Why does Auth0 keep redirecting to a non-secure http URL instead of https?

I’m using Auth0 Classic with Auth0 for PHP library. My site is on Heroku. When I log in from a secure URL (https), I’m taken to a secure Auth0-hosted login page

https://dev-2jwty8k3.auth0.com/login

but after logging in, I’m redirected to my site at a non-secure URL (http) instead of https, even though my Allowed Callback URL specifically specifies an https URL. The same applies when I log out. It seems that Auth0 always redirects you to non-secure URLs.

How can I tell Auth0 to always redirect to a secure https URL?

Hi @abdullah747,

The callback URL you are directing to will be configured in your application’s code. With the PHP SDK it looks like it lives in your .env file. Have you changed that to the https domain you want to redirect to?

Let me know if this works for you.

Thanks,
Dan

Thanks for the quick response. It turns out that after Auth0 logs me in and redirects me to a secure URL, I had additional logic that was redirecting me to another URL without a trailing slash. Since Heroku terminates SSL / TLS at their load balancer and Apache, by default, redirects URLs without a trailing slash to the same ones with a trailing slash, this was causing a redirect from https to http. To solve this, I added trailing slashes to all URLs and added a .htaccess file with redirect rules to force https on all URLs.
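
A sketch of the kind of .htaccess rules the reply above describes, added here as an example and not the poster's actual file. It assumes mod_rewrite is enabled and that the load balancer sets the X-Forwarded-Proto header, as Heroku's router does.

```apache
# Added example (not the poster's file): force https behind a
# TLS-terminating load balancer.
RewriteEngine On

# TLS ends at the load balancer, so Apache itself only ever sees plain
# HTTP and %{HTTPS} is always "off" here. The scheme the browser actually
# used is carried in the X-Forwarded-Proto request header instead.
RewriteCond %{HTTP:X-Forwarded-Proto} !=https
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Apache builds its automatic "add a trailing slash" redirect for
# directories from its own view of the request, which is http. Issue that
# redirect here with an explicit https scheme so the hop never downgrades.
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule [^/]$ https://%{HTTP_HOST}%{REQUEST_URI}/ [R=301,L]

# %{HTTP_HOST} reflects the client-supplied Host header. On a site with a
# single canonical hostname, writing that hostname literally in the two
# rules above avoids echoing an untrusted value into the Location header.
```

After deploying, `curl -sI` against an http URL and against a directory URL without a trailing slash should both return a `Location:` header that starts with `https://`.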

Glad you found a solution!
