ChatGPT解决这个技术问题 Extra ChatGPT

Google OAuth 2 authorization - Error: redirect_uri_mismatch

On the website https://code.google.com/apis/console I have registered my application, set up generated Client ID: and Client Secret to my app and tried to log in with Google. Unfortunately, I got the error message:

Error: redirect_uri_mismatch
The redirect URI in the request: http://127.0.0.1:3000/auth/google_oauth2/callback did not match a registered redirect URI

scope=https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
response_type=code
redirect_uri=http://127.0.0.1:3000/auth/google_oauth2/callback
access_type=offline
approval_prompt=force
client_id=generated_id

What does mean this message, and how can I fix it? I use the gem omniauth-google-oauth2.

For anyone else having this problem, note that you can debug this issue by accessing a URL like https://accounts.google.com/o/oauth2/auth?client_id={client_id}&response_type=token&redirect_uri={redirect_uri}&scope={scope} in a browser, instead of running your entire app to test.
I have noticed, google automatically bind redirect_uri in double quotes in ( redirect_uri= "whatever") above url, and results this error. If I remove this double quotes, I am able to go through next screen. Now, how can we evade this double quotes, since it is automatically redirected by google itself.

S
ShadowUC

The redirect URI (where the response is returned to) has to be registered in the APIs console, and the error is indicating that you haven't done that, or haven't done it correctly.

Go to the console for your project and look under API Access. You should see your client ID & client secret there, along with a list of redirect URIs. If the URI you want isn't listed, click edit settings and add the URI to the list.

EDIT: (From a highly rated comment below) Note that updating the google api console and that change being present can take some time. Generally only a few minutes but sometimes it seems longer.


There is some kind of magic, because when I tried the same callback an hour ago, it didn't work, but now it's working. Anyway, thanks!
Ran into a similar problem, and wanted to note that updating the google api console and that change being present can take some time. Generally only a few minutes but sometimes it seems longer.
Let me complete @Bazyl's answer: in the message I received, they mentioned the URI "localhost:8080" (which of course, seems an internal google configuration). I changed the authorized URI for that one, "localhost:8080" , and the message didn't appear anymore... And the video got uploaded... The APIS documentation is VERY lame... Every time I have something working with google apis, I simply feel "lucky", but there's a lack of good documentation about it.... :(
Open a private/incognito window in your browser, and try again. Sometimes this fixes the caching issue.
google has no options for a redirect uri in the google console in the "Api & Auth > Credentials" donsn't matter if I create a new Client Id or generate a new key, there is simply no way to specify the redirect uri from the google console.
a
abdusco

In my case it was www and non-www URL. Actual site had www URL and the Authorized Redirect URIs in Google Developer Console had non-www URL. Hence, there was mismatch in redirect URI. I solved it by updating Authorized Redirect URIs in Google Developer Console to www URL.

Other common URI mismatch are:

Using http:// in Authorized Redirect URIs and https:// as actual URL, or vice-versa

Using trailing slash (http://example.com/) in Authorized Redirect URIs and not using trailing slash (http://example.com) as actual URL, or vice-versa

Here are the step-by-step screenshots of Google Developer Console so that it would be helpful for those who are getting it difficult to locate the developer console page to update redirect URIs.

Go to https://console.developers.google.com Select your Project

https://i.stack.imgur.com/RJfZi.png

Click on the menu icon

https://i.stack.imgur.com/xPR5j.png

Click on API Manager menu

https://i.stack.imgur.com/VQ9la.png

Click on Credentials menu. And under OAuth 2.0 Client IDs, you will find your client name. In my case, it is Web Client 1. Click on it and a popup will appear where you can edit Authorized Javascript Origin and Authorized redirect URIs.

https://i.stack.imgur.com/X6rRh.png

Note: The Authorized URI includes all localhost links by default, and any live version needs to include the full path, not just the domain, e.g. https://example.com/path/to/oauth/url

Here is a Google article on creating project and client ID.


