unauthorized_client error complains about identical redirect URIs

I’m attempting to add single-sign on to a site with the Lock javascript client, using the following code:

var lock = new Auth0Lock('<clientid>', '<account>.auth0.com', {
    auth: {
        redirectUrl: "https://<address>/<path>/sso",
        responseType: 'code',
        params: {
            scope: 'openid email'

I’ve added https://<address>/<path>/sso to the list of allowed callback URLs for the client. Attempting to authenticate passes me through my SSO provider but when it returns to the application I get:

unauthorized_client: The redirect URI is wrong. You send https://<address>, 
and we expected https://<address>

Both URIs are exactly the same, but neither match the redirectURL value or any of the allowed callbacks. I’ve also tried adding https://<address> to the allowed callback lists but the same error is returned.

I could not reproduce the issue when trying with my own account configuration. Given this may be specific to your account you should provide some additional information, ideally, you should try to reproduce with a test client client application and provide it’s exact configuration including concrete URL’s; you can use localhost based URL’s so that you do not disclose any host information.

Alternatively, you can share the client identifier for which the error is occurring; per OAuth2 the client identifier is not confidential information, but if you’re worried about disclosing it you can always create a client application specific for the issue and then delete it after the root cause of the issue has been found.

The problem was two-fold: the actual issue was it was expecting a http redirect URI but was receiving a https one instead, but this was then masked in the front-end by a rewrite rule swapping http to https.

Thanks for the help, it turned out to be a dodgy nginx configuration.

1 Like

No problem, thanks for sharing the underlying issue.