How to fix 502

Andrés Suarez 0 Reputation points
2025-12-15T13:46:59.63+00:00

I'm using Auth.js to sign in with microsoft-entra-id, but I'm getting 502 Bad Gateway / nginx/1.29.4.
I have configured my callback URI correctly; I want to know why it's not working, but with localhost:3000 it works fine.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Monalisha Jena 4,220 Reputation points Microsoft External Staff Moderator
    2025-12-18T09:56:45.2733333+00:00

    Hello Andrés Suarez,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I will try to clarify your doubts and propose some solutions.

    I would suggest you check the points below.

    • What is the public URL in production (e.g. https://app.example.com), and what is the upstream Node/Next server address and port?
    • What exact redirect URI is configured in Entra ID, and does it match what Auth.js expects in production?
    • Are both localhost and production URIs configured as redirect URIs in the app registration?
    • Do nginx error logs show a more specific reason (e.g. “upstream prematurely closed connection”, “upstream sent too big header”, “connect() failed”)?
    • Does the 502 happen only on the callback URL or also when hitting other routes via nginx?

    Till then, I will suggest some workarounds to try.

    1. Confirm app registration & redirect URI
    • Validate that the redirect URI in Entra ID exactly matches your production callback, including scheme, host, path, and any trailing slash (e.g. https://yourdomain.com/api/auth/callback/entra-id).
    • Ensure both your localhost URI and the production URI are configured as redirect URIs for the same app registration, as required by the Microsoft identity platform.
    2. Check nginx reverse‑proxy configuration

    Align nginx behavior with standard reverse‑proxy guidance (same principles as in Microsoft’s 502 troubleshooting for gateways).

    • The proxy_pass target should point to the actual upstream where your Auth.js app listens, e.g.:
        proxy_pass http://127.0.0.1:3000;
      Make sure the upstream app is listening and reachable on that address/port (test with curl http://127.0.0.1:3000 from the nginx host).
    • Set required headers so Auth.js sees the correct original URL, especially when TLS is terminated at nginx:
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

    If headers or upstream are misconfigured, nginx returns a 502 because it cannot successfully complete the request to your Node app.

    3. Look for “upstream sent too big header” or timeout issues:

    OIDC callbacks can include relatively large cookies and tokens. In some cases, nginx errors like “upstream sent too big header” cause 502 on the callback.

    • Check nginx error logs specifically for this kind of message; if present, increase the header buffer sizes (proxy_buffer_size and proxy_buffers) as recommended in the nginx docs (the pattern is identical to what is seen for Azure AD / OIDC callbacks).

    Microsoft‑side, this is just a normal OIDC response; the failure is at the proxy layer.

    4. Confirm app URL / callback consistency in Auth.js

    Auth.js (like other OIDC libraries) needs to know its base URL:

    Ensure your production env sets NEXTAUTH_URL (or equivalent) to https://yourdomain.com so it builds callback URLs that match what is configured in Entra ID.

    If Auth.js thinks it is still running on http://localhost:3000, it may generate wrong redirect or callback URLs, even though nginx and Entra ID are configured correctly.

    Although this is not Microsoft‑auth specific, it must align with the Microsoft identity platform requirements for redirect URIs.

    5. Use Microsoft 502 troubleshooting guidance conceptually

    Microsoft’s official 502 troubleshooting for gateways explains that 502 typically means the gateway/proxy cannot establish or maintain a healthy connection to the backend app (network, DNS, TLS, or protocol mismatch).

    Please do refer below docs for better understanding:

    https://xtls-v4.hkg1.meaqua.org/en-us/azure/application-gateway/application-gateway-troubleshooting-502

    https://xtls-v4.hkg1.meaqua.org/en-us/azure/app-service/troubleshoot-http-502-http-503

    Hope this helps!

    If you need more info, feel free to ask in the comments. Happy to help!

    Regards,

    Monalisha

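The steps in the answer above (points 2 and 3: upstream address, forwarded headers, and buffer sizes for the OIDC callback) fit into a single nginx server block. The block below is an added example written for this thread; it is not from the answer, from Auth.js, or from Microsoft documentation. The hostname app.example.com, the certificate paths, and the specific buffer and timeout values are assumptions chosen for illustration; the upstream 127.0.0.1:3000 and the header directives are the ones the answer names.

```nginx
# Added example (not from the original answer): nginx fronting an Auth.js/Next.js
# app that listens on 127.0.0.1:3000, with TLS terminated here.
server {
    listen 443 ssl;
    server_name app.example.com;                              # assumed public hostname

    ssl_certificate     /etc/ssl/certs/app.example.com.pem;   # assumed path
    ssl_certificate_key /etc/ssl/private/app.example.com.key; # assumed path

    location / {
        # A bare "proxy_pass" with none of the headers below is the weak form:
        # the app then believes its origin is http://127.0.0.1:3000 and the
        # callback URL it builds will not match the Entra ID redirect URI.
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;

        # Preserve the original host, client address and scheme for the app.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # The OIDC callback response carries several Set-Cookie headers
        # (session, state, PKCE) in one reply; nginx's default buffer can
        # overflow and log "upstream sent too big header" -> 502.
        # Values are assumptions; raise them only as far as the logs require.
        proxy_buffer_size       16k;
        proxy_buffers           4 32k;
        proxy_busy_buffers_size 64k;

        # The app exchanges the authorization code with Microsoft during the
        # callback; give that server-side call time to finish before nginx
        # drops the upstream connection (assumed value).
        proxy_read_timeout 60s;
    }
}
```

Before reloading, run nginx -t to validate the syntax, confirm the upstream answers with curl -sI http://127.0.0.1:3000 from the nginx host, and then watch the nginx error log while repeating the sign-in: a remaining "connect() failed" points at the upstream address, "upstream sent too big header" at the buffer directives, and a callback that now reaches the app but fails with a redirect-URI mismatch at NEXTAUTH_URL or the app registration. Auth.js only honours the X-Forwarded-* headers when it is configured to trust the proxy (the trustHost option or AUTH_TRUST_HOST=true in current Auth.js releases), so set that alongside the base URL.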
