On the website https://code.google.com/apis/console I have registered my application, set up generated Client ID: and Client Secret to my app and tried to log in with Google.
Unfortunately, I got the error message:
Error: redirect_uri_mismatch
The redirect URI in the request: http://127.0.0.1:3000/auth/google_oauth2/callback did not match a registered redirect URI
scope=https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
response_type=code
redirect_uri=http://127.0.0.1:3000/auth/google_oauth2/callback
access_type=offline
approval_prompt=force
client_id=generated_id
What does mean this message, and how can I fix it?
I use the gem omniauth-google-oauth2.
The redirect URI (where the response is returned to) has to be registered in the APIs console, and the error is indicating that you haven't done that, or haven't done it correctly.
Go to the console for your project and look under API Access. You should see your client ID & client secret there, along with a list of redirect URIs. If the URI you want isn't listed, click edit settings and add the URI to the list.
EDIT: (From a highly rated comment below) Note that updating the google api console and that change being present can take some time. Generally only a few minutes but sometimes it seems longer.
In my case it was www and non-www URL. Actual site had www URL and the Authorized Redirect URIs in Google Developer Console had non-www URL. Hence, there was mismatch in redirect URI. I solved it by updating Authorized Redirect URIs in Google Developer Console to www URL.
Other common URI mismatch are:
Using http:// in Authorized Redirect URIs and https:// as actual URL, or vice-versa
Using trailing slash (http://example.com/) in Authorized Redirect URIs and not using trailing slash (http://example.com) as actual URL, or vice-versa
Here are the step-by-step screenshots of Google Developer Console so that it would be helpful for those who are getting it difficult to locate the developer console page to update redirect URIs.
Go to https://console.developers.google.com
Select your Project
Click on the menu icon
Click on API Manager menu
Click on Credentials menu. And under OAuth 2.0 Client IDs, you will find your client name. In my case, it is Web Client 1. Click on it and a popup will appear where you can edit Authorized Javascript Origin and Authorized redirect URIs.
Note: The Authorized URI includes all localhost links by default, and any live version needs to include the full path, not just the domain, e.g. https://example.com/path/to/oauth/url
Here is a Google article on creating project and client ID.
If you're using Google+ javascript button, then you have to use postmessage instead of the actual URI. It took me almost the whole day to figure this out since Google's docs do not clearly state it for some reason.
In any flow where you retrieved an authorization code on the client side, such as the GoogleAuth.grantOfflineAccess() API, and now you want to pass the code to your server, redeem it, and store the access and refresh tokens, then you have to use the literal string postmessage instead of the redirect_uri.
For example, building on the snippet in the Ruby doc:
client_secrets = Google::APIClient::ClientSecrets.load('client_secrets.json')
auth_client = client_secrets.to_authorization
auth_client.update!(
:scope => 'profile https://www.googleapis.com/auth/drive.metadata.readonly',
:redirect_uri => 'postmessage' # <---- HERE
)
# Inject user's auth_code here:
auth_client.code = "4/lRCuOXzLMIzqrG4XU9RmWw8k1n3jvUgsI790Hk1s3FI"
tokens = auth_client.fetch_access_token!
# { "access_token"=>..., "expires_in"=>3587, "id_token"=>..., "refresh_token"=>..., "token_type"=>"Bearer"}
The only Google documentation to even mention postmessage is this old Google+ sign-in doc. Here's a screenshot and archive link since G+ is closing and this link will likely go away:
It is absolutely unforgivable that the doc page for Offline Access doesn't mention this. #FacePalm
For my web application i corrected my mistake by writing
instead of : http://localhost:11472/authorize/
type : http://localhost/authorize/
Make sure to check the protocol "http://" or "https://" as google checks protocol as well.
Better to add both URL in the list.
1.you would see an error like this
2.then you should click on request details
after this , you have to copy that url and add this on https://console.cloud.google.com/
go to https://console.cloud.google.com/
click on Menu -> API & Services -> Credentials
you would see a dashboard like this ,click on edit OAuth Client
now in Authorized Javascript Origins and Authorized redirect URLS
add the url that has shown error called redirect_uri_mismatch i.e here it is
http://algorithammer.herokuapp.com , so i have added that in both the places in
Authorized Javascript Origins and Authorized redirect URLS
click on save and wait for 5 min and then try to login again
This seems quite strange and annoying that no "one" solution is there.
for me http://localhost:8000 did not worked out but http://localhost:8000/ worked out.
