Ошибка oauth как исправить

On the website https://code.google.com/apis/console I have registered my application, set up generated Client ID: and Client Secret to my app and tried to log in with Google.
Unfortunately, I got the error message:

Error: redirect_uri_mismatch
The redirect URI in the request: http://127.0.0.1:3000/auth/google_oauth2/callback did not match a registered redirect URI

scope=https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
response_type=code
redirect_uri=http://127.0.0.1:3000/auth/google_oauth2/callback
access_type=offline
approval_prompt=force
client_id=generated_id

What does mean this message, and how can I fix it?
I use the gem omniauth-google-oauth2.

If you’re using Google+ javascript button, then you have to use postmessage instead of the actual URI. It took me almost the whole day to figure this out since Google’s docs do not clearly state it for some reason.

Make sure to check the protocol «http://» or «https://» as google checks protocol as well.
Better to add both URL in the list.

This answer is same as this Mike’s answer, and Jeff’s answer, both sets redirect_uri to postmessage on client side. I want to add more about the server side, and also the special circumstance applying to this configuration.

Tech Stack

Backend

• Python 3.6
• Django 1.11
• Django REST Framework 3.9: server as API, not rendering template, not doing much elsewhere.
• Django REST Framework JWT 1.11
• Django REST Social Auth < 2.1

Frontend

• React: 16.8.3, create-react-app version 2.1.5
• react-google-login: 5.0.2

The «Code» Flow (Specifically for Google OAuth2)

Summary: React —> request social auth «code» —> request jwt token to acquire «login» status in terms of your own backend server/database.

1. Frontend (React) uses a «Google sign in button» with responseType="code" to get an authorization code. (it’s not token, not access token!)
   • The google sign in button is from react-google-login mentioned above.
   • Click on the button will bring up a popup window for user to select account. After user select one and the window closes, you’ll get the code from the button’s callback function.
2. Frontend send this to backend server’s JWT endpoint.
   • POST request, with { "provider": "google-oauth2", "code": "your retrieved code here", "redirect_uri": "postmessage" }
3. For my Django server I use Django REST Framework JWT + Django REST Social Auth. Django receives the code from frontend, verify it with Google’s service (done for you). Once verified, it’ll send the JWT (the token) back to frontend. Frontend can now harvest the token and store it somewhere.
   • All of REST_SOCIAL_OAUTH_ABSOLUTE_REDIRECT_URI, REST_SOCIAL_DOMAIN_FROM_ORIGIN and REST_SOCIAL_OAUTH_REDIRECT_URI in Django’s settings.py are unnecessary. (They are constants used by Django REST Social Auth) In short, you don’t have to setup anything related to redirect url in Django. The "redirect_uri": "postmessage" in React frontend suffice. This makes sense because the social auth work you have to do on your side is all Ajax-style POST request in frontend, not submitting any form whatsoever, so actually no redirection occur by default. That’s why the redirect url becomes useless if you’re using the code + JWT flow, and the server-side redirect url setting is not taking any effect.
4. The Django REST Social Auth handles account creation. This means it’ll check the google account email/last first name, and see if it match any account in database. If not, it’ll create one for you, using the exact email & first last name. But, the username will be something like youremailprefix717e248c5b924d60 if your email is youremailprefix@example.com. It appends some random string to make a unique username. This is the default behavior, I believe you can customize it and feel free to dig into their documentation.
5. The frontend stores that token and when it has to perform CRUD to the backend server, especially create/delete/update, if you attach the token in your Authorization header and send request to backend, Django backend will now recognize that as a login, i.e. authenticated user. Of course, if your token expire, you have to refresh it by making another request.

Oh my goodness, I’ve spent more than 6 hours and finally got this right! I believe this is the 1st time I saw this postmessage thing. Anyone working on a Django + DRF + JWT + Social Auth + React combination will definitely crash into this. I can’t believe none of the article out there mentions this except answers here. But I really hope this post can save you tons of time if you’re using the Django + React stack.

answered Mar 6, 2019 at 3:46

When you register your app at https://code.google.com/apis/console and
make a Client ID, you get a chance to specify one or more redirect
URIs. The value of the redirect_uri parameter on your auth URI has to
match one of them exactly.

answered Sep 28, 2016 at 9:42

beware of the extra / at the end of the url
http://localhost:8000 is different from http://localhost:8000/

for me it was because in the ‘Authorized redirect URIs’ list I’ve incorrectly put https://developers.google.com/oauthplayground/ instead of https://developers.google.com/oauthplayground (without / at the end).

Rails users (from the omniauth-google-oauth2 docs):

Fixing Protocol Mismatch for redirect_uri in Rails

Just set the full_host in OmniAuth based on the Rails.env.

# config/initializers/omniauth.rb

OmniAuth.config.full_host = Rails.env.production? ? ‘https://domain.com’ : ‘http://localhost:3000’

REMEMBER: Do not include the trailing «/»

answered Feb 23, 2016 at 3:48

My problem was that I had http://localhost:3000/ in the address bar and had http://127.0.0.1:3000/ in the console.developers.google.com

answered Jul 17, 2020 at 16:25

Just make sure that you are entering URL and not just a domain.
So instead of:
domain.com
it should be
domain.com/somePathWhereYouHadleYourRedirect

answered Oct 21, 2015 at 11:37

My two cents:
If using the Google_Client library do not forget to update the JSON file on your server after updating the redirect URI’s.

Let me complete @Bazyl’s answer: in the message I received, they mentioned the URI
"http://localhost:8080/"
(which of course, seems an internal google configuration). I changed the authorized URI for that one,
"http://localhost:8080/" , and the message didn’t appear anymore… And the video got uploaded… The APIS documentation is VERY lame… Every time I have something working with google apis, I simply feel «lucky», but there’s a lack of good documentation about it…. Yes, I got it working, but I don’t yet understand neither why it failed, nor why it worked… There was only ONE place to confirm the URI in the web, and it got copied in the client_secrets.json… I don’t get if there’s a THIRD place where one should write the same URI… I find nor only the documentation but also the GUI design of Google’s api quite lame…

I needed to create a new client ID under APIs & Services -> Credentials -> Create credentials -> OAuth -> Other

Then I downloaded and used the client_secret.json with my command line program that is uploading to my youtube account. I was trying to use a Web App OAuth client ID which was giving me the redirect URI error in browser.

answered Dec 29, 2017 at 0:41

The main reason for this issue will only come from chrome and chrome handles WWW and non www differently depending on how you entered your URL in the browsers and it searches from google and directly shows the results, so the redirection URL sent is different in a different case

Add all the possible combinations you can find the exact url sent from fiddler , the 400 error pop up will not give you the exact http and www infromation

answered Aug 31, 2019 at 11:06

I also get This error Error-400: redirect_uri_mismatch

This is not a server or Client side error but you have to only change by checking that you haven’t to added / (forward slash) at the end like this

redirecting URL list ❌:

https://developers.google.com/oauthplayground/

Do this only ✅:

https://developers.google.com/oauthplayground

answered Sep 29, 2022 at 6:39

Try to do these checks:

1. Bundle ID in console and in your application. I prefer set Bundle ID of application like this «org.peredovik.${PRODUCT_NAME:rfc1034identifier}»
2. Check if you added URL types at tab Info just type your Bundle ID in Identifier and URL Schemes, role set to Editor
3. In console at cloud.google.com «APIs & auth» -> «Consent screen» fill form about your application. «Product name» is required field.

Enjoy

answered Jan 2, 2014 at 16:49