Issue with Callback URL Mismatch

Hi Support Team,

I hope this message finds you well. I am currently facing an issue with Auth0 while using wildcards in the Callback URL configuration.

In the Auth0 dashboard, I have configured the Callback URL as http://*.localhost:3000/api/auth/callback. The login process works fine on the Auth0 login site when initiated from http://test.localhost:3000. However, after the login, the callback URL seems to be incorrect, resulting in the following error:

CallbackHandlerError: Callback handler failed. CAUSE: Missing state cookie from login request (check login URL, callback URL, and cookie config).

Upon further investigation, it appears that the login cookie is created under the domain http://test.localhost:3000, while the callback URL is set as http://localhost:3000/api/auth/callback?code=UupJEMc9

Can you guide me on how to solve this?

Thank you for your assistance.

Best regards,

Hey there @german1! Welcome to Auth0!

It looks like the way you use the wildcard will not work.

Please take a look at this topic (wildcards with localhost:port) - Wildcards for subdomain callbacks not working

General guidance for wildcards - Subdomain URL Placeholders

Thanks!

I tested using another path in the URL like http://test.foo.localhost:3000 and it still happens.

We deployed the project in amplify and we keep getting the same error, it doesn’t only happen in local environment.

We deployed and configured under a URL like this: https://*.foo.example.com
If we execute the login from https://test.foo.example.com the callback URL is set as https://foo.example.com.

Hey @german1 , thank you for following up.

I double checked locally by initializing auth0 client to callback to a single level subdomain callback URL like https://subdomain.domain.com and allowing https://*.domain.com on my Auth0 tenant and it works well.

However, unfortunately, it will not work with multilevel subdomains.

I tested with only one subdomain and the final callback URL throws a page error.
Could you share with us the repo and the tenant config that you use?

Hi @german1 ,

I don’t think the issue is with the callback mismatch. A few members had a similar issue and the reason was outdated packages. Here’s a topic for reference.

I am using the repo associated with this doc for a Single Page App.
For the URL you can use any specific single subdomain URL.

To test it, it’s enough to send an /authorize request (an example below) with a redirect_uri param set to any specific single-subdomain URL (do not use any wildcard in the request or in your app code; use the wildcard only in the Auth0 tenant’s settings for a specific app, like https://*.google.com/domains/) to initiate the login flow and, once authenticated, to be redirected to your page.

https://{your_auth0_domain}.com/authorize?client_id={xxx}&scope=openid+profile+email&redirect_uri={url}&response_type=code

Hope this helps!
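As an added illustration of the advice in this thread (not code from the original posts or from Auth0), the snippet below builds the /authorize request quoted above with a fresh state value, and checks a concrete redirect_uri against the tenant's allowed-callback patterns before sending it. The matcher's rules are an assumption distilled from the replies (a single leading `*` matches exactly one subdomain level, multilevel subdomains and a wildcard on a bare host such as `*.localhost:3000` are not covered); the function names, tenant domain and client id are placeholders, not real Auth0 identifiers.

```python
import re
import secrets
from urllib.parse import urlencode, urlsplit


def wildcard_matches(pattern: str, redirect_uri: str) -> bool:
    """Return True if redirect_uri is covered by an allowed-callback pattern.

    The rules below are an assumption distilled from the thread, not Auth0's code:
    - scheme, port and path must match exactly;
    - a single '*' is allowed only as the leftmost host label;
    - '*' matches exactly one DNS label (one subdomain level), so
      https://*.foo.example.com covers test.foo.example.com but neither
      a.b.foo.example.com nor foo.example.com itself;
    - the part after '*.' must itself be a dotted name, so a wildcard on a
      bare host such as *.localhost:3000 is rejected.
    """
    p, u = urlsplit(pattern), urlsplit(redirect_uri)
    if not p.hostname or not u.hostname:
        return False
    if (p.scheme, p.port, p.path) != (u.scheme, u.port, u.path):
        return False
    if "*" not in p.hostname:
        return p.hostname == u.hostname
    base = p.hostname[2:]
    if not p.hostname.startswith("*.") or "*" in base or "." not in base:
        return False
    label = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
    return re.fullmatch(label + r"\." + re.escape(base), u.hostname) is not None


def build_authorize_url(auth0_domain: str, client_id: str, redirect_uri: str,
                        allowed_patterns: list[str]) -> tuple[str, str]:
    """Build the /authorize URL from the thread and return it with its state.

    The app must store the returned state in a cookie on the same host it
    starts the login from; if the callback lands on a different host (the
    symptom in the thread), that cookie is not sent back and the callback
    handler fails with 'Missing state cookie'.
    """
    if "*" in redirect_uri:
        raise ValueError("redirect_uri must be a concrete URL; wildcards belong only in tenant settings")
    if not any(wildcard_matches(p, redirect_uri) for p in allowed_patterns):
        raise ValueError(f"{redirect_uri} is not covered by the allowed callback URLs")
    state = secrets.token_urlsafe(32)
    query = urlencode({
        "client_id": client_id,
        "scope": "openid profile email",
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "state": state,
    })
    return f"https://{auth0_domain}/authorize?{query}", state


if __name__ == "__main__":
    # Constructed values: the tenant domain and client id are placeholders.
    allowed = ["https://*.foo.example.com/api/auth/callback"]
    url, state = build_authorize_url("your-tenant.example.auth0.com", "CLIENT_ID_PLACEHOLDER",
                                     "https://test.foo.example.com/api/auth/callback", allowed)
    print(url)
```

The check runs client-side before the redirect, so a misconfigured pattern (for example a wildcard expected to cover two subdomain levels) surfaces as a clear error in your own logs rather than as a mismatched callback host and a missing state cookie after the round trip to Auth0.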
