Hi, I have an Azure Web App behind an Azure Application Gateway. The Application Gateway redirects traffic to the back end web server:
Browser → Nice URL → App Gateway → Real Web App URL
I am using Auth0 Authorization Code flow.
The first part of the login works fine - I log in and Auth0 confirms a successful login. However, the browser then errors:
OpenIdConnectProtocolException: Message contains error: ‘unauthorized_client’, error_description: ‘The redirect URI is wrong. You sent https://my-web-app.azurewebsites.net:443, and we expected https://web.acme.com:443’, error_uri: ‘error_uri is null’.
The Auth0 logs show “type”: “feacft”.
I know what the problem is but I do not know the fix.
The problem is that Auth0 sends an authorization code back to the app. The app then contacts Auth0 directly (as per the OAuth flow spec) to exchange the authorization code for an access token. Because it is a direct conversation, the app sends what it thinks is the correct redirect URL to Auth0, which rejects it because it doesn’t match the original authorization code.
We could probably hard code the redirect URI into the token request, but that seems to me to be clunky as we don’t really want the web server to know or care how it is addressed to the outside world.
Also, this presumably is a generic problem that any web farm has with a gateway in front of the farm?
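The failure described above, as an added Python example that is not part of the post or of Auth0's or ASP.NET's code: a minimal authorization server that binds each code to the redirect_uri it was issued for (RFC 6749 section 4.1.3), and a relying party that rebuilds its public redirect_uri from the gateway's forwarded headers instead of from the rewritten Host header. The hostnames come from the quoted error; the callback path, the gateway subnet, the peer addresses and the X-Original-Host / X-Forwarded-Proto header names are assumptions. Forwarded headers are honoured only when the request actually came from the gateway, so a client talking to the backend directly cannot inject a redirect host of its own choosing.

```python
import ipaddress
import secrets
from dataclasses import dataclass, field

# Hostnames are those in the quoted error; everything else here is assumed.
PUBLIC_HOST = "web.acme.com"
BACKEND_HOST = "my-web-app.azurewebsites.net"
CALLBACK_PATH = "/signin-oidc"                       # assumed callback route
GATEWAY_SUBNET = ipaddress.ip_network("10.0.1.0/24")  # assumed gateway subnet


@dataclass
class Request:
    """Minimal model of an HTTP request as the web app sees it."""
    host: str          # Host header, already rewritten by the gateway
    scheme: str
    remote_addr: str   # TCP peer: the gateway, or a client that bypassed it
    headers: dict = field(default_factory=dict)


def public_redirect_uri(req: Request, honour_forwarded: bool) -> str:
    """Build the redirect_uri the app presents to the authorization server.

    Forwarded headers are trusted only when the peer is the gateway; a header
    arriving from anywhere else could have been set by the client itself."""
    host, scheme = req.host, req.scheme
    if honour_forwarded and ipaddress.ip_address(req.remote_addr) in GATEWAY_SUBNET:
        host = (req.headers.get("X-Original-Host")
                or req.headers.get("X-Forwarded-Host") or host)
        scheme = req.headers.get("X-Forwarded-Proto") or scheme
    port = 443 if scheme == "https" else 80
    return f"{scheme}://{host}:{port}{CALLBACK_PATH}"


class MockAuthorizationServer:
    """Just enough of the authorization code grant to show the binding check."""

    def __init__(self, registered_redirect_uri: str):
        self.registered = registered_redirect_uri
        self.codes = {}  # code -> redirect_uri the code was issued for

    def authorize(self, redirect_uri: str) -> str:
        """Front channel: issue a code bound to the redirect_uri used."""
        if redirect_uri != self.registered:
            raise ValueError("callback URL mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = redirect_uri
        return code

    def token(self, code: str, redirect_uri: str) -> dict:
        """Back channel: the redirect_uri must equal the one bound to the code."""
        bound = self.codes.pop(code, None)  # codes are single use
        if bound is None:
            return {"error": "invalid_grant"}
        if redirect_uri != bound:
            # Same shape as the error quoted in the post.
            return {"error": "unauthorized_client",
                    "error_description": f"The redirect URI is wrong. You sent "
                                         f"{redirect_uri}, and we expected {bound}"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def gateway_request() -> Request:
    """Constructed callback request as forwarded by the gateway: Host rewritten
    to the backend name, original public host carried in a forwarded header."""
    return Request(host=BACKEND_HOST, scheme="https", remote_addr="10.0.1.4",
                   headers={"X-Original-Host": PUBLIC_HOST,
                            "X-Forwarded-Proto": "https"})


def run_code_exchange(honour_forwarded: bool) -> dict:
    """Start where the post does: the authorization request already succeeded
    with the public URI, and the callback now reaches the app via the gateway."""
    registered = f"https://{PUBLIC_HOST}:443{CALLBACK_PATH}"
    auth_server = MockAuthorizationServer(registered)
    code = auth_server.authorize(registered)
    # The app rebuilds redirect_uri from the callback request it received.
    redirect_uri = public_redirect_uri(gateway_request(), honour_forwarded)
    return auth_server.token(code, redirect_uri)


if __name__ == "__main__":
    print("Host header only:   ", run_code_exchange(honour_forwarded=False))
    print("Forwarded headers:  ", run_code_exchange(honour_forwarded=True))
```

With `honour_forwarded=False` the app derives `https://my-web-app.azurewebsites.net:443/signin-oidc` and the exchange fails exactly as in the post; with `True` it derives the public URI and gets a token. The same trust boundary is what ASP.NET Core's forwarded-headers middleware (`Microsoft.AspNetCore.HttpOverrides`) enforces with its `KnownProxies` / `KnownNetworks` settings, so the fix belongs in the proxy-awareness layer of the app rather than in the token request itself.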