Fixing OIDC Invalid Redirect URI With ProxyAuth

Encountering an invalid_redirect_uri error when using ProxyAuth with forward_auth and OpenID Connect (OIDC) can be a frustrating experience. This article dives deep into the causes of this issue, providing a comprehensive guide on how to diagnose and resolve it. We'll explore common misconfigurations, examine detailed debugging steps, and offer practical solutions to get your authentication flow working smoothly. Let’s get started!

Understanding the Issue: OIDC and Invalid Redirect URIs

When dealing with OpenID Connect (OIDC) and authentication setups, the invalid_redirect_uri error is a common stumbling block. This error typically arises when the redirect URI sent in the authentication request doesn't precisely match one of the URIs registered with the OIDC client. This mismatch can occur due to various reasons, ranging from simple typos to complex misconfigurations in your proxy or authentication server setup. Let’s break down why this is crucial and what steps you can take to resolve it.

The Importance of Redirect URIs

Redirect URIs play a vital role in the OIDC flow. They serve as a security measure, ensuring that the authorization code or tokens are sent back to a trusted destination. When a user authenticates with an OIDC provider, the provider needs to know where to send the user back after authentication. This is where the redirect URI comes in. It’s a pre-registered URL that the OIDC provider uses to redirect the user along with the necessary authentication data.

If the redirect URI in the authentication request doesn't match the registered URI, the OIDC provider will reject the request, resulting in the infamous invalid_redirect_uri error. This is a security feature designed to prevent malicious actors from intercepting the authentication flow.

Common Causes of the Error

Several factors can contribute to this error. Here are some of the most common:

1. Typographical Errors: A simple typo in the redirect URI, either in the client configuration or the request, can lead to a mismatch.
2. Protocol Mismatch: Using http instead of https or vice versa can cause the URI to be considered different.
3. Trailing Slashes: The presence or absence of a trailing slash can also lead to a mismatch. For example, https://example.com/callback and https://example.com/callback/ are treated as distinct URIs.
4. Subdomain Issues: If your application uses subdomains, ensure that the redirect URI correctly reflects the subdomain being used.
5. Proxy Misconfiguration: When using reverse proxies, the original request's URI might be altered, leading to a mismatch.
6. Dynamic URIs: Some OIDC providers do not allow dynamic redirect URIs (i.e., URIs with wildcards or patterns).
7. Incorrect Client Configuration: The client's configuration in the OIDC provider might not be set up correctly, leading to an incorrect redirect URI.

By understanding these common causes, you can begin to methodically troubleshoot the issue in your setup. Now, let’s delve into how ProxyAuth and forward_auth come into play.

ProxyAuth and forward_auth: Setting the Stage

To effectively diagnose the invalid_redirect_uri error, it’s essential to grasp how ProxyAuth and forward_auth work together. ProxyAuth, in conjunction with tools like Caddy, allows you to delegate authentication to an external service. The forward_auth directive is the linchpin in this setup, enabling a reverse proxy to forward authentication requests to a dedicated authentication server.

How forward_auth Works

When a client makes a request to a protected resource, the reverse proxy (e.g., Caddy) intercepts the request and forwards it to the authentication server specified in the forward_auth configuration. The authentication server then verifies the user's identity and, if authenticated, returns appropriate headers to the reverse proxy. These headers typically include information like the user's ID, groups, and email, allowing the proxy to grant access to the resource.

The forward_auth setup commonly involves the following steps:

1. Client Request: A client sends a request to a protected resource.
2. Proxy Interception: The reverse proxy intercepts the request.
3. Authentication Forwarding: The proxy forwards the request to the authentication server.
4. Authentication Process: The authentication server authenticates the user (e.g., via OIDC).
5. Header Response: The authentication server responds with headers containing user information.
6. Proxy Authorization: The proxy uses the headers to authorize the request and forward it to the backend service.
7. Resource Delivery: The backend service serves the requested resource to the client.

