It seems that the part failing is the exchange of a code for a the authentication results (access_token and others). When you exchange the code for a token you need to provide the client authentication data (client_id and client_secret), the code you received, the grant type (authorization_code) and the redirect_uri you originally provided (see Add Login Using the Authorization Code Flow for more information on what goes on under the hood).
Are you using our quickstart (Auth0 Python SDK Quickstarts: Login) as guidance? If so, the SDK should take care of providing the expected parameters when doing the code exchange (Auth0 Python SDK Quickstarts: Login).
If not, follow your code to make sure that the redirect_uri originally provided in the /authorize request is also included in the /oauth/token request from the callback handler.
I’m also noticing this. It seems to be intermittent, but if there is a problem, I’m inclined to say it’s on auth0’s side. There is no way to pass an “undefined” URL parameter and the callback has no json body, so it’s an internal error on Auth0’s that’s somehow being exposed to users.
It happens on about 1/4 requests I make. I’m not sure what to do, besides do an automated retry, which actually usually works.
Authlib pulls request_uri and sends it to the authorize token endpoint. If there’s no request_uri in the session, it doesn’t add it to the body.
Auth0, on the other hand, seems to silently require a redirect_uri not just in the original request, but in the authorization thereof. If it’s not in the session data, it doesn’t get send in the post. If it doesn’t get send in the post, auth0 has an internal server error and erroneously tells the API consumer that it’s “undefined.”
So I guess we know what language their app server is written in.
