Web Server behind Gateway + Authorization Flow

Hi, I have an Azure Web App behind an Azure Application Gateway. The Application Gateway redirects traffic to the back-end web server:
Browser → Nice URL → App Gateway → Real Web App URL
I am using Auth0 Authorization Code flow.
The first part of the login works fine - I log in and Auth0 confirms a successful login. However, the browser then errors:

OpenIdConnectProtocolException: Message contains error: ‘unauthorized_client’, error_description: ‘The redirect URI is wrong. You sent https://my-web-app.azurewebsites.net:443, and we expected https://web.acme.com:443’, error_uri: ‘error_uri is null’.

The Auth0 logs show “type”: “feacft”

I know what the problem is but I do not know the fix.

The problem is that Auth0 sends an authorization code back to the app. The app then contacts Auth0 directly (as per the OAuth flow spec) to exchange the authorization code for an access token. Because it is a direct conversation, the app sends what it thinks is the correct redirect URL to Auth0, which rejects it because it doesn’t match the original authorization code.

We could probably hard code the redirect URI into the token request, but that seems to me to be clunky as we don’t really want the web server to know or care how it is addressed to the outside world.

Also, this presumably is a generic problem that any web farm has with a gateway in front of the farm?

2 Likes

Hey dude… I had the same problem. I tracked it down to a few lines in the getVerifiedTokens method of RequestProcessor.java in the Auth0 library:

    // Code/Hybrid flow
    String redirectUri = request.getRequestURL().toString();
    codeExchangeTokens = exchangeCodeForTokens(authorizationCode, redirectUri);

The problem is that if you are using a proxy, the getRequestURL method returns what the proxy is forwarding to. In my case it was the IP address, which doesn’t match the original request.

So my hack to get around this was, instead of passing the original HttpServletRequest to controller.handle (controller is the AuthenticationController), I create a wrapper object based on HttpServletRequestWrapper, and that returns whatever URL I want (i.e. with the correct domain name).

Hope that helps!

3 Likes
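An added example of the wrapper approach described in the reply above (not the poster's code and not part of the Auth0 library): the public origin is taken from application configuration rather than from forwarded headers, so nothing a client sends can change the redirect_uri the app presents to /token. Assumes the javax.servlet API and a hypothetical class name PublicUrlRequestWrapper.

```java
import java.net.URI;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Presents the request to the Auth0 controller as if it had arrived at the
 * public origin (scheme + host + port) the browser actually used, so that the
 * redirect_uri sent to /token matches the one sent to /authorize.
 *
 * Usage in the callback servlet (hypothetical):
 *   Tokens tokens = controller.handle(
 *       new PublicUrlRequestWrapper(request, "https://web.acme.com"));
 */
public class PublicUrlRequestWrapper extends HttpServletRequestWrapper {
    private final URI publicOrigin;

    public PublicUrlRequestWrapper(HttpServletRequest request, String publicOrigin) {
        super(request);
        URI origin = URI.create(publicOrigin);
        // Accept only scheme://host[:port]; a path here would corrupt the rebuilt URL.
        if (origin.getScheme() == null || origin.getHost() == null || origin.getRawPath().length() > 1) {
            throw new IllegalArgumentException("publicOrigin must be scheme://host[:port], got " + publicOrigin);
        }
        this.publicOrigin = origin;
    }

    @Override public String getScheme() { return publicOrigin.getScheme(); }
    @Override public String getServerName() { return publicOrigin.getHost(); }
    @Override public boolean isSecure() { return "https".equals(publicOrigin.getScheme()); }

    @Override public int getServerPort() {
        if (publicOrigin.getPort() != -1) return publicOrigin.getPort();
        return isSecure() ? 443 : 80;
    }

    /** Public origin plus the path the gateway forwarded, e.g. https://web.acme.com/callback */
    @Override public StringBuffer getRequestURL() {
        StringBuffer url = new StringBuffer(getScheme()).append("://").append(getServerName());
        int port = getServerPort();
        boolean defaultPort = (isSecure() && port == 443) || (!isSecure() && port == 80);
        if (!defaultPort) url.append(':').append(port);
        // getRequestURI() is the path only, which the gateway passes through unchanged.
        return url.append(getRequestURI());
    }
}
```

The same public origin must be used when building the /authorize URL, otherwise the two redirect_uri values still differ.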

Thanks for sharing it with the rest of community!

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Please make sure that if you use the suggested fix in this thread, the redirect_uri param matches for both the request to /authorize and /token. To do otherwise is a violation of the OAuth2 specification.

2 Likes

Thanks for sharing that Thomas!