The Role of Voidauth

In many setups, Voidauth or similar tools like Authelia or Keycloak act as the authentication server. These servers handle the complexities of authentication protocols like OIDC, ensuring that users are properly authenticated before accessing protected resources.

When using Voidauth, you typically configure it with the necessary OIDC client details, including the registered redirect URIs. This is where discrepancies can easily creep in, leading to the invalid_redirect_uri error.

Caddy and ProxyAuth

Caddy, a powerful and easy-to-use web server, is often employed as the reverse proxy in these setups. Its Caddyfile configuration makes it straightforward to define how requests are handled, including setting up forward_auth. Here’s a typical Caddyfile snippet:

(proxyauth) {
	forward_auth voidauth:3000 {
		uri /api/authz/forward-auth
		copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
	}
}

id.{$DOMAIN} {
	reverse_proxy voidauth:3000
}

{$DOMAIN}, *.{$DOMAIN} {

	@organizr host home.{$DOMAIN} organizr.{$DOMAIN}
	handle @organizr {
		import proxyauth
		reverse_proxy organizr:80
	}

}

In this configuration, Caddy forwards authentication requests to Voidauth running on port 3000. The import proxyauth directive applies the forward_auth settings to specific hosts, such as organizr.localhost. Understanding this setup is crucial for troubleshooting the invalid_redirect_uri error, as the misconfiguration often lies within these settings.

Diagnosing the invalid_redirect_uri Error

Diagnosing the invalid_redirect_uri error requires a systematic approach. Start by examining the error logs from both your reverse proxy (e.g., Caddy) and your authentication server (e.g., Voidauth). These logs often provide valuable clues about the source of the problem. Let's explore a step-by-step method to identify the root cause.

Step 1: Examine the Logs

Your first port of call should be the logs. Both Caddy and Voidauth (or your chosen OIDC provider) will log details about authentication attempts, including errors. These logs can pinpoint exactly where the mismatch is occurring. For instance, Caddy's logs might show the redirect URI it is sending, while Voidauth's logs will indicate the registered URIs and the URI received in the request.

Caddy Logs

Caddy’s logs, especially when set to debug level, provide detailed information about request handling. Look for log entries related to the forward_auth process. The logs will show the upstream roundtrip, including the headers and URIs involved in the authentication request.

caddy-1     | 2025/11/25 19:41:17.180   DEBUG   http.handlers.reverse_proxy     selected upstream       {"dial": "voidauth:3000", "total_upstreams": 1}
caddy-1     | 2025/11/25 19:41:17.181   DEBUG   http.handlers.reverse_proxy     upstream roundtrip      {"upstream": "voidauth:3000", "duration": 0.001442837, "request": {"remote_ip": "172.20.0.1", "remote_port": "54232", "client_ip": "172.20.0.1", "proto": "HTTP/2.0", "method": "GET", "host": "organizr.localhost", "uri": "/api/authz/forward-auth", ...

In this example, focus on the request section, particularly the uri field, to see the exact URI being sent to the authentication server. Also, check the headers section for any modifications or additions made by Caddy.

Voidauth Logs

Voidauth's logs are crucial for identifying whether the redirect URI received matches the registered ones. The logs will typically display an InvalidRedirectUri error along with details about the mismatch.

voidauth-1  | InvalidRedirectUri: invalid_redirect_uri
voidauth-1  |     at checkRedirectUri (file:///app/node_modules/oidc-provider/lib/actions/authorization/check_redirect_uri.js:32:13)
voidauth-1  |     ...
voidauth-1  |   error: 'invalid_redirect_uri',
voidauth-1  |   status: 400,
voidauth-1  |   statusCode: 400,
voidauth-1  |   expose: true,
voidauth-1  |   error_description: "redirect_uri did not match any of the client's registered redirect_uris"

This log excerpt clearly indicates that the redirect_uri in the request did not match any of the client’s registered URIs. The error_description provides a straightforward explanation of the issue.