I kept Authorized JavaScript origins empty and Authorized redirect URIs as 127.0.0.1/google_account/authentication and it worked from me.
For those struggling with this, if you created your app via some other google page (such as the Drive API page), you might not see these options. I had to delete and recreate the Client ID from WITHIN the API Manager console.
In order to see the JavaScript Origins and redirect URIs, I needed to set the Application Type to "Web application":
i didnt find this option. maybe the UI changed?
J
Jason Watkins

If you're using Google+ javascript button, then you have to use postmessage instead of the actual URI. It took me almost the whole day to figure this out since Google's docs do not clearly state it for some reason.


Since this question is the top hit when googling the error message, here are some additional pointers. As Mike says, use "postmessage" for your redirect URI. You need to specify this in 2 places (if you are using the web-app-server-flow). One is in the g-signin button on the javascript. The other is in the signet authorization client in your server code.
postmessage sounds nice, but it results in the useless Error: invalid_request origin parameter is required!
After spending few hours trying to solve this problem, your answer help me a lot! The Google documentation is not very clear. In server side, if you use the Google API Client library, you should use this code : $client->setRedirectUri('postmessage'); instead of $client->setRedirectUri('http://your.url...');
Wow.... @Guicara solution worked for me after hours of beating my head against a wall.
I was struggling to solve this issue with django-rest-social-auth and angular frontend. Its working when I passed 'postmessage' as redirect_uri. Thanks a lot !!!
J
Jeff Ward

In any flow where you retrieved an authorization code on the client side, such as the GoogleAuth.grantOfflineAccess() API, and now you want to pass the code to your server, redeem it, and store the access and refresh tokens, then you have to use the literal string postmessage instead of the redirect_uri.

For example, building on the snippet in the Ruby doc:

client_secrets = Google::APIClient::ClientSecrets.load('client_secrets.json')
auth_client = client_secrets.to_authorization
auth_client.update!(
  :scope => 'profile https://www.googleapis.com/auth/drive.metadata.readonly',
  :redirect_uri => 'postmessage' # <---- HERE
)

# Inject user's auth_code here:
auth_client.code = "4/lRCuOXzLMIzqrG4XU9RmWw8k1n3jvUgsI790Hk1s3FI"
tokens = auth_client.fetch_access_token!
# { "access_token"=>..., "expires_in"=>3587, "id_token"=>..., "refresh_token"=>..., "token_type"=>"Bearer"}

The only Google documentation to even mention postmessage is this old Google+ sign-in doc. Here's a screenshot and archive link since G+ is closing and this link will likely go away:

https://i.stack.imgur.com/rFKLj.png

It is absolutely unforgivable that the doc page for Offline Access doesn't mention this. #FacePalm


@mariobgr Yeah, other answers here mention postmessage, but I wanted to give the specific circumstances (e.g. grantOfflineAccess) of when this crazy undocumented hack was necessary for me. :P I didn't want it to be true either. :) Cost me hours of headache.
Another postmessage thing that burned me for a few hours this morning: After parsing through Google's own Python client code, I finally came across this: "postmessage: string, this is generally set to 'postmessage' to match the redirect_uri that the client specified" Also, in their documentation: "The default redirect_uri is the current URL stripped of query parameters and hash fragment." Which means that if your redirect_uri is not the current url, then you'll need to explicitly specify it in gapi.auth2.init(), and on the server side, you'll use postmessage.
Jeff, you are awesome! I just spent hours trying to debug Google's Auth API and this was one of the issues. Insane "solution" that is not documented anywhere. In fact, their own docs give wrong answers here. Fantastic! (Also, What the actual %2F Google?)
G
Guven Sezgin Kurt

For my web application i corrected my mistake by writing

instead of : http://localhost:11472/authorize/
type :      http://localhost/authorize/

Thanks for sharing, it helps. I was stuck on this because the GitHub OAuth2 API does not require you to remove the port number.
That worked for me, too. I was following this course: asp.net/mvc/overview/security/… and getting 'redirect uri error'. After I've changed localhost:44334/signin-google to localhost/signin-google it worked. Thanks a lot for useful tip.
Thank you so much. I was testing with this github.com/google/google-api-dotnet-client-samples and "The redirect URI in the request" appeared to be from a different port every time that i ran it. This helped me so much. It would have taken hours to figure out what was happening!
Amazing, this worked perfectly for my case! I had to add 127.0.0.1/authorize , as it wasn't resolving to the localhost DNS
C
Chintan

Make sure to check the protocol "http://" or "https://" as google checks protocol as well. Better to add both URL in the list.


