
Http/https protocols behind load balancer

callback-urls

#1

I’m using Spring Boot and AWS Elastic Beanstalk with a load balancer, and getting the following error when trying to log in:

Request failed with status code 403: The redirect URI is wrong. You send http://xxxxxxx.net, and we expected https://xxxxxxx.net

Everything works in my development environment, and on a single instance AWS deployment. Upon investigation, it looks like the way the load balancer forwards requests is making the Auth0 RequestProcessor calculate a callback URI that starts with http:// instead of https://
What do I do about this? It seems like it is a new issue, since I had this working at some point in the past…


#2

Based on the information available I would agree with your investigation and it’s likely a case of the TLS being terminated earlier and the last legs of the call are performed through HTTP, which leads the application into error.

For Spring Boot I have to confess that I would not know exactly where to focus in terms of code, but in general the resolution needs to be that the client application forces HTTPS when building the redirect URLs even when it is not being accessed through HTTPS.


#3

Thanks @jmangelo for your answer: I actually already have something of a hack to get my application to formulate the URLs correctly (by checking the request’s “X-Forwarded-Proto” header). So the Auth0 Lock is successfully calling back to my app via https.

I think the problem at this point is that the RequestProcessor rejects the callback, because the request it is processing has http headers, but was originally addressed to https: RequestProcessor calls req.getRequestURL().toString()

I don’t think I can (or want to) tamper with that request before sending it to the Auth0 classes? Would there eventually be a way for Auth0 to have an option for running behind a load balancer?
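One way to avoid tampering with the request by hand is to wrap it once, in a servlet filter, so that every consumer (including code that calls `req.getRequestURL()`, as the RequestProcessor described above does) sees the scheme the client actually used. The filter below is an added example, not code from the thread or from the Auth0 library; it assumes Spring Boot 2.x on Tomcat (`javax.servlet`), and it honours `X-Forwarded-Proto` only when the immediate peer is a trusted proxy, because a header any client can set must not be allowed to change the URL the application computes. The trusted-proxy check (`isTrustedProxy`) and the header names are assumptions to adjust for your VPC.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.springframework.stereotype.Component;

/**
 * Added example (not from the thread or the Auth0 library): makes getScheme(),
 * isSecure(), getServerPort() and getRequestURL() reflect the X-Forwarded-Proto
 * and X-Forwarded-Port headers set by the load balancer, but only when the
 * request arrives from a trusted proxy address.
 */
@Component
public class ForwardedProtoFilter implements Filter {

    // Assumption: the load balancer reaches the instance from a private VPC
    // address. Tighten this to the real proxy addresses in production.
    static boolean isTrustedProxy(String remoteAddr) {
        return remoteAddr != null
                && (remoteAddr.startsWith("10.") || remoteAddr.startsWith("192.168."));
    }

    // Returns "http" or "https", or null when the header is absent or malformed.
    static String forwardedScheme(String headerValue) {
        if (headerValue == null) {
            return null;
        }
        // With several proxies in the chain the value may be comma-separated;
        // the first entry is the scheme the original client used.
        String first = headerValue.split(",")[0].trim().toLowerCase();
        return first.equals("https") || first.equals("http") ? first : null;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            String scheme = forwardedScheme(http.getHeader("X-Forwarded-Proto"));
            // Untrusted peers keep the raw request: their header is ignored.
            if (scheme != null && isTrustedProxy(http.getRemoteAddr())) {
                req = new ForwardedRequest(http, scheme);
            }
        }
        chain.doFilter(req, res);
    }

    // Request view that reports the client-facing scheme and port.
    static final class ForwardedRequest extends HttpServletRequestWrapper {
        private final String scheme;

        ForwardedRequest(HttpServletRequest request, String scheme) {
            super(request);
            this.scheme = scheme;
        }

        @Override
        public String getScheme() {
            return scheme;
        }

        @Override
        public boolean isSecure() {
            return "https".equals(scheme);
        }

        @Override
        public int getServerPort() {
            String port = getHeader("X-Forwarded-Port");
            if (port != null) {
                try {
                    return Integer.parseInt(port.trim());
                } catch (NumberFormatException ignored) {
                    // fall through to the scheme's default port
                }
            }
            return isSecure() ? 443 : 80;
        }

        @Override
        public StringBuffer getRequestURL() {
            int port = getServerPort();
            StringBuffer url = new StringBuffer(scheme).append("://").append(getServerName());
            if (port != (isSecure() ? 443 : 80)) {
                url.append(':').append(port);
            }
            return url.append(getRequestURI());
        }
    }
}
```

Spring Boot on Tomcat can do the same without custom code by enabling Tomcat's RemoteIpValve (`server.forward-headers-strategy=native` on Spring Boot 2.2 and later, `server.use-forward-headers=true` on older releases), which trusts private-range proxies by default and takes the same scheme/port from the forwarded headers; the filter above is useful when you want the trust decision explicit and visible in your own code.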


#4

In case anyone else has this problem:
The solution on AWS Elastic Beanstalk is to configure the load balancer and EC2 instances for end-to-end https, either passing the request through untouched and terminating https on each instance, or decrypting at the load balancer, then creating a separate HTTPS connection between the load balancer and the instance. At the moment, the AWS docs are here: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-endtoend.html


#5

OK, sorry, one last comment: the most important step was actually configuring the Spring Boot application to listen on https:

https://stackoverflow.com/questions/30896234/how-set-up-spring-boot-to-run-https-http-ports

then making sure nginx on each instance forwards on https (make sure the https listener port matches the port in /nginx/conf.d/elasticbeanstalk/00_application.conf):

http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/java-tomcat-proxy.html
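For the second step, the instance-side proxy fragment below is an added example, not taken from the thread or from the AWS docs. It assumes the Spring Boot application has been configured for HTTPS (`server.ssl.key-store` and related properties) on `127.0.0.1:5000`, which is the port Elastic Beanstalk's `00_application.conf` proxies to by default, and that nginx itself is already listening for TLS in one of the two end-to-end modes described in #4, so `$scheme` is `https` on this hop.

```nginx
# Added example: location block for
# /etc/nginx/conf.d/elasticbeanstalk/00_application.conf
# Assumption: the Spring Boot app listens for HTTPS on 127.0.0.1:5000.
location / {
    # Forward over TLS so the backend's own request scheme is https;
    # a plain http:// proxy_pass here is what produces the http://
    # redirect URI the thread started with.
    proxy_pass          https://127.0.0.1:5000;
    proxy_http_version  1.1;

    # Preserve what the client sent, for URL building and logging.
    proxy_set_header    Host               $host;
    proxy_set_header    X-Real-IP          $remote_addr;
    proxy_set_header    X-Forwarded-For    $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto  $scheme;

    # Verify the backend certificate so the hop is authenticated, not
    # just encrypted (point this at the CA that signed the app's cert).
    proxy_ssl_verify                on;
    proxy_ssl_trusted_certificate   /etc/pki/tls/certs/backend-ca.pem;  # placeholder path
}
```

Check the result by confirming the port in `proxy_pass` matches `server.port` in the application, then requesting the login page through the load balancer and verifying that the `redirect_uri` parameter sent to Auth0 starts with `https://`.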


#6

Hola folks,

I had similar issues when working with ASP.NET MVC5. After some research I was able to find a solution that worked for me over here: https://stackoverflow.com/questions/48776900/facebook-login-recommending-to-require-https-how-to-configure-http-redirect-ur

The issue in the above question was with FB and not Auth0, but the problem is similar, and the solution seems to work.

