I’m having an issue with redirection behavior based on my Auth0 application settings.
In my Auth0 app configuration, I have two entries in the Allowed Web Origins: one for my production environment and another for localhost (for development).
However, when I open the app in localhost, it automatically redirects me to the production domain.
If I change the order of the Allowed Web Origins (putting localhost first), then opening the app in production redirects me to localhost instead.
It’s as if the app is always redirecting to the first origin in the list, regardless of which domain I’m actually accessing.
Is this expected behavior? Shouldn’t the redirect URI depend on the actual environment the app is running in?
Reading through your use-case, I believe that the issue is likely related to the redirect_uri parameter that needs to be set dynamically, based on the environment that you are running at any given time. You can read more on this from our documentation on how to Redirect Users.
The redirect_uri sent in a /authorize request needs to point towards where you want your users to be redirected after a successful authentication - you can view the following Authorization URL example for the location of the request and it’s parameters.
Additionally, depending on the SDK that you’re using, redirect_uri: window.location.origin is used to dynamically set the redirect so that, if you are running on localhost, window.location.origin should point to your localhost address.