This answer is same as this Mike's answer, and Jeff's answer, both sets redirect_uri to postmessage on client side. I want to add more about the server side, and also the special circumstance applying to this configuration.
Tech Stack
Backend
Python 3.6
Django 1.11
Django REST Framework 3.9: server as API, not rendering template, not doing much elsewhere.
Django REST Framework JWT 1.11
Django REST Social Auth < 2.1
Frontend
React: 16.8.3, create-react-app version 2.1.5
react-google-login: 5.0.2
The "Code" Flow (Specifically for Google OAuth2)
Summary: React --> request social auth "code" --> request jwt token to acquire "login" status in terms of your own backend server/database.
Frontend (React) uses a "Google sign in button" with responseType="code" to get an authorization code. (it's not token, not access token!)
The google sign in button is from react-google-login mentioned above.
Click on the button will bring up a popup window for user to select account. After user select one and the window closes, you'll get the code from the button's callback function.
Frontend send this to backend server's JWT endpoint.
POST request, with { "provider": "google-oauth2", "code": "your retrieved code here", "redirect_uri": "postmessage" }
For my Django server I use Django REST Framework JWT + Django REST Social Auth. Django receives the code from frontend, verify it with Google's service (done for you). Once verified, it'll send the JWT (the token) back to frontend. Frontend can now harvest the token and store it somewhere.
All of REST_SOCIAL_OAUTH_ABSOLUTE_REDIRECT_URI, REST_SOCIAL_DOMAIN_FROM_ORIGIN and REST_SOCIAL_OAUTH_REDIRECT_URI in Django's settings.py are unnecessary. (They are constants used by Django REST Social Auth) In short, you don't have to setup anything related to redirect url in Django. The "redirect_uri": "postmessage" in React frontend suffice. This makes sense because the social auth work you have to do on your side is all Ajax-style POST request in frontend, not submitting any form whatsoever, so actually no redirection occur by default. That's why the redirect url becomes useless if you're using the code + JWT flow, and the server-side redirect url setting is not taking any effect.
The Django REST Social Auth handles account creation. This means it'll check the google account email/last first name, and see if it match any account in database. If not, it'll create one for you, using the exact email & first last name. But, the username will be something like youremailprefix717e248c5b924d60 if your email is youremailprefix#example.com. It appends some random string to make a unique username. This is the default behavior, I believe you can customize it and feel free to dig into their documentation.
The frontend stores that token and when it has to perform CRUD to the backend server, especially create/delete/update, if you attach the token in your Authorization header and send request to backend, Django backend will now recognize that as a login, i.e. authenticated user. Of course, if your token expire, you have to refresh it by making another request.
Oh my goodness, I've spent more than 6 hours and finally got this right! I believe this is the 1st time I saw this postmessage thing. Anyone working on a Django + DRF + JWT + Social Auth + React combination will definitely crash into this. I can't believe none of the article out there mentions this except answers here. But I really hope this post can save you tons of time if you're using the Django + React stack.
In my case, my credential Application type is "Other". So I can't find Authorized redirect URIs in the credentials page. It seems appears in Application type:"Web application". But you can click the Download JSON button to get the client_secret.json file.
Open the json file, and you can find the parameter like this: "redirect_uris":["urn:ietf:wg:oauth:2.0:oob","http://localhost"]. I choose to use http://localhost and it works fine for me.
When you register your app at https://code.google.com/apis/console and
make a Client ID, you get a chance to specify one or more redirect
URIs. The value of the redirect_uri parameter on your auth URI has to
match one of them exactly.
Checklist:
http or https?
& or &?
trailing slash(/) or open ?
(CMD/CTRL)+F, search for the exact match in the credential page. If
not found then search for the missing one.
Wait until google refreshes it. May happen in each half an hour if you
are changing frequently or it may stay in the pool. For my case it was almost half an hour to take effect.
for me it was because in the 'Authorized redirect URIs' list I've incorrectly put https://developers.google.com/oauthplayground/ instead of https://developers.google.com/oauthplayground (without / at the end).
