Not logging in when using universal login behind a reverse proxy

My site is behind a reverse proxy (deployed to one domain and used as a host from another domain using fastly config). My login flow is working fine locally and in staging (not using a reverse proxy), but on prod it “successfully” logs in on auth0’s side according to the logs and redirects back to my site, but doesn’t fully authenticate. I see the appSession cookie too, but it’s being sent to my login page that usually redirects to auth0 login (which then should redirect to a different page after a user logs in or is already logged in), but instead it’s just an infinite loop between my login page and auth0’s login page. If I refresh, then it resets and I get the auth0 login page again.

So my question is, is there anything that would inherently not work correctly with auth0 behind a reverse proxy? I’ve tried to narrow down the issue to either on my side or auth0’s side, but since I get sent back to login after refreshing, I feel like something with the sessions isn’t correct. That could still be something with how I’m setting the host header during the reverse proxy or maybe passing in an incorrect auth0 url, just looking to see if anyone else has experience with this setup.

Hello,
It sounds like you’re dealing with an issue related to Auth0 authentication behind a reverse proxy. Let’s explore some potential solutions and considerations:

Gateway Authentication Mode:
- Auth0 can indeed work behind a reverse proxy. In fact, it’s recommended to configure Auth0 in gateway authentication mode when components need to be accessed via a reverse proxy.
- In this mode, all components (including Auth0) should be behind the gateway. The gateway handles authentication requests and communicates with Auth0.
- Ensure that your reverse proxy is correctly configured to pass requests to Auth0 and handle the necessary redirects.

Session Handling:
- Since you mentioned an infinite loop between your login page and Auth0’s login page, it’s essential to verify how sessions are managed.
- Check if the session cookies (such as appSession) are being handled correctly by both your application and Auth0.
- Ensure that the session state is maintained consistently across requests.

Host Header and URL Configuration:
- Verify that the host header set during the reverse proxy configuration matches the expected domain for Auth0.
- Double-check the Auth0 configuration (e.g., allowed callback URLs, logout URLs) to ensure they align with the reverse proxy setup.
- Confirm that the Auth0 URL (e.g., auth0_domain.auth0.com) is correctly passed through the reverse proxy.

Logging and Debugging:
- Enable detailed logging on both your application and Auth0 to identify any issues during the authentication flow.
- Look for error messages or unexpected behavior in the logs.
- Use browser developer tools to inspect network requests during the login process.

Best Regards
nestorg780

@nestorg780reen Thanks for the response and possible solutions. I’ve gone through a lot of it and I think I narrowed it down to cookie configuration. The appSession cookie is being set on the main domain specifically, let’s call it somesite.com. But since my proxied site is on a subdomain, it’s not getting the cookie. I could configure auth0 to set the cookie on all subdomains (.somesite.com), but then that would mean it would conflict with my staging environment at staging.somesite.com, right? Is there a way to accomplish this and keep my prod and staging cookies separate?
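
Added example, not part of the original thread and not Auth0's code: a simplified model of the browser's RFC 6265 cookie scoping for the setups discussed above (host-only cookie, Domain=.somesite.com, and a per-environment cookie name). The host app.somesite.com, the cookie name appSessionStaging and the cookie values are constructed, and it assumes the application lets you choose the session cookie name.

```javascript
// Added example: simplified RFC 6265 cookie scoping (path, Secure, expiry omitted).
// app.somesite.com, appSessionStaging and the values are constructed for illustration.

// RFC 6265 5.1.3 domain-match: same host, or host ends with "." + domain.
function domainMatches(host, domain) {
  const d = domain.toLowerCase().replace(/^\./, ""); // a leading dot is ignored
  const h = host.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Store a cookie as a browser would after Set-Cookie from `setByHost`.
// No Domain attribute means host-only: sent back to that exact host only.
function storeCookie(jar, setByHost, { name, value, domain }) {
  if (domain && !domainMatches(setByHost, domain)) return false; // foreign domain: rejected
  const scope = (domain || setByHost).toLowerCase().replace(/^\./, "");
  const entry = { name, value, domain: scope, hostOnly: !domain };
  // Cookie identity is (name, domain): the same name on another domain is a second cookie.
  const i = jar.findIndex(c => c.name === name && c.domain === scope);
  if (i >= 0) jar[i] = entry; else jar.push(entry);
  return true;
}

// Cookie header values the browser attaches to a request for `host`.
function cookiesFor(jar, host) {
  const h = host.toLowerCase();
  return jar
    .filter(c => (c.hostOnly ? h === c.domain : domainMatches(h, c.domain)))
    .map(c => `${c.name}=${c.value}`);
}

function demo() {
  const prodWide = { name: "appSession", value: "prod", domain: ".somesite.com" };
  const hostOnly = [], shared = [], renamed = [];
  storeCookie(hostOnly, "somesite.com", { name: "appSession", value: "prod" });
  storeCookie(shared, "somesite.com", prodWide);
  storeCookie(shared, "staging.somesite.com", { name: "appSession", value: "stg" });
  storeCookie(renamed, "somesite.com", prodWide);
  storeCookie(renamed, "staging.somesite.com", { name: "appSessionStaging", value: "stg" });
  return {
    hostOnlyOnSubdomain: cookiesFor(hostOnly, "app.somesite.com"),
    sharedOnStaging: cookiesFor(shared, "staging.somesite.com"),
    renamedOnStaging: cookiesFor(renamed, "staging.somesite.com"),
    renamedOnProd: cookiesFor(renamed, "app.somesite.com"),
  };
}

console.log(demo());
```

In the last setup the parent-domain cookie is still delivered to staging.somesite.com; the different name only stops the two sessions from shadowing each other.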