We’re seeing unauthorized requests consistently targeting our Auth0 /authorize endpoint over the past few days. These requests originate from different IPs and attempt various unauthorized redirect URLs. Some requests even use malformed client IDs, like <my_client_id>/robots.txt. All attempts are failing, but this seems to be automated bot activity probing for vulnerabilities.
I have just reviewed your tenant logs and noticed the same types of logs you mentioned, specifically with Callback URL mismatch errors.
Usually, when your app calls the login page, the request URL points to the /authorize endpoint with all of the correct values for the domain, client_id, audience, redirect_uri, etc. Exposing the /authorize endpoint is not inherently dangerous since it is intentionally public as part of the OIDC and OAuth 2.0 flow.
However, this could become a threat if an attacker is able to successfully access your login page (/authorize) and then perform an attack on your users.
In this case, you should enable the features available in Attack Protection. I see that you already have these features enabled, so your application is protected here.
At this point, Auth0 will continue to log these failed login events and prevent them from accessing your login page.
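The following is an added example, not code from the thread or from Auth0. It shows, in plain Python, why the probes described above fail (an authorization endpoint matches client_id and redirect_uri exactly against what was registered, so a client_id with `/robots.txt` appended or an unregistered callback is rejected), and then groups the resulting "Callback URL mismatch" failures per source IP the way you might when reviewing tenant logs. The registered client, the log records and the field names `type`, `description` and `ip` are constructed sample data for the example, not pulled from a real tenant.

```python
"""Added example (not from the thread above): exact-match validation of an
OAuth 2.0 / OIDC /authorize request, plus a small detector that groups
'Callback URL mismatch' failures per source IP in tenant-style log records.
All registrations and log records below are constructed sample data."""
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed registration: one client_id and its exact allowed callback URLs.
# (Placeholder values; a real tenant has its own client IDs and callbacks.)
REGISTERED_CLIENTS = {
    "abc123CLIENTID": {"https://app.example.com/callback"},
}


def validate_authorize_request(url):
    """Return (ok, reason) for a full /authorize request URL.

    Mirrors the checks an authorization server applies: the client_id must be a
    registered client and the redirect_uri must match a registered callback
    exactly (no prefix, substring or path-traversal tolerance, see RFC 6749
    section 3.1.2.3). Either failure stops the flow before a login page or code
    is ever returned to the caller."""
    params = parse_qs(urlsplit(url).query)
    client_id = params.get("client_id", [""])[0]
    redirect_uri = params.get("redirect_uri", [""])[0]
    if client_id not in REGISTERED_CLIENTS:      # e.g. "<id>/robots.txt"
        return False, "Unknown client"
    if redirect_uri not in REGISTERED_CLIENTS[client_id]:
        return False, "Callback URL mismatch"
    return True, "ok"


# Constructed log records in a tenant-log-like shape (assumed field names).
SAMPLE_LOGS = [
    {"type": "f", "description": "Callback URL mismatch", "ip": "203.0.113.5"},
    {"type": "f", "description": "Callback URL mismatch", "ip": "203.0.113.5"},
    {"type": "f", "description": "Callback URL mismatch", "ip": "203.0.113.5"},
    {"type": "f", "description": "Callback URL mismatch", "ip": "198.51.100.7"},
    {"type": "s", "description": "Successful login", "ip": "192.0.2.1"},
]


def mismatch_counts_by_ip(logs, min_count=1):
    """Count 'Callback URL mismatch' failures per source IP.

    Returns {ip: count} for IPs at or above min_count, so a reviewer can see
    which sources are repeatedly probing redirect_uri values rather than
    reading the failures one at a time."""
    counts = Counter(
        rec.get("ip", "?")
        for rec in logs
        if rec.get("description") == "Callback URL mismatch"
    )
    return {ip: n for ip, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    base = "https://tenant.example.auth0.com/authorize?response_type=code"
    good = base + "&client_id=abc123CLIENTID&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback"
    probe = base + "&client_id=abc123CLIENTID%2Frobots.txt&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback"
    print(validate_authorize_request(good))    # (True, 'ok')
    print(validate_authorize_request(probe))   # (False, 'Unknown client')
    print(mismatch_counts_by_ip(SAMPLE_LOGS, min_count=2))
```

Exact-match comparison is the property that makes the probing described in the question harmless: neither a client_id with a path appended nor a callback that merely shares a prefix with the registered one gets past the first two checks, and each rejection lands in the logs as a failed event, which is what the per-IP grouping surfaces.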