The redirect url is case sensitive.
In my case I added both:
http://localhost:5023/AuthCallback/IndexAsync
http://localhost:5023/authcallback/indexasync
If you use this tutorial: https://developers.google.com/identity/sign-in/web/server-side-flow then you should use "postmessage".
In GO this fixed the problem:
confg = &oauth2.Config{
RedirectURL: "postmessage",
ClientID: ...,
ClientSecret: ...,
Scopes: ...,
Endpoint: google.Endpoint,
}
beware of the extra / at the end of the url
http://localhost:8000 is different from http://localhost:8000/
It has been answered thoroughly but recently (like, a month ago) Google stopped accepting my URI and it would not worked. I know for a fact it did before because there is a user registered with it.
Anyways, the problem was the regular 400: redirect_uri_mismatch but the only difference was that it was changing from https:// to http://, and Google will not allow you to register http:// redirect URI as they are production publishing status (as opposed to localhost).
The problem was in my callback (I use Passport for auth) and I only did
callbackURL: "/register/google/redirect"
Read docs and they used a full URL, so I changed it to
callbackURL: "https://" + process.env.MY_URL+ "/register/google/redirect"
Added https localhost to my accepted URI so I could test locally, and it started working again.
TL;DR use the full URL so you know where you're redirecting
2015 July 15 - the signin that was working last week with this script on login
<script src="https://apis.google.com/js/platform.js" async defer></script>
stopped working and started causing Error 400 with Error: redirect_uri_mismatch
and in the DETAILS section: redirect_uri=storagerelay://...
i solved it by changing to:
<script src="https://apis.google.com/js/client:platform.js?onload=startApp"></script>
Rails users (from the omniauth-google-oauth2 docs):
Fixing Protocol Mismatch for redirect_uri in Rails
Just set the full_host in OmniAuth based on the Rails.env.
# config/initializers/omniauth.rb
OmniAuth.config.full_host = Rails.env.production? ? 'https://domain.com' : 'http://localhost:3000'
REMEMBER: Do not include the trailing "/"
None of the above solutions worked for me. below did
change authorised Redirect urls to - https://localhost:44377/signin-google
Hope this helps someone.
My problem was that I had http://localhost:3000/ in the address bar and had http://127.0.0.1:3000/ in the console.developers.google.com
Just make sure that you are entering URL and not just a domain.
So instead of:
domain.com
it should be
domain.com/somePathWhereYouHadleYourRedirect
Anyone struggling to find where to set redirect urls in the new console: APIs & Auth -> Credentials -> OAuth 2.0 client IDs -> Click the link to find all your redirect urls
My two cents:
If using the Google_Client library do not forget to update the JSON file on your server after updating the redirect URI's.
I also get This error Error-400: redirect_uri_mismatch
This is not a server or Client side error but you have to only change by checking that you haven't to added / (forward slash) at the end like this
redirecting URL list ❌:
https://developers.google.com/oauthplayground/
Do this only ✅:
https://developers.google.com/oauthplayground
Let me complete #Bazyl's answer: in the message I received, they mentioned the URI
"http://localhost:8080/"
(which of course, seems an internal google configuration). I changed the authorized URI for that one,
"http://localhost:8080/" , and the message didn't appear anymore... And the video got uploaded... The APIS documentation is VERY lame... Every time I have something working with google apis, I simply feel "lucky", but there's a lack of good documentation about it.... :( Yes, I got it working, but I don't yet understand neither why it failed, nor why it worked... There was only ONE place to confirm the URI in the web, and it got copied in the client_secrets.json... I don't get if there's a THIRD place where one should write the same URI... I find nor only the documentation but also the GUI design of Google's api quite lame...
I needed to create a new client ID under APIs & Services -> Credentials -> Create credentials -> OAuth -> Other
Then I downloaded and used the client_secret.json with my command line program that is uploading to my youtube account. I was trying to use a Web App OAuth client ID which was giving me the redirect URI error in browser.
I have frontend app and backend api.
From my backend server I was testing by hitting google api and was facing this error. During my whole time I was wondering of why should I need to give redirect_uri as this is just the backend, for frontend it makes sense.
