v4: appBaseUrl with additional url path after domain causes /auth/callback / redirect_uri mismatch #1942
Description
Checklist
- The issue can be reproduced in the nextjs-auth0 sample app (or N/A).
- I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
- I have looked into the API documentation and have not found a suitable solution or answer.
- I have searched the issues and have not found a suitable solution or answer.
- I have searched the Auth0 Community forums and have not found a suitable solution or answer.
- I agree to the terms within the Auth0 Code of Conduct.
Description
This issue is currently encountered in v4 when you use an APP_BASE_URL that has an additional path, e.g.: APP_BASE_URL='http://localhost:3000/ai'
and attempt to use the default middleware /auth/callback route handler currently provided. In this case, you will likely encounter a Callback URL mismatch error.
The current code in question in that is causing this is here:
https://github.com/auth0/nextjs-auth0/blob/main/src/server/auth-client.ts#L264
I have validated that @frederikprijck 's fix here resolves the problem.
#1941
Reproduction
- Provide an
APP_BASE_URLlikeAPP_BASE_URL='http://localhost:3000/ai' - Set your Allowed Callback URLs to "http://localhost:3000/ai/auth/callback", and Allowed Logout URLs to "http://localhost:3000/ai"
- Use the default middleware setup as indicated currently in the README
- Attempt the login flow and note that
http://localhost:3000/auth/callbackis provided as theredirect_uriinstead ofhttp://localhost:3000/ai/auth/callbackleading to the Callback URL mismatch above.
It does not seem to matter whether the APP_BASE_URL is provided with or without the trailing slash, e.g. "/ai" or "/ai/", the same error occurs.
An aside, but unrelated issue to this issue was also encountered when using the useUser hook currently provided here on the client:
And seeing the /auth/profile also experience a similar issue and 404 (and not provide the /ai/auth/profile) in the request.
This issue is less urgent, b/c we can simply write our own hook to navigate around this, e.g.:
"use client";
import useSWR from "swr";
export function useUser() {
const { data, error, isLoading } = useSWR<unknown, Error, string>(
"/ai/auth/profile",
(...args) =>
fetch(...args).then((res) => {
if (!res.ok) {
throw new Error("Unauthorized");
}
return res.json();
})
);
// if we have the user loaded via the provider, return it
if (data) {
return {
user: data,
isLoading: false,
error: null,
};
}
if (error) {
return {
user: null,
isLoading: false,
error,
};
}
return {
user: data,
isLoading,
error,
};
}
Additional context
No response
nextjs-auth0 version
4.0.2
Next.js version
15.2.0
Node.js version
20