WebAuth cannot login with Username-Password-Authentication; Identity works fine

Hi! We are having some trouble getting Username-Password-Authentication connections to work for our site. After logging into the Lock screen (e.g., https://company.auth0.com/login), Auth0 successfully redirects to our site callback (e.g., https://company.com/callback) but the hash has an error ‘#error=unauthorized_client&error_description=Callback%20URL%20mismatch’ and the error description from the logs is “Callback URL mismatch. https://company.auth0.com/login is not in the list of allowed callback URLs”. I am not sure why Auth0 is thinking ‘https://company.auth0.com/login’ is the callback (again, Auth0 successfully redirected back to our site’s callback, so we clearly set the redirect_uri correctly).

This only happens for users that we create in the Auth0 admin console. Logging in with an Identity provider such as Google works fine.

Any help debugging this would be greatly appreciated.

For these situations the most efficient way for troubleshooting would be to have access to an HTTP trace of all the requests that lead to the error; there’s reference documentation on how to capture an HAR at (Generate and Analyze HAR Files).

However, you would need to be mindful of redacting any sensitive data (passwords, session cookies) from the trace before sharing a public link to it.

Hi, thanks for the response. Here is the HAR file (easury.auth0.com.har, 1.0 MB).

After I type in the username and password and click ‘Login’, a request is sent to https://easury.auth0.com/usernamepassword/login and the payload has redirect_uri: "https://easury.auth0.com/login".

I am not sure where Auth0 is getting that redirect uri. The initial call to https://easury.auth0.com/authorize from our application has the correct redirect uri in the query parameters redirect_uri: https://beta.easury.com/callback.

From a review of the HAR file and the tenant configuration the issue is that you have an incorrectly configured custom login page.

In particular, where one would expect to have Lock in the custom hosted login page configured like:

      auth: {
        // redirect mode: after login Lock sends the user back to the application callback
        redirectUrl: config.callbackURL,
        responseType: (config.internalOptions || {}).response_type ||
          (config.callbackOnLocationHash ? 'token' : 'code'),
        params: config.internalOptions
      },

your current configuration has:

      auth: {
        // incorrect: redirect mode is disabled and no redirectUrl is set, so the hosted
        // login page's own URL ends up as the redirect_uri (as seen in the HAR)
        redirect: false,
        responseType: (config.internalOptions || {}).response_type ||
          (config.callbackOnLocationHash ? 'token' : 'code'),
        params: config.internalOptions
      },

Notice that the incorrect configuration has ‘redirect: false’ when it should have ‘redirectUrl: config.callbackURL’.
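As an added illustration (not code from Auth0 or from the thread), the following builds the Lock ‘auth’ options the way the hosted login page template above does and checks an existing options object for the misconfiguration described in this reply. The ‘config’ object mirrors the fields the hosted page template reads (callbackURL, internalOptions, callbackOnLocationHash); the sample values are constructed placeholders.

```javascript
// Builds the `auth` block for Lock from the hosted-page `config` object,
// reproducing the responseType expression used in the default template.
function buildAuthOptions(config) {
  const internal = config.internalOptions || {};
  return {
    redirectUrl: config.callbackURL,
    responseType: internal.response_type ||
      (config.callbackOnLocationHash ? 'token' : 'code'),
    params: internal,
  };
}

// Inspects an `auth` block and returns a list of problems (empty means OK).
// Catches the exact mistake from this thread: redirect mode disabled and/or
// no redirectUrl, which makes the hosted page itself become the redirect_uri.
function checkAuthOptions(auth, config) {
  const problems = [];
  if (auth.redirect === false) {
    problems.push('auth.redirect is false: Lock will not redirect to the application callback');
  }
  if (!auth.redirectUrl) {
    problems.push('auth.redirectUrl is missing: redirect_uri defaults to the hosted login page');
  } else if (auth.redirectUrl !== config.callbackURL) {
    problems.push('auth.redirectUrl (' + auth.redirectUrl +
      ') differs from config.callbackURL (' + config.callbackURL + ')');
  }
  return problems;
}

// Constructed sample config (placeholder values, not a real tenant).
const sampleConfig = {
  callbackURL: 'https://beta.example.com/callback',
  internalOptions: { response_type: 'token id_token', scope: 'openid' },
  callbackOnLocationHash: true,
};

// The misconfigured block from the thread, for comparison.
const brokenAuth = {
  redirect: false,
  responseType: 'token',
  params: sampleConfig.internalOptions,
};

console.log('broken :', checkAuthOptions(brokenAuth, sampleConfig));
console.log('correct:', checkAuthOptions(buildAuthOptions(sampleConfig), sampleConfig));
```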

Thanks! I didn’t think to look in the custom login. I was just changing the logo and color so I just reverted back to the Auth0 default and used the settings page to change that (which I somehow missed before). Thanks for helping to debug this. Much appreciated.