What I was doing was giving different redirect_uri (though valid) from server (assuming this is just placeholder, it just has only to be registered to google) but my frontend url that created token code was different. So when I was passing this code in my server side testing(for which redirect-uri was different), I was facing this error.
So don't do this mistake. Make sure your frontend redirect_uri is same as your server's as google use it to validate the authenticity.
The main reason for this issue will only come from chrome and chrome handles WWW and non www differently depending on how you entered your URL in the browsers and it searches from google and directly shows the results, so the redirection URL sent is different in a different case
Add all the possible combinations you can find the exact url sent from fiddler , the 400 error pop up will not give you the exact http and www infromation
Try to do these checks:
Bundle ID in console and in your application. I prefer set Bundle ID of application like this "org.peredovik.${PRODUCT_NAME:rfc1034identifier}"
Check if you added URL types at tab Info just type your Bundle ID in Identifier and URL Schemes, role set to Editor
In console at cloud.google.com "APIs & auth" -> "Consent screen" fill form about your application. "Product name" is required field.
Enjoy :)
I need help. I don't found an answer to my question. I tried googling and I tried asking on other sides but I never found an answer.
I'm working with the google API (Youtube data API) and I use the example code from the google side the code it works I'm pretty sure about that. I got an error when i try to start the Script:
details: "Not a valid origin for the client: "MyURL" has not been whitelisted for client ID "MyID". Please go to https://console.developers.google.com/ and whitelist this origin for your project's client ID."
error: "idpiframe_initialization_failed"
The problem i whitelisted my Website and it's accepted. i don't know what is wrong. What should i do to "whitelist" my Domain (It's whitelisted)
And another question. I did not search for an answer on this question before.
I think it's possible that I can use the code on Localhost, I think I must whitelist my localhost address or something like this. But whitelisting does not work.
DreamGamer
I cleared cache. Started working then.
In Chrome: Settings --> Advanced --> Clear browsing data --> Cached images and files
Had the same problem and here's how I solved it:
Activate both Analytics and Google Plus APIs on your project
Create new OAUTH 2.0 client credentials
Add the Authorized Javascript Origins under Restrictions section
Use the new client id.
Enjoy.
For me, it worked without adding any of the additional APIs like google analytics. Just make sure to add the complete clientid and open the app in incognito window to avoid saving the cache. If already have opened the app in regular window,
1- Close all tabs that app is open at.
2- Clear the cache and cookies. In chrome, its in Settings --> Passwords and forms -> Clear Browsing data -> Advanced (tab) -> select a) Cookies and other site data and b) Cached images and files
3- Open a fresh incognito window and test your app.
The documentation says not to overlook two critical steps ("As you go through the instructions, it's important that you not overlook these two critical steps: Enable the Analytics API
Here's what worked for me:
Enable the Analytics API
back to you credentials , delete previous OAuth 2.0
now create new OAuth with correct origins
I also followed the instructions in the quickstart example, Had the same problem, tried all the solutions suggested here to no avail, tried everything I could imagine but it didn't help.
Finally saw that I copied the CLIENT_ID with a space at the end.
var CLIENT_ID = '44********-*****************.apps.googleusercontent.com ';
Once I fixed this (removed the extra space) it worked.
I guess the error message is not very precise in this case.
Hope this helps.
I was having a similar issue trying to get a login for my web app. What I did was just recreate the OAuth Client ID credentials from Cloud Platform. When I did this and used the new Client ID, everything worked fine. Not sure what the issue was before, but it goes through perfectly fine now.
If anyone finds this from Google or whatnot, try that. It might just work. It would explain Ezra Obiwale's answer because that is essentially creating a new Client ID just after adding a couple API's.
If anyone knows an explanation as to why this happens that would be appreciated.
I just made the same mistake: Tried the official quickstart example and received the same error message as you.
It is rather confusing, because that example is a lot more complex than what I personally needed: It uses OAuth for user login, and NOT just the API key. If you are like me, and you don't want to use OAuth, and you only want to retrieve some Youtube data, without any privileged actions (e.g. if you only want to search or list videos, channels or playlists), this example is for you.
