Peter

Reputation: 2394

Auth0 Callback URL mismatch for new allowed callback URL

I have an Auth0 application with a few localhost URLs as allowed callback URLs. Example: https://127.0.0.1:8080/login, https://127.0.0.1:8080/results, https://127.0.0.1:8080/user

When I start the authentication flow using one of the previous allowed URLs, everything works as expected. Example: https://tenant.auth0.com/authorize?audience=my-api&response_type=token&client_id=client-id&redirect_uri=https://127.0.0.1:8080/results

I want to support a new allowed URL, https://mynicedomain.com, so I added it to the allowed list; however, it doesn't work when I go to: https://tenant.auth0.com/authorize?audience=my-api&response_type=token&client_id=client-id&redirect_uri=https://mynicedomain.com

I tried adding / in both the Auth0 config and the URL. I also added it as an allowed URL origin, but I still can't make it work.

Did anyone have a similar issue? I read several posts and Auth0 docs and I cannot find what I am doing wrong.

Upvotes: 0

Views: 2708

Answers (1)

meklarian

Reputation: 6625

I'm not certain this is an exact match for the OP's issue, but the symptoms are the same. In my scenario, the actual issue was caused by a proxy in front of the application using http rather than https to speak to the application at the host where the deployed application lives (e.g. production).

The issue is described at this forum link in more detail: https://community.auth0.com/t/asp-net-core-loginexternal-not-working-with-https/7824

The way to fix it for applications registered as Regular Web Application at Auth0 is to intercept the redirect to the identity provider and forcefully rewrite the scheme to be https.

Implementing this change in code will resemble the following (in Program.cs in C# for Blazor, or wherever one's setup code resides):

using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

// Inside the AddOpenIdConnect(...) configuration for the Auth0 registration:
options.Events = new OpenIdConnectEvents
{
    // Runs just before the browser is sent to Auth0's /authorize endpoint,
    // so the redirect_uri can be rewritten to match the registered callback.
    OnRedirectToIdentityProvider = (context) => {
        var builder = new UriBuilder(context.ProtocolMessage.RedirectUri);

        // The proxy spoke plain http to the app, so the middleware built an
        // http:// callback URL; force the scheme back to https.
        builder.Scheme = "https";

        context.ProtocolMessage.RedirectUri = builder.ToString();

        return Task.CompletedTask;
    },

    // ... more handlers here, etc.
};

Note that if the builder is still trying to redirect to the normal http port (80) even after forcing protocol scheme, then more aggressive URI rewriting may be needed.

Example:

  1. Callback URL at Auth0: https://my-app-hostname/
  2. Builder is forced to https, but somehow the internals force http instead by port: https://my-app-hostname:80/
  3. Registering that URL with explicit port 80 works at Auth0, but then on callback it fails at the proxy because https://my-app-hostname:80/ is not valid (the listener on port 80 is not https).

Upvotes: 0
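As an added example (not the answer's own code), a plain .NET console program showing the "more aggressive URI rewriting" the answer mentions: it forces https and clears the port 80 that UriBuilder carries over from the proxy-supplied http URL, so the redirect_uri matches a callback registered as https://my-app-hostname/ exactly. The hostnames and paths are constructed samples, and the handler wiring is assumed: in the answer's OnRedirectToIdentityProvider you would pass context.ProtocolMessage.RedirectUri through ForceHttps.

```csharp
using System;

// Added example, not the answer's own code: the normalization the answer's
// OnRedirectToIdentityProvider handler needs when the proxy-supplied callback
// still carries port 80 after the scheme is forced to https.
static class CallbackUri
{
    // Auth0 requires redirect_uri to match a registered callback URL exactly,
    // so "https://my-app-hostname:80/" never matches "https://my-app-hostname/".
    public static string ForceHttps(string redirectUri)
    {
        var builder = new UriBuilder(redirectUri);

        if (builder.Scheme == Uri.UriSchemeHttp)
        {
            builder.Scheme = Uri.UriSchemeHttps;

            // UriBuilder keeps the port it parsed from the http URL (80 even when
            // it was implicit), which is why the answer sees ":80" reappear.
            // -1 means "no explicit port", so https falls back to its default 443.
            if (builder.Port == 80)
            {
                builder.Port = -1;
            }
        }

        // Non-standard ports (the OP's 127.0.0.1:8080 dev listener) are kept.
        // Uri.ToString() omits default ports; UriBuilder.ToString() would not.
        return builder.Uri.ToString();
    }
}

class Program
{
    static void Main()
    {
        // Constructed sample callbacks, as the middleware would see them behind
        // a TLS-terminating proxy that talks http to the application.
        string[] samples =
        {
            "http://my-app-hostname/",
            "http://my-app-hostname:80/signin-oidc",
            "http://127.0.0.1:8080/results",
            "https://my-app-hostname/",
        };

        foreach (var sample in samples)
        {
            Console.WriteLine($"{sample} -> {CallbackUri.ForceHttps(sample)}");
        }
    }
}
```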