AZURE + CDN results in "The redirect URI is wrong"

Exact same issue as this forum post: https://auth0.com/forum/t/aws-cdn-results-in-the-redirect-uri-is-wrong/3575. I have followed this tutorial to implement a CDN for our ASP.NET MVC Azure Web App: Tutorial - Add Azure CDN to an Azure App Service web app | Microsoft Learn. However, on remapping the CNAME of our custom URL to the new CDN URL, we encounter the error message 'The redirect URI is wrong. You send <CUSTOM URL>, and we expected <ORIGINAL URL>' when attempting to log in. We are using Lock 10.18; the Lock setup is below. It seems the CDN URL is creating this redirect issue. Has anyone else experienced this?

var dbConn = '@ConfigurationManager.AppSettings["Auth0DefaultConnection"]';
var scope = 'openid app_metadata';
// Use an anchor element to extract the bare hostname from the configured Auth0 domain
// (the setting may include a scheme).
var parser = document.createElement('a');
parser.href = '@ConfigurationManager.AppSettings["Auth0Domain"]';
var lock = new Auth0Lock('@ConfigurationManager.AppSettings["Auth0ClientID"]', parser.hostname, {
    languageDictionary: {
        usernameInputPlaceholder: "username or email",
        password: "password",
        title: ""
    },
    container: 'root',
    defaultDatabaseConnection: dbConn,
    allowSignUp: false,
    allowForgotPassword: true,
    auth: {
        // Dynamic: depends on whichever hostname served the page (custom URL, CDN or origin).
        redirectUrl: window.location.origin + '/signin-auth0',
        responseType: 'code',
        sso: true,
        scope: scope
    }
});

I might be missing something, but your Lock configuration is using a dynamic redirect URL, due to the usage of window.location.origin.

If you have more than one hostname/domain through which you can access the site, then you'll need to add the different possibilities to the allowed callback URLs configuration in the client application settings.

@jmangelo thanks for the feedback. I have enabled all URLs in question in the callback URL section; it seems it's not a case of an unallowed URL but rather a mismatch of which URL is expected.

I can't be sure, but I think it's because the CDN's origin hostname URL is our Azure-generated web app URL, and the redirection between the CDN and the origin is causing this issue.

I.e.:

  1. Try login from custom URL (CNAME points to CDN URL)
  2. Auth0 does a redirect, (CustomURL points to CDN, which points to Origin)
  3. Origin seems to return to Auth0 causing the issue.

CustomUrl <-> CDNURL <-> OriginURL

Managed to solve this by overriding OnCustomizeTokenExchangeRedirectUri on the Auth0AuthenticationProvider OWIN middleware options, which intercepts the state parameter passed through from the Lock screen. I added an origin parameter to the state parameter.

LOCK

// Helper for reading a query-string parameter. It is assumed to be defined elsewhere on the
// page; a minimal implementation is included here so the snippet runs on its own.
function getParameterByName(name) {
    return new URLSearchParams(window.location.search).get(name);
}

lock.on('hash_parsed', function (hash) {
    // There is no hash, which means that this is the user's first
    // visit, i.e. the authenticated or error events
    // haven't fired
    var returnUrl = getParameterByName('ReturnUrl') || "";
    // Carry the origin the user started from (and the return URL) in the state parameter
    // so the server-side middleware can pick the matching redirect URI.
    var options = { auth: { params: { state: "origin=" + window.location.origin + "&ru=" + encodeURIComponent(returnUrl), scope: scope } } };

    if (!hash) {
        lock.show(options);
    }
});

MIDDLEWARE

OnCustomizeTokenExchangeRedirectUri = context =>
{
    var uri = context.Request.Uri;
    // If Lock put an "origin" into the state, use it for the token-exchange redirect_uri
    // instead of the hostname this callback arrived on (which may be the CDN origin).
    // Auth0 rejects the token exchange if this value does not match the redirect_uri
    // used in the /authorize request.
    if (context.Request.Query["state"] != null && context.Request.Query["state"].Contains("origin="))
    {
        var parsed = HttpUtilities.ParseQueryString(context.Request.Query["state"]);
        var redirectUri = parsed["origin"];
        context.RedirectUri = redirectUri;
    }
},

The HttpUtilities method is from the Auth0 ASP.NET GitHub repo: auth0-aspnet-owin/HttpUtilities.cs at c70a13ff4986ee882fe5f7690e08ad91fcd74b04 · auth0/auth0-aspnet-owin · GitHub
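The approach above honours whatever origin the browser put into state. As an added example (not code from this thread or from the auth0-aspnet-owin project), the JavaScript below shows the same state round-trip with the two checks a practitioner would want on the server side: the origin taken from state is accepted only if it is in a hard-coded allow-list that mirrors the Allowed Callback URLs (the hostnames and the /signin-auth0 path are taken from this thread and are illustrative), and the ru return URL is restricted to a same-site relative path so the parameter cannot be turned into an open redirect. The state is built with URLSearchParams so that '&' or '?' inside the return URL cannot corrupt the origin field, and a nonce slot is kept because state is also the CSRF token in the code flow; checking that nonce against the session is left to the caller. When state carries no origin, the fallback matches the middleware: use the origin the callback request arrived on.

```javascript
// Added example: pick the token-exchange redirect_uri from an "origin" carried in
// OAuth state, with an allow-list and a return-URL check. Hostnames are taken from
// this thread and are illustrative; CALLBACK_PATH matches the Lock config above.
const CALLBACK_PATH = '/signin-auth0';

// Every origin the app can legitimately be reached through. Keep this in sync with
// the Allowed Callback URLs configured for the Auth0 client.
const ALLOWED_ORIGINS = [
  'https://test-portal.customsite.com',        // custom domain (CNAME -> CDN)
  'https://portal-testing.azurewebsites.net',  // Azure-generated origin hostname
];

// Browser side (what Lock would send as auth.params.state).
// nonce: an unguessable per-login value the server stores in the session; it is
// passed in as an argument so the function stays environment-neutral.
function buildState(origin, returnUrl, nonce) {
  const params = new URLSearchParams();
  params.set('nonce', nonce);
  params.set('origin', origin);
  params.set('ru', returnUrl || '');
  // toString() percent-encodes values, so '&' and '?' inside returnUrl cannot be
  // mistaken for field separators when the server parses the state back.
  return params.toString();
}

// Server side: split the state back into its fields (missing fields -> null / '').
function parseState(state) {
  const params = new URLSearchParams(state || '');
  return {
    nonce: params.get('nonce'),
    origin: params.get('origin'),
    ru: params.get('ru') || '',
  };
}

// Server side: the redirect_uri to present at the token endpoint. It must equal the
// one used at /authorize, i.e. <origin the user started from> + CALLBACK_PATH.
// requestOrigin is the origin the callback actually arrived on (possibly the CDN
// origin); it is used only when the state carries no origin, as in the middleware above.
function resolveTokenExchangeRedirectUri(state, requestOrigin) {
  const { origin } = parseState(state);
  if (origin === null) {
    return requestOrigin + CALLBACK_PATH;
  }
  if (!ALLOWED_ORIGINS.includes(origin)) {
    // Never honour an arbitrary client-supplied origin.
    throw new Error('origin in state is not an allowed callback origin: ' + origin);
  }
  return origin + CALLBACK_PATH;
}

// Server side: only send the user back to a same-site relative path after login.
// Rejects absolute URLs ('https://...'), protocol-relative ('//host') and '/\host'.
function safeReturnUrl(ru) {
  if (typeof ru !== 'string' || !ru.startsWith('/')) return '/';
  if (ru.startsWith('//') || ru.startsWith('/\\')) return '/';
  return ru;
}

// Stand-alone walk-through of one login started from the custom domain.
const demoState = buildState('https://test-portal.customsite.com', '/account/index?returnUrl=&x=1', 'demo-nonce');
const demoRedirectUri = resolveTokenExchangeRedirectUri(demoState, 'https://portal-testing.azurewebsites.net');
const demoLanding = safeReturnUrl(parseState(demoState).ru);
console.log(demoState);
console.log(demoRedirectUri, demoLanding);
```

Note that an unencoded state such as ru=/account/index?returnUrl= (as in the next post) still parses, because '?' is not a separator inside a value, but an '&' inside the return URL would be split off as a new field; that is why buildState encodes each value.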

@jmangelo I am having the same issue when using Azure Web Apps + Azure Application gateway. I get the following error:
"The redirect URI is wrong. You send https://portal-testing.azurewebsites.net, and we expected https://test-portal.customsite.com". I made sure both of the above URLs are in the allowed callback URL list.

Below is the authorize call I am making:
https://{xxxtest}.auth0.com/authorize?client_id={clientid}&response_type=code&redirect_uri=https://test-portal.customsite.com/signin-auth0&state=ru=/account/index?returnUrl=&scope=openid%20app_metadata%20name%20email%20user_id
I am using Lock login widget via Auth0 hosted login page.

Any ideas on what might be causing this error?

Thanks,
Uday