The solution is simple, just provide apiKey instead of clientId to gapi.client.init (link: API docs), like so:
const apiKey = '<my API key>';
function gooApiInitClient() {
// Array of API discovery doc URLs for APIs used by the quickstart
const discoveryDocs = [
"https://www.googleapis.com/discovery/v1/apis/youtube/v3/rest"
];
return gapi.client.init({
apiKey,
discoveryDocs
});
}
// see: https://developers.google.com/api-client-library/javascript/reference/referencedocs
gapi.load('client', {
callback: function() {
// we now have gapi.client! initialize it.
gooApiInitClient().
then(() => {
// we can start using the API here!
// e.g. gapi.client.youtube.videos.list(...);
}).then(results => {
// use results here....
});
}
});
I was also attempting to get the sample working (from ) https://developers.google.com/drive/api/v3/quickstart/js
It continually failed even though the ip address was added to the WebAPI.
But you have to add localhost:8000 (not just 127.0.0.1:8000) to your OAUTH as shown here:
Float over the OAUTH client text and it will become a link. Click that link and you can add a URI including the port. Mine already had 127.0.0.1:8000 but not the locahost:8000.
Here's the interesting / odd thing. When I ping localhost I see:
I think that is IPV6 thing.
Anyways, if I ping 127.0.0.1 I see the expected response (via IPV4)
Maybe that is a red herring but I wasn't sure if the value entered in the OAUTH was affected by it or not.
The reason I even noticed that is because when I started the Python web server as directed in the tutorial I saw the following and thought it was odd:
Only after adding the localhost:8000 URI in the OAUTH did it work, but after adding it did work fine.
As many have indicated here, this is just a browser caching issue. No need to create a new key, or even clear the cache. Just try again on a new browser incognito (anonymous) window and it should work fine.
Use the below latest way to update the valid origin for the client:
Go to https://console.developers.google.com/
Click the ENABLE APIS and SERVICES link
Add the Google Analytics API and return the homepage.
You can able to see the list of API's added in the homepage like below screenshot
Click the credential link from the left side menu
Click the OAuth client, if it not available create using CREATE CREDENTIAL button
Add the authorized javascript origins link like below.
Finally click the SAVE button
Then, In Chrome: Settings --> Advanced --> Clear browsing data --> Cached images and files (To avoid old cache make cross origin issue).
Hopefully, this will help everyone
Create authorization credentials
Any application that uses OAuth 2.0 to access Google APIs must have authorization credentials that identify the application to Google's OAuth 2.0 server. The following steps explain how to create credentials for your project. Your applications can then use the credentials to access APIs that you have enabled for that project.
Go to the Credentials page.
Click Create credentials > OAuth client
ID.
Select the Web application application type.
Complete the form. Applications that use JavaScript to make authorized Google API requests must specify authorized JavaScript origins. The origins identify the domains from which your application can send requests to the OAuth 2.0 server.
the one Tap Google chrome auth doesn't show to all my domains so
I follow this book:
https://developers.google.com/identity/one-tap/web/guides/features
summary for this question it says:
add all your domains and sub domains in:
https://console.developers.google.com/apis/credentials
Edit or create a:
OAuth 2.0 Client IDs ->
Web client (auto created by Google Service) (Edit this line)
add the domains and subs here:
Authorized JavaScript origins
URIs
after this the one tap login started to be shown with the accounts registered on the chrome browser of the logged user.
<script src="https://apis.google.com/js/platform.js" async defer></script>
Script must in tag <head></head>
In my case, I put after tag </main>, so It's fail. Then I try write in tag <head>, It work!
===
Correct is
<!DOCTYPE html>
<html lang="vi">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title></title>
<meta name="google-signin-client_id" content="APP_CODE.apps.googleusercontent.com">
<script src="https://apis.google.com/js/platform.js" async defer></script>
</head>
<body>
<main>
<div class="g-signin2" data-onsuccess="onSignIn"></div>
</main>
<script>
function onSignIn(googleUser) {...}
...
I was having this exact same issue - the solution for me was to go into the API Manager and enable the Analytics API. Not sure what the issue was, but this seems to have fixed it!
I believe this has to do with caching, try to Go to your browser and clear the cache, try: in chrome, > setting > advanced > clear browsing data :>: cached images and files.
One of the reasons why it could not work is exceeded number (100) of logins on certain client ID.
