You get an invalid redirect_uri error

When you make an authorization request, you must include the redirect_uri parameter; this parameter specifies the URL of the page that you want users to be redirected to following a successful login. In theory, you can redirect users to pretty much any page accessible over the Internet (or at least any page that uses the HTTPS protocol). If that’s true (and it is), then why would you ever receive an error like this one:

imgimg

The answer to that question lies deep inside your OpenID Connect Login client. Yes, you can redirect users to pretty much any page accessible over the Internet, provided that the page is listed in the redirectURIs property in your login client. For example, this login client allows four different redirect URIs:

"redirectURIs": [
    "http://localhost",
    "http://localhost:3001/redirect_uri",
     "https://wacky-harmonious-bike.dev.or.janrain.com/redirect_uri",
     "https://openidconnect.net/callback"
   ],

But if your authorization request uses a different redirect URI (e.g., https://identitydocs.akamai.com), then that authorization request fails:

imgimg

To fix the problem, just add the “missing” URL to the redirectURIs property:

"redirectURIs": [
     "http://localhost",
     "http://localhost:3001/redirect_uri",
     "https://wacky-harmonious-bike.dev.or.janrain.com/redirect_uri",
     "https://openidconnect.net/callback",
     "https://identitydocs.akamai.com"
  ],

Now you can be redirected to https://identitydocs.akamai.com:

imgimg

By the way, in addition to the authorization request your token exchange request must also include this same redirect URI:

curl 'https://v1.api.us.janrain.com/e0a70b4f-1eef-4856-bcdb-f050fee66aae/login/token' \
    -d 'grant_type=authorization_code' \
    -d 'code=Eoxto6nMfR4IZxdD' \
    -d 'redirect_uri=https://wacky-harmonious-bike.dev.or.janrain.com/redirect_uri' \
    -d 'client_id=a123ef65-83dc-4094-a09a-76e1bec424e7' \
    -d 'code_verifier=YdmYa0i_LDeYJAL5HMbJUjd1kWAVmsk8MWHrlUzTw7k'

As noted, the redirect URI specified in the token exchange must match the redirect URI included in your authorization request. If it doesn’t, authorization will fail, and you won’t be issued an access token.


Did this page help you?