
AZURE + CDN results in "The redirect URI is wrong"



Exact same issue as this forum post. I have followed this tutorial to implement a CDN for our ASP.NET MVC Azure WebApp. However, on remapping the CNAME of our custom URL to the new CDN URL, we encounter the error message: 'The redirect URI is wrong. You send <CUSTOM URL>, and we expected <ORIGINAL URL>' when attempting to log in. We are using Lock 10.18; the Lock setup is below. It seems the CDN URL is creating this redirect issue. Has anyone else experienced this?

var dbConn = '@ConfigurationManager.AppSettings["Auth0DefaultConnection"]';
var scope = 'openid app_metadata';
// Use an anchor element to extract the hostname from the configured Auth0 domain URL
var parser = document.createElement('a');
parser.href = '@ConfigurationManager.AppSettings["Auth0Domain"]';
var lock = new Auth0Lock('@ConfigurationManager.AppSettings["Auth0ClientID"]', parser.hostname, {
		languageDictionary: {
			usernameInputPlaceholder: "username or email",
			password: "password",
			title: ""
		},
		container: 'root',
		defaultDatabaseConnection: dbConn,
		allowSignUp: false,
		allowForgotPassword: true,
		auth: {
			// The callback URL follows whichever hostname the browser is currently on
			redirectUrl: window.location.origin + '/signin-auth0',
			responseType: 'code',
			sso: true,
			scope: scope
		}
});


I might be missing something, but your Lock configuration is using a dynamic redirect URL, due to the usage of window.location.origin.

If you have more than one hostname/domain through which you can access the site then you’ll need to add the different possibilities in the allowed callback URLs configuration in the client application settings.


@jmangelo thanks for the feedback. I have enabled all URLs in question in the callback URL section; it seems it's not a case of an unallowed URL but rather a mismatch of which URL is expected.

I can't be sure, but I think it's because the CDN's Origin HostName URL is our Azure-generated webapp URL and the redirection between the CDN and Origin is causing this issue.


  1. Try login from custom URL (CNAME points to CDN URL)
  2. Auth0 does a redirect (CustomURL points to CDN, which points to Origin)
  3. Origin seems to return to Auth0 causing the issue.

CustomUrl <-> CDNURL <-> OriginURL


Managed to solve this by overriding the OnCustomizeTokenExchangeRedirectUri on the Auth0AuthenticationProvider OWIN middleware options which intercepts the state parameter passed through from the lock screen. I added a parameter origin to the state parameter.


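lock.on('hash_parsed', function (hash) {
    // There is no hash, which means that this is the user's first
    // visit, i.e. the authenticated or error events
    // haven't fired
    var returnUrl = getParameterByName('ReturnUrl') || "";
    // Carry the browser-facing origin and the return URL in the state parameter
    var options = { auth: { params: { state: "origin=" + window.location.origin + "&ru=" + encodeURIComponent(returnUrl), scope: scope } } };

    if (!hash) {
        // The snippet in the post is cut off here; showing Lock with these options is assumed
        lock.show(options);
    }
});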


OnCustomizeTokenExchangeRedirectUri = context =>
{
    var uri = context.Request.Uri;
    // The state parameter round-trips through Auth0 and carries the origin set by Lock
    var state = context.Request.Query["state"];
    if (state != null && state.Contains("origin="))
    {
        var parsed = HttpUtilities.ParseQueryString(state);
        var redirectUri = parsed["origin"];
        // Use the origin the browser logged in from, not the CDN origin host
        context.RedirectUri = redirectUri;
    }
}

The HttpUtilities method is from the Auth0 AspNet GitHub Repo.
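
An added example, not part of the post above and not Auth0's own code: the state parameter returns via the browser, so this sketch checks the origin it carries against a fixed list of known hostnames before it is used as the redirect URI. The class name, the method name and the hostnames are assumptions, and `System.Web.HttpUtility` is swapped in for the `HttpUtilities` helper the post mentions.

```csharp
using System;
using System.Collections.Generic;
using System.Web; // HttpUtility.ParseQueryString, swapped in for the post's HttpUtilities

// Hypothetical helper (not from the post): validates the "origin" value carried
// in the state parameter before it is used as the token-exchange redirect URI.
public static class RedirectOriginResolver
{
    // Constructed sample hosts; list the site's real custom, CDN and origin
    // hostnames, matching the allowed callback URLs configured in Auth0.
    private static readonly HashSet<string> AllowedOrigins =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "https://www.example.com",
            "https://example.azureedge.net",
            "https://example.azurewebsites.net"
        };

    // Returns the validated origin, or null when state has no origin or the
    // origin is not on the allow-list (caller then keeps the default URI).
    public static string Resolve(string state)
    {
        if (string.IsNullOrEmpty(state)) return null;

        string origin = HttpUtility.ParseQueryString(state)["origin"];
        Uri parsed;
        if (origin == null || !Uri.TryCreate(origin, UriKind.Absolute, out parsed))
            return null;

        // Accept a bare HTTPS origin only: no userinfo, path, query or fragment.
        if (parsed.Scheme != Uri.UriSchemeHttps || parsed.UserInfo.Length != 0 ||
            parsed.PathAndQuery != "/" || parsed.Fragment.Length != 0)
            return null;

        // Compare scheme + host + port against the known hostnames.
        string normalized = parsed.Scheme + Uri.SchemeDelimiter + parsed.Authority;
        return AllowedOrigins.Contains(normalized) ? normalized : null;
    }
}

// Usage inside the hook from the post (shape assumed from that snippet):
//   var origin = RedirectOriginResolver.Resolve(context.Request.Query["state"]);
//   if (origin != null) context.RedirectUri = origin;
```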


@jmangelo I am having the same issue when using Azure Web Apps + Azure Application gateway. I get the following error:
“The redirect URI is wrong. You send, and we expected”. I made sure both above URLs are in the allow callback URL list.

Below is the authorize call I am making:
I am using Lock login widget via Auth0 hosted login page.

Any ideas on what might be causing this error?