OAuth2-400 security config_error ai_generated true

OAuth2 redirect_uri mismatch: the provided redirect URI does not match any registered callback URL

ID: security/oauth2-redirect-uri-mismatch

Also available as: JSON · Markdown · 中文
92%Fix Rate
90%Confidence
1Evidence
2023-10-05First Seen

Version Compatibility

VersionStatusIntroducedDeprecatedNotes
OAuth2 2.0 active
Google Identity Platform active
Okta 2023.08 active
Auth0 3.0 active

Root Cause

The redirect URI sent by the client during the OAuth2 authorization request does not match any of the URIs registered for the client in the authorization server, often due to trailing slash, protocol, or port differences.

generic

中文

客户端在OAuth2授权请求期间发送的重定向URI与授权服务器中为该客户端注册的任何URI不匹配,通常由于尾随斜杠、协议或端口差异。

Official Documentation

https://oauth.net/2/

Workarounds

  1. 95% success Register the exact redirect URI in the authorization server's client settings, including the full path (e.g., 'https://myapp.com/callback'). For Google: add to Authorized redirect URIs in the Cloud Console. 
    Register the exact redirect URI in the authorization server's client settings, including the full path (e.g., 'https://myapp.com/callback'). For Google: add to Authorized redirect URIs in the Cloud Console.
  2. 90% success If using multiple environments, register each redirect URI separately (e.g., 'http://localhost:3000/callback' for dev, 'https://myapp.com/callback' for production). 
    If using multiple environments, register each redirect URI separately (e.g., 'http://localhost:3000/callback' for dev, 'https://myapp.com/callback' for production).

中文步骤

  1. Register the exact redirect URI in the authorization server's client settings, including the full path (e.g., 'https://myapp.com/callback'). For Google: add to Authorized redirect URIs in the Cloud Console.
  2. If using multiple environments, register each redirect URI separately (e.g., 'http://localhost:3000/callback' for dev, 'https://myapp.com/callback' for production).

Dead Ends

Common approaches that don't work:

  1. 50% fail

    Adding the redirect URI with a trailing slash when the client sends without one (or vice versa) causes persistent mismatch because OAuth2 servers do exact string matching.

  2. 35% fail

    Changing the client's redirect URI to 'http://localhost' when the server expects 'https://localhost' fails because of protocol mismatch, and exposes the app to man-in-the-middle attacks.

  3. 15% fail

    Some try to use a wildcard in the redirect URI, but OAuth2 spec disallows wildcards for security reasons, causing the server to reject it outright.