Please include the following information in your post:
Which SDK this is regarding: auth0-java-mvc-common
SDK Version: 1.9.2
Platform Version: Java 8
Code Snippets/Error Messages/Supporting Details/Screenshots:
I’m using pretty much exactly what’s in the quickstart.
The problem arrives when I do this:
authenticationControllerProvider.getController(req,res).
```java
String authorizationCode = request.getParameter(KEY_CODE);
Tokens codeExchangeTokens = null;
try {
    if (responseTypeList.contains(KEY_ID_TOKEN)) {
        // Implicit/Hybrid flow: must verify front-channel ID Token first
        tokenVerifier.verify(frontChannelTokens.getIdToken(), verifyOptions);
    }
    if (responseTypeList.contains(KEY_CODE)) {
        // Code/Hybrid flow
        String redirectUri = request.getRequestURL().toString();
        codeExchangeTokens = exchangeCodeForTokens(authorizationCode, redirectUri);
        if (!responseTypeList.contains(KEY_ID_TOKEN)) {
            // If we already verified the front-channel token, don't verify it again.
            String idTokenFromCodeExchange = codeExchangeTokens.getIdToken();
            if (idTokenFromCodeExchange != null) {
                tokenVerifier.verify(idTokenFromCodeExchange, verifyOptions);
            }
        }
    }
} catch (TokenValidationException e) {
```
Here is where it goes wrong. The redirect URL should be
https://something.com/callback
But because the application itself is running on HTTP, and HTTPS is only on the reverse proxy, this gets set to http, and it fails (I don’t allow https outside of local testing).
How the hell do I work around this? Writing the verifiers, and everything else basically from scratch because of this single issue seems like a nightmare.
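One way to address the situation in the post above, as an added example that is not part of the original post or of auth0-java-mvc-common: a servlet filter that makes `request.getRequestURL()` report the scheme seen at the TLS-terminating proxy, so the `redirectUri` built in the quoted code matches the HTTPS callback. The class name `ForwardedProtoFilter`, the `TRUSTED_PROXY` address, the `X-Forwarded-Proto` header being set by the proxy, and the public port 443 are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Added example (hypothetical class, not from auth0-java-mvc-common).
// Register it ahead of the callback servlet so request.getRequestURL()
// reflects the scheme the browser used at the reverse proxy.
public class ForwardedProtoFilter implements Filter {
    // Assumption: the only peer address allowed to set X-Forwarded-* headers.
    private static final String TRUSTED_PROXY = "127.0.0.1";

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String proto = http.getHeader("X-Forwarded-Proto");
        // Honor the header only from the proxy; any other client could spoof it.
        if (TRUSTED_PROXY.equals(req.getRemoteAddr()) && "https".equalsIgnoreCase(proto)) {
            chain.doFilter(new HttpsRequest(http), res);
        } else {
            chain.doFilter(req, res);
        }
    }

    private static final class HttpsRequest extends HttpServletRequestWrapper {
        HttpsRequest(HttpServletRequest r) { super(r); }
        @Override public String getScheme() { return "https"; }
        @Override public boolean isSecure() { return true; }
        // Assumption: the proxy listens on the default HTTPS port.
        @Override public int getServerPort() { return 443; }

        @Override
        public StringBuffer getRequestURL() {
            // Assumption: the proxy passes the original Host header through,
            // so getServerName() is the public host name.
            return new StringBuffer("https://").append(getServerName()).append(getRequestURI());
        }
    }
}
```

Where the servlet container offers its own forwarded-header support (for example Tomcat's `RemoteIpValve`), configuring that with the proxy's address as the trusted source achieves the same result without custom code.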