No, it's better to just make sure you're using https.
R
Rohan Devaki

1.you would see an error like this

https://i.stack.imgur.com/8YFfB.png

https://i.stack.imgur.com/PazSa.png

after this , you have to copy that url and add this on https://console.cloud.google.com/

go to https://console.cloud.google.com/

https://i.stack.imgur.com/gpDSI.png

click on Menu -> API & Services -> Credentials

https://i.stack.imgur.com/KsQOF.png

you would see a dashboard like this ,click on edit OAuth Client now in Authorized Javascript Origins and Authorized redirect URLS add the url that has shown error called redirect_uri_mismatch i.e here it is http://algorithammer.herokuapp.com , so i have added that in both the places in Authorized Javascript Origins and Authorized redirect URLS click on save and wait for 5 min and then try to login again


a
arshpreet

This seems quite strange and annoying that no "one" solution is there. for me http://localhost:8000 did not worked out but http://localhost:8000/ worked out.


this is because the redirect_uri must be an EXACT MATCH on the developers console and in your application.
I had no ending "/" neither in the developers console and the application. Both were exact matches, and it did not work. I had to add an ending "/" for the script to work.
This solved my issue, thanks. Don't know why this is needed though.
S
Shaung Cheng

This answer is same as this Mike's answer, and Jeff's answer, both sets redirect_uri to postmessage on client side. I want to add more about the server side, and also the special circumstance applying to this configuration.

Tech Stack

Backend

Python 3.6

Django 1.11

Django REST Framework 3.9: server as API, not rendering template, not doing much elsewhere.

Django REST Framework JWT 1.11

Django REST Social Auth < 2.1

Frontend

React: 16.8.3, create-react-app version 2.1.5

react-google-login: 5.0.2

The "Code" Flow (Specifically for Google OAuth2)

Summary: React --> request social auth "code" --> request jwt token to acquire "login" status in terms of your own backend server/database.

Frontend (React) uses a "Google sign in button" with responseType="code" to get an authorization code. (it's not token, not access token!) The google sign in button is from react-google-login mentioned above. Click on the button will bring up a popup window for user to select account. After user select one and the window closes, you'll get the code from the button's callback function. Frontend send this to backend server's JWT endpoint. POST request, with { "provider": "google-oauth2", "code": "your retrieved code here", "redirect_uri": "postmessage" } For my Django server I use Django REST Framework JWT + Django REST Social Auth. Django receives the code from frontend, verify it with Google's service (done for you). Once verified, it'll send the JWT (the token) back to frontend. Frontend can now harvest the token and store it somewhere. All of REST_SOCIAL_OAUTH_ABSOLUTE_REDIRECT_URI, REST_SOCIAL_DOMAIN_FROM_ORIGIN and REST_SOCIAL_OAUTH_REDIRECT_URI in Django's settings.py are unnecessary. (They are constants used by Django REST Social Auth) In short, you don't have to setup anything related to redirect url in Django. The "redirect_uri": "postmessage" in React frontend suffice. This makes sense because the social auth work you have to do on your side is all Ajax-style POST request in frontend, not submitting any form whatsoever, so actually no redirection occur by default. That's why the redirect url becomes useless if you're using the code + JWT flow, and the server-side redirect url setting is not taking any effect. The Django REST Social Auth handles account creation. This means it'll check the google account email/last first name, and see if it match any account in database. If not, it'll create one for you, using the exact email & first last name. But, the username will be something like youremailprefix717e248c5b924d60 if your email is youremailprefix@example.com. It appends some random string to make a unique username. This is the default behavior, I believe you can customize it and feel free to dig into their documentation. The frontend stores that token and when it has to perform CRUD to the backend server, especially create/delete/update, if you attach the token in your Authorization header and send request to backend, Django backend will now recognize that as a login, i.e. authenticated user. Of course, if your token expire, you have to refresh it by making another request.

