Invalid_request: Invalid redirect_uri. Expected type 'string' but found type undefined

We’re using Classic Universal Login with passwordless only and magic link emails.

Clicking on the email link logins successfully on Auth0 and our callback is called with two params - ‘state’ and ‘code’.

Our callback is using Python + Flask

However, when during the callback processing it fails with:

authlib.common.errors.AuthlibBaseError: invalid_request: Invalid redirect_uri. Expected type ‘string’ but found type undefined

Auth0 Logs is showing a “Failed Exchange” type error.

I’m sure we are doing something obviously wrong - its just not that obvious to me!

Has anyone else experienced this error?

1 Like

Hey @proj_l

It seems that the part failing is the exchange of a code for a the authentication results (access_token and others). When you exchange the code for a token you need to provide the client authentication data (client_id and client_secret), the code you received, the grant type (authorization_code) and the redirect_uri you originally provided (see for more information on what goes on under the hood).

Are you using our quickstart ( as guidance? If so, the SDK should take care of providing the expected parameters when doing the code exchange (
If not, follow your code to make sure that the redirect_uri originally provided in the /authorize request is also included in the /oauth/token request from the callback handler.

I’m also noticing this. It seems to be intermittent, but if there is a problem, I’m inclined to say it’s on auth0’s side. There is no way to pass an “undefined” URL parameter and the callback has no json body, so it’s an internal error on Auth0’s that’s somehow being exposed to users.

It happens on about 1/4 requests I make. I’m not sure what to do, besides do an automated retry, which actually usually works.

1 Like

Ah, I’ve figured it out.

Authlib pulls request_uri and sends it to the authorize token endpoint. If there’s no request_uri in the session, it doesn’t add it to the body.

Auth0, on the other hand, seems to silently require a redirect_uri not just in the original request, but in the authorization thereof. If it’s not in the session data, it doesn’t get send in the post. If it doesn’t get send in the post, auth0 has an internal server error and erroneously tells the API consumer that it’s “undefined.”

So I guess we know what language their app server is written in. :wink:

so this is still problematic and only succeeds 20% of the time.

“authlib.common.errors.AuthlibBaseError: invalid_request: Invalid redirect_uri. Expected type ‘string’ but found type undefined.”

Is there a better solution from Auth0 here?

1 Like

@nicolas_sabena It seems this issue is still occurring. Any chance of getting this fixed?

yup…but only cause they don’t care…

any updates on this - just started seeing it