Step 2: Verify the Registered Redirect URIs

Once you’ve identified the invalid_redirect_uri error in the logs, the next step is to verify the redirect URIs registered with your OIDC client. This involves checking the configuration settings in your authentication server (e.g., Voidauth, Authelia, or Keycloak).

1. Access Client Configuration: Log into your authentication server’s admin interface and navigate to the client configuration section. This is where you’ll find the settings for your OIDC clients, including the registered redirect URIs.
2. List Registered URIs: Review the list of registered redirect URIs. Ensure that each URI is correctly entered, paying close attention to typos, protocol (http vs. https), trailing slashes, and subdomain variations.
3. Compare with Request URI: Compare the registered URIs with the redirect URI being sent in the authentication request (as seen in Caddy’s logs). Look for any discrepancies.

Step 3: Check Caddy Configuration

Caddy’s configuration plays a significant role in how requests are forwarded and processed. Ensure that your Caddyfile is correctly configured to handle authentication requests and that no modifications are inadvertently altering the redirect URI.

1. Review forward_auth Directive: Examine the forward_auth directive in your Caddyfile. Make sure the uri parameter is correctly set to the authentication endpoint on your authentication server.
2. Inspect Header Modifications: Check for any header modifications or rewrites that might affect the redirect URI. Caddy's header manipulation directives can sometimes alter the URI, leading to a mismatch.
3. Verify Host Handling: Ensure that Caddy is correctly handling hostnames and subdomains. Misconfiguration in this area can result in the wrong URI being sent to the authentication server.

Step 4: Test with Different Browsers or Incognito Mode

Sometimes, browser caching or extensions can interfere with the authentication flow. Testing with a different browser or in incognito mode can help rule out these factors.

1. Incognito Mode: Open your browser in incognito or private browsing mode. This ensures that no cached data or extensions are interfering with the request.
2. Different Browser: Try using a different browser altogether. This can help identify if the issue is specific to a particular browser’s settings or extensions.

Step 5: Simplify the Setup

If the error persists, try simplifying your setup to isolate the issue. This might involve temporarily disabling certain features or components to see if the problem goes away.

1. Bypass ProxyAuth: Temporarily bypass ProxyAuth by directly accessing the backend service without authentication. If this works, the issue likely lies within the authentication setup.
2. Direct Authentication Server Access: Try accessing the authentication server directly to verify its functionality. This can help determine if the server itself is the source of the problem.

By following these diagnostic steps, you can systematically identify the cause of the invalid_redirect_uri error and move towards implementing a solution. Now, let’s discuss some common solutions.

Solutions to the invalid_redirect_uri Error

Once you've diagnosed the root cause of the invalid_redirect_uri error, implementing a solution becomes more straightforward. Here are several common fixes, addressing the typical misconfigurations and issues that lead to this error.

1. Correcting Redirect URI Mismatches

The most common solution is ensuring that the redirect URI in the authentication request precisely matches one of the registered URIs. This involves a detailed comparison of the URIs and correcting any discrepancies.

1. Double-Check Registered URIs: Access your authentication server’s client configuration and carefully review the registered redirect URIs. Look for typos, protocol mismatches (http vs. https), trailing slashes, and subdomain issues.
2. Verify Request URI: Examine the authentication request being sent by your application or reverse proxy. Caddy’s logs can provide this information. Ensure the URI in the request matches one of the registered URIs exactly.
3. Normalize URIs: Ensure consistency in how URIs are formatted. For example, if your registered URI includes a trailing slash, the request URI should also include one. Similarly, ensure that the protocol (http or https) matches.

2. Adjusting Caddy Configuration

Caddy’s configuration can sometimes inadvertently alter the redirect URI. Reviewing and adjusting the Caddyfile can resolve these issues.

