Auth0 Blazor wrong redirect_url behind NGINX reverse proxy

I have a .NET 8 Blazor application that follows the advice in the Auth0 tutorial. It works great on my development machine, but when I move it out to our development servers that run behind an NGINX reverse proxy, the login process fails.

Clicking the login button correctly goes to the login handler.
The login handler calls the following code:

        var authenticationProperties = new LoginAuthenticationPropertiesBuilder()
            .WithRedirectUri(returnUrl)
            .Build();

        await httpContext.ChallengeAsync(Auth0Constants.AuthenticationScheme, authenticationProperties);

The problem is that this generates a redirect to our Auth0 server’s Authorize endpoint that includes “redirect_uri=http%3A%2F%2F127.0.0.1%3A5038%2Fcallback” in the URL query string. Because of this, after the user logs in, their browser is sent to “http://127.0.0.1:5038/callback”, which doesn’t work unless it is called from a browser on the server.

I assume that Auth0 is choosing that URI because that is what the application is listening on, even though the Request URL in the request header is https://TheProperExternalUrl/ …, and the returnUrl value set in the LogoutAuthenticationPropertiesBuilder is https://TheProperExternalUrl/PageLoginButtonWasHitOn. (The NGINX reverse proxy communicates the external URLs to the internal URLs, and the firewall prevents any outside machines from accessing the internal URLs.)

How can I tell Auth0 to set the proper redirect_url in the URL that httpContext.ChallengeAsync produces?

If it matters, the same reverse proxy setup was used with Auth0 in .NET6 and .NET7 without any issues. This behavior began when switching to Blazor InteractiveAutoRenderMode and .NET8 and I have not been able to get it working since.

Thanks @gwilson for reporting this. We have provided a FAQ about this here: auth0-aspnetcore-authentication/FAQ.md at main · auth0/auth0-aspnetcore-authentication · GitHub, which will help resolve this issue.

Warm regards.

1 Like

Two comments for anyone with the same issue:

  1. The first issue that needed to be fixed was to set up header forwarding as described in the FAQ link mentioned above.
  2. After that was resolved, I discovered that NGINX requires one additional tweak to work with Auth0: You must increase the proxy buffer sizes from the default because of the large amount of header info that Auth0 uses. Details here: Got “502 Bad Gateway” on login callback when using NGINX reverse proxy - Auth0 Community.
2 Likes
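
A sketch of the two fixes listed in the post above, added here as an example; it is not taken from the thread or from the Auth0 FAQ. It assumes NGINX runs on the same host as the app (so the only trusted proxy is loopback), that the Auth0 settings live under hypothetical `Auth0:Domain` / `Auth0:ClientId` configuration keys, and the buffer sizes and the `/debug/origin` endpoint are illustrative choices.

```csharp
// Program.cs (added example). NGINX side, shown as comments because the app
// depends on it; buffer values are illustrative, tune them for your headers:
//   proxy_set_header Host              $host;    # else Host becomes 127.0.0.1:5038
//   proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
//   proxy_set_header X-Forwarded-Proto $scheme;  # else scheme stays http
//   proxy_buffer_size       128k;
//   proxy_buffers           4 256k;
//   proxy_busy_buffers_size 256k;
using System.Net;
using Auth0.AspNetCore.Authentication;
using Microsoft.AspNetCore.HttpOverrides;

var builder = WebApplication.CreateBuilder(args);

builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    // Rewrite Request.Scheme and the remote IP from the proxy's headers.
    options.ForwardedHeaders =
        ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;

    // Only honour these headers when the direct peer is the local NGINX
    // (assumption: proxy and app share a host). Anything else is ignored,
    // so a client that reaches the app directly cannot spoof the scheme.
    options.KnownNetworks.Clear();
    options.KnownProxies.Clear();
    options.KnownProxies.Add(IPAddress.Loopback);
    options.ForwardLimit = 1; // exactly one proxy hop in front of the app
});

builder.Services.AddAuth0WebAppAuthentication(options =>
{
    options.Domain = builder.Configuration["Auth0:Domain"]
        ?? throw new InvalidOperationException("Auth0:Domain is not configured");
    options.ClientId = builder.Configuration["Auth0:ClientId"]
        ?? throw new InvalidOperationException("Auth0:ClientId is not configured");
});

var app = builder.Build();

// Must run before authentication: the redirect_uri sent to Auth0 is built
// from Request.Scheme and Request.Host at challenge time.
app.UseForwardedHeaders();
app.UseAuthentication();
app.UseAuthorization();

if (app.Environment.IsDevelopment())
{
    // Hypothetical check endpoint: should return the external https origin.
    app.MapGet("/debug/origin", (HttpContext ctx) =>
        $"{ctx.Request.Scheme}://{ctx.Request.Host}{ctx.Request.PathBase}");
}

app.Run();
```

If the check endpoint still reports `http://127.0.0.1:5038` when called through the proxy, the headers are either not being sent by NGINX or are being dropped because the proxy address is not in `KnownProxies`.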
