Web Server behind Gateway + Authorization Flow

Hi, I have an Azure Web App behind an Azure Application Gateway. The Application Gateway redirects traffic to the back end web server:
Browser --> Nice URL --> App Gateway --> Real Web App URL
I am using Auth0 Authorization Code flow.
The first part of the login works fine - I log in and the Auth0 confirm successful login. However, the browser then errors:

OpenIdConnectProtocolException: Message contains error: ‘unauthorized_client’, error_description: ‘The redirect URI is wrong. You sent https://my-web-app.azurewebsites.net:443, and we expected https://web.acme.com:443’, error_uri: ‘error_uri is null’.

The Auth0 logs shows “type”: “feacft”

I know what the problem is but I do not know the fix.

The problem is that Auth0 sends an authorization code back to the app. The app then contacts Auth0 directly (as per the oAuth flow spec) to exchange the authorization code for an access token. Because it is a direct conversation, the app sends what it thinks is the correct redirect URL to Auth0 which rejects it because it doesn’t match the original authorization code.

We could probably hard code the redirect URI into the token request, but that seems to me to be clunky as we don’t really want the web server to know or care how it is addressed to the outside world.

Also, this presumably is a generic problem that any web farm has with a gateway in front of the farm?

1 Like

Hey dude… I had the same problem. I tracked it down to a few lines in getVerifiedTokens method of RequestProcessor.java in the Auth0 library:

            // Code/Hybrid flow
            String redirectUri = request.getRequestURL().toString();
            codeExchangeTokens = exchangeCodeForTokens(authorizationCode, redirectUri);

The problem is if you are using a proxy, the getRequestURL method returns what the proxy is forwarding to. In my case it was the IP address, which doesn’t match the original request.

So my hack to get around this was instead of passing the original HttpServletRequest to controller.handle (controller is the AuthenticationController), I create a wrapper object based on the HttpServletRequestWrapper, and that returns whatever URL I want (ie with the correct domain name).

Hope that helps!

1 Like

Thanks for sharing it with the rest of community!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.