1. Check forward_auth URI: Verify that the uri parameter in the forward_auth directive is correctly set to the authentication endpoint on your authentication server. An incorrect URI here will lead to authentication failures.
2. Inspect Header Modifications: Look for any header modifications or rewrites that might affect the redirect URI. Caddy’s header manipulation directives can sometimes alter the URI, causing a mismatch. Ensure that no rules are inadvertently changing the URI.
3. Verify Host Handling: Ensure Caddy is correctly handling hostnames and subdomains. Misconfiguration in this area can result in the wrong URI being sent to the authentication server. Check your Caddyfile for any host-specific configurations that might be altering the URI.

3. Handling Proxy-Related Issues

When using reverse proxies, the original request’s URI might be altered, leading to a mismatch. Proper proxy configuration is crucial to avoid this.

1. X-Forwarded-Proto Header: Ensure your reverse proxy is setting the X-Forwarded-Proto header correctly. This header tells the backend server whether the original request was made over HTTP or HTTPS. If this header is missing or incorrect, the authentication server might generate an incorrect redirect URI.
2. Use Absolute Redirect URIs: Configure your application and authentication server to use absolute redirect URIs. This ensures that the full URI, including the protocol and hostname, is used, reducing the chances of mismatches.
3. Proxy Path Configuration: If your application is running behind a proxy with a specific path (e.g., /app), ensure that the redirect URI includes this path. For example, if your application is accessible at https://example.com/app, the redirect URI should be https://example.com/app/callback.

4. OIDC Provider Settings

The settings in your OIDC provider (e.g., Voidauth, Authelia, Keycloak) must be correctly configured to match your application’s requirements.

1. Client Redirect URIs: Double-check the registered redirect URIs for your OIDC client. Ensure they match the URIs your application will use during authentication. Pay attention to case sensitivity, trailing slashes, and protocol consistency.
2. Dynamic Redirect URIs: Some OIDC providers do not allow dynamic redirect URIs (i.e., URIs with wildcards or patterns). If your provider has this limitation, you must register each redirect URI explicitly.
3. Client Authentication Method: Ensure the client authentication method is correctly configured. Some providers might require specific authentication methods (e.g., client secret post, client secret basic) for certain redirect URIs.

5. Troubleshooting Localhost Issues

When testing locally, issues can arise due to the use of localhost or self-signed certificates. Here are some tips for troubleshooting:

1. Use a Proper Domain: For production environments, always use a proper domain name. localhost is suitable for testing but can lead to issues in more complex setups.
2. Self-Signed Certificates: If using self-signed certificates, ensure they are properly installed and trusted by your browser and applications. Browsers often treat self-signed certificates differently, leading to redirect URI issues.
3. Loopback IP Addresses: Try using loopback IP addresses (e.g., 127.0.0.1) instead of localhost. Sometimes, this can resolve issues related to hostname resolution.

6. Clearing Cache and Cookies

Browser caching and cookies can sometimes interfere with the authentication flow. Clearing them can help resolve invalid_redirect_uri errors.

1. Clear Browser Cache: Clear your browser’s cache and cookies. This ensures that you are starting with a clean slate and that no outdated information is affecting the authentication process.
2. Test in Incognito Mode: Use your browser’s incognito or private browsing mode to bypass cached data and extensions. This can help determine if the issue is related to your browser’s configuration.

By implementing these solutions, you can effectively address the invalid_redirect_uri error and ensure a smooth authentication flow in your applications. Remember to test each solution thoroughly to verify its effectiveness.

Conclusion

The invalid_redirect_uri error can be a significant roadblock in setting up secure authentication flows with ProxyAuth and OIDC. However, by understanding the underlying causes and following a systematic diagnostic approach, you can effectively troubleshoot and resolve this issue. Remember to verify your registered redirect URIs, review your reverse proxy configuration, and ensure your OIDC provider settings are correctly aligned with your application's requirements.

By implementing the solutions outlined in this article, you can create a robust and secure authentication setup, providing a seamless experience for your users. Happy authenticating!

For more in-depth information on OIDC and related topics, consider visiting the official OpenID Foundation website. This resource provides extensive documentation, specifications, and best practices for implementing OIDC in your applications.