Callback url results in error "The redirect URI is wrong. You sent http..."

lihua.zhang · January 25, 2023, 11:51pm

Problem statement

When using the Maven mvc-auth-commons SDK the following error is returned when using the SDK behind a reverse proxy:

"com.auth0.exception.APIException: Request failed with status code 403: **The redirect URI is wrong. You sent [http://domain1](http://domain1/), and we expected [https://domain2](https://domain2/)** at com.auth0.net.ExtendedBaseRequest.createResponseException(ExtendedBaseRequest.java:131) ~[auth0-1.44.1.jar:1.44.1] "

Cause

The SDK cannot be used behind a reverse proxy that is not configured with end-to-end encryption. Auth0 expects a connection secured by SSL encryption, and the proxy returns an HTTP URL.

Solution

Ensure any proxy used in the connection is configured with end-to-end SSL Encryption.

Related Resources:

github.com/auth0/auth0-java-mvc-common

Fix error 'You sent http://..., and we expected https://..'

auth0:master ← jermeo:master

opened 10:22PM - 22 Sep 21 UTC

jermeo

+57 -1

### Changes Hello! My company has the need to use Auth0 SDK behind nginx. B…ut this SDK can't be used behind a reverse proxy which manage the SSL termination. It's not convenient to manage SSL directly on the backend. Without that, we fall always into the error 'You sent http://..., and we expected https://..' during the validation of token. I've made a little change in the RequestProcessor class, more precisely in the getVerifiedTokens method. I added a method to take into account the header X-Forwarded-Proto if it exists. Regards ### References support ticket https://community.auth0.com/t/http-https-protocols-behind-load-balancer/8834 https://community.auth0.com/t/error-on-redirect-urls/55009 https://community.auth0.com/t/http-https-protocols-issue/11940 ### Testing Please describe how this can be tested by reviewers. Be specific about anything not tested and reasons why. If this library has unit and/or integration testing, tests should be added for new functionality and existing tests should complete without errors. - [x] This change adds test coverage - [x] This change has been tested on the latest version of Java or why not ### Checklist - [x] I have read the [Auth0 general contribution guidelines](https://github.com/auth0/open-source-template/blob/master/GENERAL-CONTRIBUTING.md) - [x] I have read the [Auth0 Code of Conduct](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md) - [x] All existing and new tests complete without errors