Auth0 Home Blog Docs

Regular app redirect to HTTPS?


#1

I’m getting started with Auth0 and need my application to be served over https, not http.

This is a regular web application with the Authorization Code grant type.

I’m serving the Python Flask sample application (from Auth0’s github) via ngrok and everything works fine except that after logging in, Auth0 redirects using HTTP, not HTTPS.

The url I’m generating is:

https://bridgeft.auth0.com/authorize?response_type=code&client_id=...&redirect_uri=https%3A%2F%2F3e28bbe9.ngrok.io%2Fcallback&scope=openid+profile&state=...&audience=https%3A%2F%2Fbridgeft.auth0.com%2Fuserinfo&prompt=none

However in the auth flow I always land at:
http://3e28bbe9.ngrok.io/dashboard

Instead of:
https://3e28bbe9.ngrok.io/dashboard

The allowed callback urls and web origins specify https.

Thanks in advance!
Best,
Alan


#2

A couple of thoughts:

Do you have “http” in the allowed callbacks, as well as https? If so, remove it and retest.

If you do not, then I suspect something is happening to redirect the https://… to http://… that is not related to Auth0. Auth0 won’t call the http version of the callback unless it is the allowed callbacks.

John


#3

I’m not familiar with Python / Flask, but I believe the following is happening:

  • You have Flask setup to handle HTTP requests
  • Ngrok is terminating your HTTPS requests and forwarding them on as HTTP requests to Flask
  • Flask thinks the user is using HTTP and is therefore generating HTTP redirect URLs

I think you need to use the X-Forwarded-Proto header which I believe Ngrok now supports. Essentially this header allows the proxy (Ngrok in this case) to tell the back-end server which scheme was used for the request and therefore what scheme to use for any generated URLs.

It appears that in Flask you just need to use the ProxyFix middleware component in order to handle this header:

Failing this, you could try setting the PREFERRED_URL_SCHEME.

Hope this helps.


#4

Thank you so much! I believe you’re correct on all points.

Much appreciated,
Alan