# OAuth2 redirect_uri mismatch: the provided redirect URI does not match any registered callback URL

- **ID:** `security/oauth2-redirect-uri-mismatch`
- **Domain:** security
- **Category:** config_error
- **Error Code:** `OAuth2-400`
- **Verification:** ai_generated
- **Fix Rate:** 92%

## Root Cause

The redirect URI sent by the client during the OAuth2 authorization request does not match any of the URIs registered for the client in the authorization server, often due to trailing slash, protocol, or port differences.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| OAuth2 2.0 | active | — | — |
| Google Identity Platform | active | — | — |
| Okta 2023.08 | active | — | — |
| Auth0 3.0 | active | — | — |

## Workarounds

1. **Register the exact redirect URI in the authorization server's client settings, including the full path (e.g., 'https://myapp.com/callback'). For Google: add to Authorized redirect URIs in the Cloud Console.** (95% success)
2. **If using multiple environments, register each redirect URI separately (e.g., 'http://localhost:3000/callback' for dev, 'https://myapp.com/callback' for production).** (90% success)

## Dead Ends

- Adding the redirect URI with a trailing slash when the client sends it without one (or vice versa) causes a persistent mismatch, because OAuth2 servers do exact string matching. (50% fail)
- Changing the client's redirect URI to 'http://localhost' when the server expects 'https://localhost' fails because of the protocol mismatch, and exposes the app to man-in-the-middle attacks. (35% fail)
- Some try to use a wildcard in the redirect URI, but the OAuth2 specification disallows wildcards for security reasons, so the server rejects it outright. (15% fail)
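
Added example, not code from the original page or from any vendor's authorization server: a minimal Python model of both sides of this error. `validate_registration` rejects wildcards, non-loopback `http` and fragments when a URI is registered, `redirect_uri_allowed` performs the exact string comparison that makes trailing-slash, scheme and port differences fail, and `explain_mismatch` is an operator diagnostic that reports which component differs. Function names and the registered URIs are constructed for this example.

```python
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

def validate_registration(uri: str) -> str:
    """Check a redirect URI before storing it for a client; raise on unsafe values."""
    p = urlsplit(uri)
    if "*" in uri:
        raise ValueError("wildcards are not allowed in redirect URIs")
    if p.scheme not in ("http", "https") or not p.hostname:
        raise ValueError("redirect URI must be an absolute http(s) URL")
    if p.scheme == "http" and p.hostname not in LOOPBACK_HOSTS:
        raise ValueError("plain http is only acceptable for loopback (dev) redirects")
    if p.fragment:
        raise ValueError("redirect URI must not contain a fragment")
    return uri

# Constructed sample registration (not a real tenant): one exact URI per environment.
REGISTERED = {validate_registration(u) for u in (
    "http://localhost:3000/callback", "https://myapp.com/callback")}

def redirect_uri_allowed(candidate: str, registered=REGISTERED) -> bool:
    """Authorization-request check: exact string match, no normalization."""
    return candidate in registered

def explain_mismatch(candidate: str, registered=REGISTERED) -> list[str]:
    """Operator diagnostic: report which component differs from each registered URI.
    Informational only; the allow/deny decision above stays exact-match."""
    if redirect_uri_allowed(candidate, registered):
        return []
    c, out = urlsplit(candidate), []
    for reg_str in sorted(registered):
        r, diffs = urlsplit(reg_str), []
        if c.scheme != r.scheme:
            diffs.append(f"scheme {c.scheme} != {r.scheme}")
        if c.hostname != r.hostname:
            diffs.append(f"host {c.hostname} != {r.hostname}")
        if c.port != r.port:
            diffs.append(f"port {c.port} != {r.port}")
        if c.path != r.path:
            diffs.append("trailing slash differs" if c.path.rstrip("/") == r.path.rstrip("/")
                         else f"path {c.path} != {r.path}")
        if c.query or c.fragment:
            diffs.append("query/fragment present")
        out.append(f"{reg_str}: " + ", ".join(diffs or ["case or encoding differs"]))
    return out
```

Running `explain_mismatch` on a rejected `redirect_uri` from the server's logs turns the opaque `OAuth2-400` into the concrete difference (trailing slash, `http` vs `https`, port) that needs to be corrected on the client or added as a separate registered URI.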
