Callback URL uses http instead of https

maury · January 31, 2023, 1:31pm

Hey , I have added Auth0 to my MVC app, it works perfectly in DEVELOPMENT but on PRODUCTION(DigitalOcean) it gives me that I got a Callback URL mismatch:

Log:

{
“date”: “2023-01-31T13:18:48.936Z”,
“type”: “f”,
“description”: “Callback URL mismatch. Give yourself a better website » MY DOMAIN is not in the list of allowed callback URLs”,
“connection_id”: “”,
“ip”: “2800:810:5a8:80c2:f000:aac2:2f68:4aeb”,
“user_agent”: “Chrome 109.0.0 / Windows 10.0.0”,
“details”: {
“body”: {},
“qs”: {
“client_id”: “vHcUKPl8hr4AbiAAEEP8jUhP3IZQaPQQ”,
“redirect_uri”: “Give yourself a better website » MY DOMAIN”,
“response_type”: “id_token”,
“scope”: “openid profile”,
“response_mode”: “form_post”,
“nonce”: “638107679286067585.OGZlNTI2OWQtNDlmMi00M2JjLWFhMTYtY2I0M2E5NTMyZjY1NTIxZTQ0NTUtMzU2ZS00MTYwLWJlNmQtOWU2ODMxYzUzY2E4”,
“auth0Client”: “eyJuYW1lIjoiYXNwbmV0Y29yZS1hdXRoZW50aWNhdGlvbiIsInZlcnNpb24iOiIxLjEuMCJ9”,
“state”: “CfDJ8HoRyNfl4AROnvm-SSYUBOAswwYmKypXEYaTkYtEzR9YRjFGsgATtG8ufYgKnz-5XdEtzSv3wzWwbAUCx08JUuxZJSX5gdTWSDG5dkAKJbE13DzFl9UWXcM0BpAz9EI2F8CnZ-wA0MUiQ2gZR_jT6irnzAyQDwQAw5SSIXbiekcWD6z0DU40tMkJEknSuWif89-CPniUu8QINMlJEYOotBwc-0DcMq6hGM7LE2sYIDtsvhexpFpVcOepSm8aaqy_OJXBINj4kah95ZvFi8Jh_Wf4m3m5XU4NOE0-k69OrZ9bN5rV7Jt6h_Q5K718iW1nsw”,
“x-client-SKU”: “ID_NET6_0”,
“x-client-ver”: “6.25.1.0”
},
“error”: {
“message”: “Callback URL mismatch. Give yourself a better website » MY DOMAIN is not in the list of allowed callback URLs”,
“oauthError”: “Callback URL mismatch. Give yourself a better website » MY DOMAIN is not in the list of allowed callback URLs. Please go to ‘https://manage.auth0.com/#/applications/vHcUKPl8hr4AbiAAEEP8jUhP3IZQaPQQ/settings’ and make sure you are sending the same callback url from your application.”,
“payload”: {
“message”: “Callback URL mismatch. Give yourself a better website » MY DOMAIN is not in the list of allowed callback URLs”,
“code”: “unauthorized_client”,
“status”: 403,
“name”: “CallbackMismatchError”,
“authorized”: [
“Give yourself a better website » MY DOMAIN”
],
“attempt”: “http://my-domain/callback”,
“client”: {
“clientID”: “vHcUKPl8hr4AbiAAEEP8jUhP3IZQaPQQ”
},
“log_url”: “https://manage.auth0.com/#/logs/”
},
“type”: “callback-url-mismatch”
},
“session_id”: “gl9C4ZCBlTQNbYASgKew0mKPR6vmUwVh”
},
“hostname”: “dev-ggxof8bd75l4qzbi.us.auth0.com”,
“auth0_client”: {
“name”: “aspnetcore-authentication”,
“version”: “1.1.0”
},
“log_id”: “90020230131131851753889066341659355572805083499088314386”,
“_id”: “90020230131131851753889066341659355572805083499088314386”,
“isMobile”: false,
“id”: “90020230131131851753889066341659355572805083499088314386”
}

Auth0 config:

Program.cs:

using Auth0.AspNetCore.Authentication;
using Microsoft.Data.Sqlite;
using Microsoft.EntityFrameworkCore;
var builder = WebApplication.CreateBuilder(args);
if (Environment.GetEnvironmentVariable(“ENVIRONMENT”) == “DEVELOPMENT”)
{
var inMemorySqlite = new SqliteConnection(“Data Source=Shareable;Mode=Memory;Cache=Shared”);
builder.Services.AddDbContext(
options => options.UseSqlite(inMemorySqlite).LogTo(Console.WriteLine, LogLevel.Information)
);
builder.Services.AddScoped<DbContext, FeatureFlagContext>();
}
else
{
var postgreSqlConnectionString = Environment.GetEnvironmentVariable(
“RELATIONAL_DATABASE_CONNECTION_STRING”
);
builder.Services.AddDbContext(
options => options.UseNpgsql(postgreSqlConnectionString)
);
builder.Services.AddScoped<DbContext, FeatureFlagContext>();
}
// Add services to the container.
builder.Services.AddControllersWithViews();
builder.Services.AddAuth0WebAppAuthentication(options =>
{
options.Domain = Environment.GetEnvironmentVariable(“AUTH0_DOMAIN”);
options.ClientId = Environment.GetEnvironmentVariable(“AUTH0_CLIENT_ID”);
});
var app = builder.Build();
// Configure the HTTP request pipeline.
if (!app.Environment.IsDevelopment())
{
app.UseExceptionHandler(“/Home/Error”);
// The default HSTS value is 30 days. You may want to change this for production scenarios, see Enforce HTTPS in ASP.NET Core | Microsoft Learn.
app.UseHsts();
}
using (var scope = app.Services.CreateScope())
{
var services = scope.ServiceProvider;
DbContext context;
if (Environment.GetEnvironmentVariable(“ENVIRONMENT”) == “DEVELOPMENT”)
{
context = services.GetRequiredService();
context.Database.Migrate();
}
}
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseCookiePolicy();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllerRoute(name: “default”, pattern: “{controller=Home}/{action=Index}/{id?}”);
app.Run();
public partial class Program { }

Thank you in advance.

rueben.tiow · January 31, 2023, 11:18pm

Hi @maury,

Thanks for reaching out to the Auth0 Community!

I have just investigated your tenant logs and found that there was indeed a Callback URL mismatch error.

From the logs, I found that the login request was passing in a different URL for the redirect_uri than the one expected in the Callback URL.

Given that, I recommend checking your /authorize request, specifically the redirect_uri query parameter, to make sure the URL points to the URL specified in your Allowed Callback URLs of your Application’s settings.

I hope this helps!

Please let me know if you have any additional questions.

Thanks,
Rueben

maury · February 1, 2023, 1:34pm

Hey @rueben.tiow ,

Thanks for reply my thread.

Would you explain me like I’m five this?:

Given that, I recommend checking your /authorize request, specifically the redirect_uri query parameter, to make sure the URL points to the URL specified in your Allowed Callback URLs of your Application’s settings.

I didn’t understand pretty well what I have to do. Where I check my /authorize request? The redirect_uri points me that it’s fetching the url with HTTP

But in my allowed callback urls I have it with httpS

rueben.tiow · February 1, 2023, 9:09pm

Hi @maury,

Thank you for your reply.

Essentially, you will need both the redirect_uri and Callback URL to match.

For this case, you can add the http URL to your Allowed Callback URLs list and give the login another try. It should fix the issue.

Please let me know how this goes for you.

Thanks,
Rueben

maury · February 1, 2023, 9:22pm

I had to add this to my Program.cs to make it work:

app.UseForwardedHeaders(new ForwardedHeadersOptions
{
ForwardedHeaders = ForwardedHeaders.XForwardedProto
});

Thank you for your time.

system · February 15, 2023, 9:23pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Callback URL mismatch even when callback is put in Help auth0 , api , login	2	1429	July 13, 2024
Did Auth0 start forcing callback urls to use https? Help http	3	4327	December 31, 2019
Only HTTP works but not HTTPS for Allowed Callback/Logout URLs Help configuration , application	1	42	September 21, 2024
Callback mismatch and wrong redirect_uri Help login-experience , new-universal-login-experience	4	23	November 1, 2024
Not able to login in production Help auth0 , login	2	2472	March 3, 2023

Callback URL uses http instead of https

Related Topics