Bug: Redirect URI mismatch when attempting to complete login flow

[wyze]

Bug: Redirect URI mismatch when attempting to complete login flow

Summary

The incoming url in the below snippet may not match the correct protocol when using a reverse proxy (ALB). This in turn causes an issue when verifying the token as the URL created doesn't match what was supplied to redirect_uri.

auth0-hono/src/middleware/callback.ts

Line 33 in 2a2db63

>(createRouteUrl(c.req.url, baseURL), c);

Expected Behavior

The login interaction is able to complete and the user is logged in.

Actual Behavior

An error is thrown because the redirect_uri doesn't match what was supplied when initiating the login flow.

Impact

• Users are unable to login.

Suggested Fix

Either:

1. Use just the pathname as the first argument, c.req.path vs c.req.url
   • Writing this ticket, dawned on me, there could be search params, so we would want path + search params
2. Ensure the c.req.url protocol matches the baseUrl protocol

[butameron]

Same here. I use Codespaces port forwarding.

'The redirect URI is wrong. You sent http://localhost:5173, and we expected https://xxxxx-5173.app.github.dev',

I found a workaround (which Claude Code suggests).

Add a custom route with customRoutes: ['callback'], settings, add a custom callback route, and directly call client.completeInteractiveLogin with the corrected URL (replacing the protocol and hostname with baseUrl).

I don't know whether this is secure or not.

This may relate to the problem that Hono's c.req.url does not consider a reverse proxy.
https://hono.pages.dev/examples/behind-reverse-proxy