# OAuth2 redirect_uri mismatch: the supplied redirect URI does not match any registered callback URL

- **ID:** `security/oauth2-redirect-uri-mismatch`
- **Domain:** security
- **Category:** config_error
- **Error code:** `OAuth2-400`
- **Verification level:** ai_generated
- **Fix rate:** 92%

## Root cause

The redirect URI the client sends in the OAuth2 authorization request does not match any URI registered for that client at the authorization server. Authorization servers compare the string exactly, so the usual culprits are a trailing slash, a scheme (http vs https) difference, or a port difference.

## Version compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| OAuth2 2.0 | active | — | — |
| Google Identity Platform | active | — | — |
| Okta 2023.08 | active | — | — |
| Auth0 3.0 | active | — | — |

## Solution

1. Register the exact redirect URI in the authorization server's client settings, including the full path (e.g. `https://myapp.com/callback`). For Google: add it under Authorized redirect URIs in the Cloud Console.
2. If you use multiple environments, register each redirect URI separately (e.g. `http://localhost:3000/callback` for development, `https://myapp.com/callback` for production).

## Failed attempts

- Adding the redirect URI with a trailing slash when the client sends it without one (or vice versa) causes a persistent mismatch, because OAuth2 servers do exact string matching. (50% failure rate)
- Changing the client's redirect URI to `http://localhost` when the server expects `https://localhost` fails because of the scheme mismatch, and exposes the app to man-in-the-middle attacks. (35% failure rate)
- Some try to use a wildcard in the redirect URI, but the OAuth2 spec disallows wildcards for security reasons, so the server rejects it outright. (15% failure rate)
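The following added example (not code from the page or from any of the listed providers) shows the exact-match comparison an authorization server performs and diagnoses the three near-misses listed above; the registered URIs are a constructed sample taken from this page's own values, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample registration (hypothetical client, values taken from the
# page's own examples); a real server would load these from its client store.
REGISTERED_REDIRECT_URIS = frozenset({
    "https://myapp.com/callback",        # production
    "http://localhost:3000/callback",    # local development
})

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def validate_registration(uri: str) -> str:
    """Reject registrations the server should never accept (wildcards, plain
    http outside loopback) and return the URI unchanged otherwise."""
    if "*" in uri:
        raise ValueError("wildcards are not allowed in a redirect URI")
    parts = urlsplit(uri)
    if parts.scheme == "http" and parts.hostname not in LOOPBACK_HOSTS:
        raise ValueError("plain http is only acceptable for loopback hosts")
    return uri


def redirect_uri_matches(requested: str, registered=REGISTERED_REDIRECT_URIS) -> bool:
    """Exact string comparison, which is what authorization servers do: no
    normalisation of trailing slash, scheme, port, case or query string."""
    return requested in registered


def explain_mismatch(requested: str, registered=REGISTERED_REDIRECT_URIS) -> str:
    """Diagnose a near miss so the operator registers the right string."""
    if redirect_uri_matches(requested, registered):
        return "ok"
    req = urlsplit(requested)
    for reg_uri in registered:
        reg = urlsplit(reg_uri)
        if req.hostname != reg.hostname:
            continue
        if req.scheme != reg.scheme:
            return f"scheme mismatch: requested {req.scheme}, registered {reg.scheme}"
        if req.port != reg.port:
            return f"port mismatch: requested {req.port}, registered {reg.port}"
        if req.path != reg.path and req.path.rstrip("/") == reg.path.rstrip("/"):
            return "trailing-slash mismatch: the path is compared byte for byte"
        if req.path != reg.path:
            return f"path mismatch: requested {req.path!r}, registered {reg.path!r}"
        return "differs only in case, userinfo, query or fragment: still a mismatch"
    return "no registered redirect URI for this host: register the exact URI"
```

Run `explain_mismatch()` on the URI from a failing authorization request to see which of the three differences is the cause before editing the client registration.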