You can visit google API console page and create new Oauth2 client credentials (remember to add your applications URL under Authorized Javascript Origins) and then use it.
I was having the same issues as well until I realized when I copied the client_ID, there was white space in my file, so I removed the white space from the string and everything is working great now.
I faced the same issue while working with google sign-in using react-social-login on my localhost. In the whitelist origin we will have to provide http://localhost:3000 to make it work.
The following worked for me
Add your origin to your OAuth 2.0 Client ID
Copy and navigate to the failed HTTP request that you see in devtools, e.g. https://accounts.google.com/o/oauth2/iframerpc?action=checkOrigin...
Clear cookies and localstorage for that domain (EditThisCookie & localStorage.clear())
Wait around 30 minutes
That URL should return { "valid": true }
My case : disabled ad blocker AdGuard
How do you customise the okta application loading screen?
This is the screen after you've signed into Okta, which is displayed when accessing an application.
It looks like a bar of grey, with a group of circles that spin.
Technically this is possible using the interstitialUrl. The interstitialUrl points to a custom page embedded inside an iframe. Modifying it allows you to use any page/style of your choosing.
Here are the requirements to creating the custom page:
Page must be HTTPS
Page is rendered inside an iframe
Host the interstitialUrl and the URL inside the iframe
However, use CAUTION when updating the contents of your organization.
Step 1: (Requires API Token)
GET https://{{subdomain}}.okta.com/api/v1/orgs/{{subdomain}}
Edit the JSON from the response, changing only the interstitialUrl:
"settings": {
"app": {
"interstitialUrl": "https://example.com/interstitial.html",
...
},
...
}
Step 2: Submit a PUT request (Requires API Token)
PUT https://{{subdomain}}.okta.com/api/v1/orgs/{{subdomain}}
Use the updated JSON from Step 1 as the request body.
Edit (1/30/2019)
This isn't a feature that is supported and can be removed at Okta's discretion. Please use at your own risk and do not expect this functionality to exist in the near future.
I raise a suppose case with Okta, and the feedback I received was this is not currently possible.
"We do at this time provide customisations for the sign in page in Okta and greater customisation capabilities if using the Okta sign in Widget however none of these extend to the loading page for the applications. "
To customize Okta application loading screen, please follow below steps:
Login to your Okta organization
Go to Admin tab
Click on Setting
From Setting drop down menu select Appearance, here you can configure Application Theme, Sign-in configuration, organization logo.
You won't be able to update interstitialUrl using the Okta REST API.
{
"errorCode": "E0000001",
"errorSummary": "Api validation failed: updateOrg",
"errorLink": "E0000001",
"errorId": "oae2uOlYhZyQwy2smOyFQecLA",
"errorCauses": [
{
"errorSummary": "Interstitial page URL cannot be modified."
}
]
}
I'm trying to add Google Checkout to my magento 1.7.0.0 shop. I've traced the issue and it seems to fail during posting to google's server because when I try to read the response it's false.
The error I get is: Google Checkout: Invalid response from Google Checkout server
I'm using magento 1.7, google sandbox with sandbox credentials, verified bank account, unchecked digitally signed carts, but am using a self-signed certificate on my development machine, and API version 2.2.
The issue is happening in app/code/core/Mage/GoogleCheckout/Model/Api/Xml/Abstract.php on lines 174, 175
$http = new Varien_Http_Adapter_Curl();
$http->write('POST', $url, '1.1', $headers, $xml);
$response = $http->read();
Not a PHP dev ~
Is this a sandbox server to server (Shopping Cart) POST? Check:
that you are using sandbox credentials in your headers;
that you are posting to a sandbox url for the xml you are sending
Note - unchecking "digital cart" only means your account will also accept HTML API cart POSTs, but it doesn't mean you can send XML without a digital signature if doing direct FORM post to Google - re: in XML API, you have 2 options to send XML data:
Direct HTML FORM POST to Google (must include signature), or;
Server to Server POST to Google (must use Basic Auth credentials)
You can also check your sandbox Integration Console for detailed error messages:
Tools -> Integration Console
Hth...
There was a problem with it being a local environment. The issue was either with Google not being able to communicate or with my tld ending in .dev. Possibly Google rejected the request for that reason.