I’m getting started with Auth0 and need my application to be served over https, not http.
This is a regular web application with the Authorization Code grant type.
I’m serving the Python Flask sample application (from Auth0’s GitHub) via ngrok and everything works fine except that after logging in, Auth0 redirects using HTTP, not HTTPS.
Do you have “http” in the allowed callbacks, as well as https? If so, remove it and retest.
If you do not, then I suspect something is happening to redirect the https://… to http://… that is not related to Auth0. Auth0 won’t call the http version of the callback unless it is in the allowed callbacks.
I’m not familiar with Python / Flask, but I believe the following is happening:
You have Flask set up to handle HTTP requests
Ngrok is terminating your HTTPS requests and forwarding them on as HTTP requests to Flask
Flask thinks the user is using HTTP and is therefore generating HTTP redirect URLs
I think you need to use the X-Forwarded-Proto header which I believe Ngrok now supports. Essentially this header allows the proxy (Ngrok in this case) to tell the back-end server which scheme was used for the request and therefore what scheme to use for any generated URLs.
It appears that in Flask you just need to use the ProxyFix middleware component in order to handle this header:
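The mechanism the reply describes, shown as an added example that is not part of the original thread and not Auth0's sample or Werkzeug's code: a stdlib-only WSGI middleware that does what ProxyFix does for this one header, copying X-Forwarded-Proto into wsgi.url_scheme so that absolute URLs built by the app (here a hypothetical login_app whose redirect carries the callback URL) come out as https. The environ values (example.ngrok.io, /login, /callback) are constructed. In a real Flask app the equivalent line is app.wsgi_app = ProxyFix(app.wsgi_app, x_proto=1, x_host=1) from werkzeug.middleware.proxy_fix; the trusted flag below stands in for that count, because honouring the header when nothing in front of the app sets it lets any client choose the scheme the app believes it is on.

```python
"""Stdlib-only illustration of the X-Forwarded-Proto fix (constructed example)."""
from wsgiref.util import application_uri


def forwarded_proto_fix(app, trusted=True):
    """WSGI middleware: copy X-Forwarded-Proto into wsgi.url_scheme.

    `trusted` models ProxyFix's x_proto count: only honour the header when
    the app is known to sit behind a proxy (ngrok here) that sets it.
    Otherwise any client could supply the header and spoof the scheme.
    """
    def wrapped(environ, start_response):
        proto = environ.get("HTTP_X_FORWARDED_PROTO")
        if trusted and proto in ("http", "https"):
            environ["wsgi.url_scheme"] = proto
        return app(environ, start_response)
    return wrapped


def callback_url(environ):
    """Build the absolute callback URL the way url_for(..., _external=True)
    would: scheme and host come straight from the WSGI environ."""
    return application_uri(environ) + "callback"


def login_app(environ, start_response):
    """Hypothetical minimal app: redirect to the IdP, passing our callback URL."""
    location = callback_url(environ)
    start_response("302 Found", [("Location", location)])
    return [b""]


def make_environ(scheme="http", host="example.ngrok.io", forwarded_proto=None):
    """Constructed WSGI environ approximating ngrok -> Flask: the inbound
    hop is plain HTTP, and ngrok reports the original scheme in a header."""
    environ = {
        "REQUEST_METHOD": "GET",
        "SCRIPT_NAME": "",
        "PATH_INFO": "/login",
        "SERVER_NAME": "localhost",
        "SERVER_PORT": "80",
        "HTTP_HOST": host,
        "wsgi.url_scheme": scheme,
    }
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    return environ


def redirect_location(app, environ):
    """Invoke a WSGI app and return the Location header it sent."""
    headers = {}

    def start_response(status, response_headers, exc_info=None):
        headers.update(response_headers)

    list(app(environ, start_response))
    return headers.get("Location")


if __name__ == "__main__":
    env = make_environ(forwarded_proto="https")
    print("without fix:", redirect_location(login_app, env))
    print("with fix:   ", redirect_location(forwarded_proto_fix(login_app), env))
```

Running the module prints the http callback first and the https one second, which is exactly the symptom in the question and its fix. Keep the header handling switched on only for deployments that really sit behind the proxy; when the same code runs directly exposed, leave it off so the scheme cannot be chosen by the caller.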