auth0-samples / auth0-aspnet-owin-mvc-samples

Quickstart and samples for ASP.NET (OWIN) MVC
MIT License

Where is "callback"? #24

Closed glittle closed 4 years ago

glittle commented 4 years ago

I'm a bit confused...

Where in the code is the Callback URL?

I don't see any code that answers the POST to http://localhost:3000/callback

MarufHossain commented 4 years ago

The guide can be slightly confusing for beginners, as it was for me. You have to set the callback URL (http://localhost:3000/callback) in your Auth0 account's settings. Top right, click on your profile, then Settings. On the left-hand vertical menu column, select Application, then your app. Under Application URIs, you will find Allowed Callback URLs.

I think the callback URI is set in OWIN middleware and added to the MVC pipeline. In Startup.cs, app.UseOpenIdConnectAuthentication takes in an OpenIdConnectAuthenticationOptions object which has a property RedirectUri set to the callback URL.

stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If you have not received a response from our team (apologies for the delay) and this is still a blocker, please reply with additional information or just a ping. Thank you for your contribution! 🙇‍♂️

frederikprijck commented 4 years ago

Hi,

Sorry for the radio silence. As mentioned by @MarufHossain, you need to set the callback on the Auth0 accounts settings.

Next you can use OpenIdConnectAuthenticationOptions.RedirectUri or OpenIdConnectAuthenticationOptions.CallbackPath, see: https://docs.microsoft.com/en-us/dotnet/api/microsoft.owin.security.openidconnect.openidconnectauthenticationoptions.callbackpath?view=owin-4.1#Microsoft_Owin_Security_OpenIdConnect_OpenIdConnectAuthenticationOptions_CallbackPath

CallbackPath: An optional constrained path on which to process the authentication callback. If not provided and RedirectUri is available, this value will be generated from RedirectUri.

So in the sample applications, the callback is configured by setting the RedirectUri:

VED-StuartMorris commented 3 years ago

Whilst this explains where to set the callback, there is still no information on why.

Do you need an endpoint to be called?

The callback looks like it POSTs to that endpoint, presumably to complete authentication. But does that endpoint need to exist?

If we have a callback to our root domain or to rootdomain/callback, it fails with a 404 as it's not an endpoint and you cannot POST to the root of our application.

frederikprijck commented 3 years ago

The Redirect URL is part of the OAuth specification. There is more information on the reasoning behind that outside of this SDK:

In case you use the Implicit flow with form post, Auth0 will do a post call to the callback URL instead of redirecting the user back to that URL.

CallbackPath is what will be used by the library (Microsoft.Owin.Security.OpenIdConnect) (so this is not part of the specification and just something that library, which we have no control over, introduced) to configure your application to register the correct endpoint.

So no, you should not need to configure any explicit endpoint to handle the callback. In general, the values should be this:

The source code around this can be found here: https://github.com/aspnet/AspNetKatana/blob/dev/src/Microsoft.Owin.Security.OpenIdConnect/OpenidConnectAuthenticationHandler.cs#L204, in case you want to do some digging in the internals of this to try and get a better understanding.

In the above piece of code, you can see they are only handling requests that match the CallbackPath, and they handle both GET and POST requests.

Hopefully this helps a bit. If you still need more information around Microsoft.Owin.Security.OpenIdConnect, I suggest reading the Microsoft documentation or asking in any of their support channels; they will probably do a better job in explaining things.

willcro commented 2 years ago

I know that this is an old issue, but I figured I would post my solution for this just in case anyone stumbles across this issue like I did. I used this code as a starting point for connecting to a different SSO provider that only supported the auth code flow. I was getting a 404 on the callback which led to a lot of frustration. The fix that I used was setting OpenIdConnectAuthenticationOptions.RedeemCode to true. This option enables exchanging the auth code for a token and id_token. Without it, the callback endpoint just does nothing. I'm not sure why that defaults to false, but fixing that config helped me.

frederikprijck commented 2 years ago

Thanks for sharing those, that is a known issue with using the Code Flow with Katana. This explains the steps needed to use it pretty well: https://github.com/aspnet/AspNetKatana/issues/369

Do note that depending on the use case, you don't need the Code flow and can stick to the Implicit Flow using Form Post (e.g. when you don't need an access token).
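The two configurations discussed in this thread (the Implicit flow with form post that the quickstart uses, and the Authorization Code flow that @willcro needed RedeemCode for), written out as one Startup.cs. This is an added example, not code from the sample repository or from any commenter; the Authority, ClientId and ClientSecret values are placeholders, and the "/Error" route and the Callback.Example namespace are assumed names. Everything else uses properties that exist on Katana's OpenIdConnectAuthenticationOptions (RedeemCode and SaveTokens require Microsoft.Owin.Security.OpenIdConnect 4.1 or later).

```csharp
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

[assembly: OwinStartup(typeof(Callback.Example.Startup))]

namespace Callback.Example
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // The OIDC middleware signs the user in to this cookie once the callback succeeds.
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType
            });

            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                Authority = "https://YOUR_DOMAIN.auth0.com/",   // placeholder: your Auth0 tenant
                ClientId = "YOUR_CLIENT_ID",                    // placeholder
                ClientSecret = "YOUR_CLIENT_SECRET",            // placeholder; only needed to redeem a code

                // Must match an entry under "Allowed Callback URLs" in the Auth0 application
                // settings exactly, otherwise Auth0 rejects the request before any callback happens.
                RedirectUri = "http://localhost:3000/callback",

                // CallbackPath is derived from RedirectUri when left unset, so this line is
                // redundant here. The middleware intercepts GET and POST requests on this path
                // itself; no MVC controller action is needed for /callback.
                CallbackPath = new PathString("/callback"),

                // --- Variant A: Implicit flow with form post (what the quickstart uses) ---
                // Auth0 POSTs the id_token straight to /callback; nothing has to be redeemed.
                // ResponseType = OpenIdConnectResponseType.IdToken,
                // ResponseMode = OpenIdConnectResponseMode.FormPost,

                // --- Variant B: Authorization Code flow ---
                // The callback only carries an authorization code. Without RedeemCode = true Katana
                // leaves the request alone, it falls through to MVC and you get the 404 from this thread.
                ResponseType = OpenIdConnectResponseType.Code,
                RedeemCode = true,
                SaveTokens = true,   // keeps access/refresh tokens in the auth cookie's properties
                Scope = "openid profile",

                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    // Don't let a failed callback surface a raw exception page to the browser.
                    AuthenticationFailed = ctx =>
                    {
                        ctx.HandleResponse();
                        ctx.Response.Redirect("/Error"); // assumed route
                        return Task.FromResult(0);
                    }
                }
            });
        }
    }

    // Triggers the login. The RedirectUri here is where the user lands AFTER sign-in, which is a
    // different thing from OpenIdConnectAuthenticationOptions.RedirectUri (the OAuth callback).
    public class AccountController : Controller
    {
        public ActionResult Login(string returnUrl)
        {
            HttpContext.GetOwinContext().Authentication.Challenge(
                new AuthenticationProperties { RedirectUri = returnUrl ?? "/" },
                OpenIdConnectAuthenticationDefaults.AuthenticationType);
            return new HttpUnauthorizedResult();
        }
    }
}
```

To switch between the two flows, comment out variant B and uncomment variant A (and drop ClientSecret and RedeemCode). A quick check that the middleware is actually owning /callback: with the code flow configured but RedeemCode left at false, the browser shows your app's 404 page for /callback; with RedeemCode = true the same request ends in a redirect to returnUrl with the auth cookie set.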