I might be missing something, but your Lock configuration is using a dynamic redirect URL, due to the usage of window.location.origin.
If you have more than one hostname/domain through which you can access the site then you'll need to add the different possibilities to the allowed callback URLs configuration in the client application settings.
@jmangelo thanks for the feedback. I have enabled all URLs in question in the callback URL section; it seems it's not a case of an unallowed URL but rather a mismatch of which URL is expected.
I can't be sure, but I think it's because the CDN's Origin HostName URL is our Azure-generated web app URL and the redirection between the CDN and Origin is causing this issue.
I.e.:
Try login from custom URL (CNAME points to CDN URL)
Auth0 does a redirect (CustomURL points to CDN, which points to Origin)
Origin seems to return to Auth0, causing the issue.
Managed to solve this by overriding OnCustomizeTokenExchangeRedirectUri on the Auth0AuthenticationProvider OWIN middleware options, which intercepts the state parameter passed through from the lock screen. I added a parameter origin to the state parameter.
LOCK
// Assumed from the rest of the Lock setup (not shown in the post): `lock` is the
// Auth0Lock instance and `scope` is the requested scope string. getParameterByName
// reads a query-string value from the current URL (helper body assumed here).
function getParameterByName(name) {
  return new URLSearchParams(window.location.search).get(name);
}

lock.on('hash_parsed', function (hash) {
  // There is no hash, which means that this is the user's first
  // visit, i.e. the authenticated or error events haven't fired.
  var returnUrl = getParameterByName('ReturnUrl') || "";
  // Pack the origin the user came in through (custom domain, CDN or Azure host)
  // plus the ReturnUrl into `state`; the middleware reads `origin` back out.
  var options = { auth: { params: { state: "origin=" + window.location.origin + "&ru=" + encodeURIComponent(returnUrl), scope: scope } } };
  if (!hash) {
    lock.show(options);
  }
});
MIDDLEWARE
// Requires `using System.Web;` for HttpUtility.ParseQueryString.
OnCustomizeTokenExchangeRedirectUri = context =>
{
    // `state` comes back on the callback exactly as Lock set it:
    // "origin=<window.location.origin>&ru=<encoded ReturnUrl>".
    var state = context.Request.Query["state"];
    if (state != null && state.Contains("origin="))
    {
        var parsed = HttpUtility.ParseQueryString(state);
        var redirectUri = parsed["origin"];
        // Use the origin the user started from as the redirect_uri for the
        // token exchange so it matches the one in the authorization request.
        // Note: this value is client-supplied; check it against the hostnames
        // registered as allowed callback URLs before relying on it.
        context.RedirectUri = redirectUri;
    }
},
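The state round-trip described in the post above, as an added example that is not code from the thread: it builds the `origin=...&ru=...` state the way the Lock snippet does and recovers the redirect URI the way the middleware does, adding the allow-list check against the registered callback hostnames. `ALLOWED_ORIGINS` and the `.test` hostnames are constructed sample values.

```javascript
// Constructed stand-in for the client application's allowed callback URLs:
// the custom CNAME, the CDN hostname and the Azure web app origin.
const ALLOWED_ORIGINS = [
  'https://www.example-custom.test',
  'https://example-cdn.azureedge.test',
  'https://example-app.azurewebsites.test',
];

// Mirrors the Lock `auth.params.state` construction from the post.
// Only the ReturnUrl is URI-encoded, so an '&' inside it cannot split the state.
function buildState(origin, returnUrl) {
  return 'origin=' + origin + '&ru=' + encodeURIComponent(returnUrl || '');
}

// Mirrors OnCustomizeTokenExchangeRedirectUri: parse `state` as a query string
// and take the redirect URI from its `origin` field. Returns null (keep the
// middleware's default redirect URI) when `state` is absent, has no origin,
// or names an origin that is not registered.
function redirectUriFromState(state, allowedOrigins) {
  if (!state || !state.includes('origin=')) return null;
  const origin = new URLSearchParams(state).get('origin');
  if (!origin) return null;
  // Exact match only: a prefix check would accept "https://host.test.evil".
  return allowedOrigins.includes(origin) ? origin : null;
}

// Callback-side helper: the accepted redirect URI plus the round-tripped
// ReturnUrl (decoded) so the app can send the user on after login.
function parseCallbackState(state, allowedOrigins) {
  const redirectUri = redirectUriFromState(state, allowedOrigins);
  const returnUrl = redirectUri ? (new URLSearchParams(state).get('ru') || '') : '';
  return { redirectUri, returnUrl };
}
```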