Oh my goodness, I've spent more than 6 hours and finally got this right! I believe this is the 1st time I saw this postmessage thing. Anyone working on a Django + DRF + JWT + Social Auth + React combination will definitely crash into this. I can't believe none of the article out there mentions this except answers here. But I really hope this post can save you tons of time if you're using the Django + React stack.


c
codezjx

https://i.stack.imgur.com/K9Fz7.png

Open the json file, and you can find the parameter like this: "redirect_uris":["urn:ietf:wg:oauth:2.0:oob","http://localhost"]. I choose to use http://localhost and it works fine for me.


K
Kathir

When you register your app at https://code.google.com/apis/console and make a Client ID, you get a chance to specify one or more redirect URIs. The value of the redirect_uri parameter on your auth URI has to match one of them exactly.


And it is with very field that has problems for deep Angular based links as google doesn't agree [landed1.github.io/videos.html#/oauth2callback]is a valid URL
i
itsazzad

Checklist:

http or https?

& or &?

trailing slash(/) or open ?

(CMD/CTRL)+F, search for the exact match in the credential page. If not found then search for the missing one.

Wait until google refreshes it. May happen in each half an hour if you are changing frequently or it may stay in the pool. For my case it was almost half an hour to take effect.


J
Janek Olszak

If you use this tutorial: https://developers.google.com/identity/sign-in/web/server-side-flow then you should use "postmessage".

In GO this fixed the problem:

confg = &oauth2.Config{
        RedirectURL:  "postmessage",
        ClientID:   ...,
        ClientSecret: ...,
        Scopes:      ...,
        Endpoint:     google.Endpoint,
}

w
wolfgang

beware of the extra / at the end of the url http://localhost:8000 is different from http://localhost:8000/


J
Jacek Góraj

for me it was because in the 'Authorized redirect URIs' list I've incorrectly put https://developers.google.com/oauthplayground/ instead of https://developers.google.com/oauthplayground (without / at the end).


Thank you! I couldn't find what was wrong
l
luismzk

It has been answered thoroughly but recently (like, a month ago) Google stopped accepting my URI and it would not worked. I know for a fact it did before because there is a user registered with it.

Anyways, the problem was the regular 400: redirect_uri_mismatch but the only difference was that it was changing from https:// to http://, and Google will not allow you to register http:// redirect URI as they are production publishing status (as opposed to localhost).

The problem was in my callback (I use Passport for auth) and I only did

callbackURL: "/register/google/redirect"

Read docs and they used a full URL, so I changed it to

callbackURL: "https://" + process.env.MY_URL+ "/register/google/redirect"

Added https localhost to my accepted URI so I could test locally, and it started working again.

TL;DR use the full URL so you know where you're redirecting


Thank you man! That was the problem.
A
Andrii Abramov

2015 July 15 - the signin that was working last week with this script on login

<script src="https://apis.google.com/js/platform.js" async defer></script>

stopped working and started causing Error 400 with Error: redirect_uri_mismatch

and in the DETAILS section: redirect_uri=storagerelay://...

i solved it by changing to:

<script src="https://apis.google.com/js/client:platform.js?onload=startApp"></script>

Encountering the same Error 400, but changing the script did not work inside of my Cordova WebView.
@NickSpacek please check if the missing double quotes were responsible.
h
h3n

The redirect url is case sensitive.

In my case I added both: http://localhost:5023/AuthCallback/IndexAsync http://localhost:5023/authcallback/indexasync


And be careful with the character "/" at the end of the URL. Sometimes is needed, others times not.
so we can keep localhost as request_uri even for live websites?
b
brntsllvn

Rails users (from the omniauth-google-oauth2 docs):

Fixing Protocol Mismatch for redirect_uri in Rails Just set the full_host in OmniAuth based on the Rails.env. # config/initializers/omniauth.rb OmniAuth.config.full_host = Rails.env.production? ? 'https://domain.com' : 'http://localhost:3000'

REMEMBER: Do not include the trailing "/"


D
Dheeraj Palagiri

None of the above solutions worked for me. below did

change authorised Redirect urls to - https://localhost:44377/signin-google

Hope this helps someone.


if we use localhost it will work for published website too. I mean if in the API console I add the localhost request URI. How will it work when the web site gets live? Or for live sites we need to put another set of actual URI in API Console?
A
Aindriú

My problem was that I had http://localhost:3000/ in the address bar and had http://127.0.0.1:3000/ in the console.developers.google.com

https://i.stack.imgur.com/da1dy.png

https://i.stack.imgur.com/0z4ry.png


C
Code4Art

Just make sure that you are entering URL and not just a domain. So instead of: domain.com it should be domain.com/somePathWhereYouHadleYourRedirect


S
Steji

Anyone struggling to find where to set redirect urls in the new console: APIs & Auth -> Credentials -> OAuth 2.0 client IDs -> Click the link to find all your redirect urls


A
Alexandru Burca

My two cents: If using the Google_Client library do not forget to update the JSON file on your server after updating the redirect URI's.


how to update that?
@RohanDevaki download and replace the JSON file.
J
James T.

I needed to create a new client ID under APIs & Services -> Credentials -> Create credentials -> OAuth -> Other

Then I downloaded and used the client_secret.json with my command line program that is uploading to my youtube account. I was trying to use a Web App OAuth client ID which was giving me the redirect URI error in browser.


B
Blue

I have frontend app and backend api.

From my backend server I was testing by hitting google api and was facing this error. During my whole time I was wondering of why should I need to give redirect_uri as this is just the backend, for frontend it makes sense.

What I was doing was giving different redirect_uri (though valid) from server (assuming this is just placeholder, it just has only to be registered to google) but my frontend url that created token code was different. So when I was passing this code in my server side testing(for which redirect-uri was different), I was facing this error.

So don't do this mistake. Make sure your frontend redirect_uri is same as your server's as google use it to validate the authenticity.


I have a React front end and a Flask back end and this answer fixed my issue. thanks
S
Subrata Fouzdar

The main reason for this issue will only come from chrome and chrome handles WWW and non www differently depending on how you entered your URL in the browsers and it searches from google and directly shows the results, so the redirection URL sent is different in a different case

https://i.stack.imgur.com/btOP7.png

Add all the possible combinations you can find the exact url sent from fiddler , the 400 error pop up will not give you the exact http and www infromation


V
Vlad

Try to do these checks:

Bundle ID in console and in your application. I prefer set Bundle ID of application like this "org.peredovik.${PRODUCT_NAME:rfc1034identifier}" Check if you added URL types at tab Info just type your Bundle ID in Identifier and URL Schemes, role set to Editor In console at cloud.google.com "APIs & auth" -> "Consent screen" fill form about your application. "Product name" is required field.

Enjoy :)


D
David L

Let me complete @Bazyl's answer: in the message I received, they mentioned the URI "http://localhost:8080/" (which of course, seems an internal google configuration). I changed the authorized URI for that one, "http://localhost:8080/" , and the message didn't appear anymore... And the video got uploaded... The APIS documentation is VERY lame... Every time I have something working with google apis, I simply feel "lucky", but there's a lack of good documentation about it.... :( Yes, I got it working, but I don't yet understand neither why it failed, nor why it worked... There was only ONE place to confirm the URI in the web, and it got copied in the client_secrets.json... I don't get if there's a THIRD place where one should write the same URI... I find nor only the documentation but also the GUI design of Google's api quite lame...


Both URI's you posted look identical. What do you mean?
B
Bhuwan Gautam

In my case I had to check the Client ID type for web applications/installed applications.

installed applications: http://localhost [Redirect URIs] In this case localhost simply works

web applications: You need valid domain name [Redirect URIs:]


关注公众号,不定期副业成功案例分享
Follow WeChat

Success story sharing

Want to stay one step ahead of the latest teleworks?

Subscribe Now