Receiving a "redirect_uri_mismatch" error when authorizing with OAUTH 2.0

SOLVED
Occasional Participant

I'm trying to use OAUTH 2.0 to authenticate/authorize. I'm testing on my local machine, where my application is running and accessible over HTTPS. I'm taken through the authorization step, but get an error on the redirect back to my application.

To start the process, I'm redirecting the browser to:

https://oauth2.constantcontact.com/oauth2/oauth/siteowner/authorize?response_type=code&client_id=MY_...

Where MY_API_KEY is my API key.

I'm taken to a Constant Contact login page, then to an authorization page, where I can grant access to my application. After clicking the Grant button, I'm taken to:

https://localhost/somepath?error=redirect_uri_mismatch&error_description=Invalid%20redirect.

Can you tell me what is wrong with the redirect_uri value I'm using?

Thanks,

Andy

1 ACCEPTED SOLUTION

Hey Andy,

I think the issue may be that when you created your API key you set the URL redirect to a certain point, and you are using a different one in your code. Thus you are receiving an error. Please check that and let me know, as I was able to get my code after matching the two of them.

Ryan Davis
Quality Engineer


Employee

Hey Andy,

Can you provide us with the rest of your code? If you do not wish to post it, you can send it to webservices@constantcontact.com and I can get it from there.

Ryan Davis
Quality Engineer
Occasional Participant

Ryan,

Looks like my URL got cut off, here it is with line breaks.

https://oauth2.constantcontact.com/oauth2/oauth/siteowner/authorize?
response_type=code&
client_id=API_KEY&
redirect_uri=https%3A%2F%2Flocalhost%2FPATH_TO_APPLICATION

As for other code, there is no other code that really matters. If you replace API_KEY in the URL above with my real API key, you can paste this into a browser and see that:

  1. You correctly get taken to an OAUTH authorization page
  2. After granting access, you are redirected to the following URL:

https://localhost/PATH_TO_APPLICATION?error=redirect_uri_mismatch&
error_description=Invalid%20redirect.

If things were working, I'd get redirected to:

https://localhost/PATH_TO_APPLICATION?code=AUTH_CODE

Note that I can change PATH_TO_APPLICATION to a real app location, same result. I can also use a server with a public hostname and not use localhost, same result.

Does that help?

Andy

Occasional Participant

This is working now. I hadn't realized I needed to attach the redirect URI value to my API key. It would be great to note this in your API docs.

Thanks,

Andy

Hey Andy,

I will be passing that information on to see if we can get that documentation updated.

Ryan Davis
Quality Engineer

I'm developing a web app that is using OAuth 2 and it works fine when the URIs match, as you say. My problem is that I'll need this web app to run when installed at multiple client sites, so the URI will always be different. Is there any way to not use the URI redirect in the key, or any other workaround to this? I'd rather not create an API key for every client that runs this application.

-Paul

The normal way of handling this is to have a central server endpoint (or agent) that handles all requests and then sends them back to the correct client. Since you can pass optional parameters to the server and the server will pass them back to you, you can tell which endpoint to redirect the information to. Then your client will receive the update from your server agent and this flow will correctly work.

Dave Berard
Senior Product Manager, Constant Contact
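The central-agent pattern Dave describes, as an added example that is not code from this thread or from Constant Contact: a single redirect URI (the agent's) is the one attached to the API key, the tenant is carried in the optional `state` parameter, and the agent forwards the returned code only to an allowlisted tenant callback. The hostnames, tenant names and the in-memory `_PENDING` store are constructed for the example.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values: the one redirect URI registered on the API key (the agent's),
# and the per-tenant callbacks the agent may forward to. Hostnames are hypothetical.
AUTHORIZE_URL = "https://oauth2.constantcontact.com/oauth2/oauth/siteowner/authorize"
AGENT_REDIRECT_URI = "https://agent.example.com/oauth/callback"
TENANT_CALLBACKS = {
    "acme": "https://acme.example.com/cc/callback",
    "globex": "https://globex.example.com/cc/callback",
}
_PENDING = {}  # state -> tenant, kept server-side (a store with a TTL in production)


def build_authorize_url(api_key, tenant):
    """Start the flow for one tenant. redirect_uri is always the agent's, so it
    matches the URI attached to the API key; the tenant travels in state."""
    if tenant not in TENANT_CALLBACKS:
        raise ValueError(f"unknown tenant {tenant!r}")
    state = secrets.token_urlsafe(32)  # unguessable and single-use (CSRF protection)
    _PENDING[state] = tenant
    params = {
        "response_type": "code",
        "client_id": api_key,
        "redirect_uri": AGENT_REDIRECT_URI,  # urlencode percent-encodes it, as in the thread
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state


def handle_agent_callback(callback_url):
    """The provider redirected to the agent; return the tenant URL to redirect on to.
    The target comes only from the allowlist, never from the request, so the agent
    cannot be turned into an open redirector."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:  # e.g. error=redirect_uri_mismatch when the registered URI differs
        raise RuntimeError(f"{q['error'][0]}: {q.get('error_description', [''])[0]}")
    state = q.get("state", [None])[0]
    tenant = _PENDING.pop(state, None)  # pop: a replayed or unknown state is rejected
    if tenant is None:
        raise PermissionError("unknown or replayed state")
    code = q.get("code", [None])[0]
    if code is None:
        raise ValueError("callback carried neither code nor error")
    # Whoever exchanges this code for a token must send AGENT_REDIRECT_URI again,
    # as OAuth 2.0 requires the token request to repeat the authorize redirect_uri.
    return f"{TENANT_CALLBACKS[tenant]}?{urlencode({'code': code})}"
```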

Thanks Dave. An agent sounds like it will work. I'll give that a try.

Hey Paul,

There is no workaround, as this is how the OAuth 2 specification was written. At this time we don't have a way to verify more than one redirect URI for an API key. The only workaround that comes to mind is to use OAuth 1, which you can find information for here.

Please let me know if this helps.

Ryan Davis
Quality Engineer
Occasional Participant

I'm in the same boat here. Trying to develop a module for the WHMCS billing system. I'd like to provide this addon module to others who use WHMCS, but it seems that I can't use the key to redirect other users of this addon module to their own website.

This is pretty much a show stopper for enabling me to share this module with others, unless I make them generate their own key. To say I'm disappointed is an understatement. I am frustrated by this. What a horrible limitation in this API. Even more frustrating is that this looks like it's been the case for several years.

It seems there is no workaround to this, so I'm not asking for the answer. Just expressing my deep disappointment and hoping that perhaps the API can be tweaked to allow this type of developing and sharing of code.

Richard

Hi Richard,

Thank you for your feedback on this and for sharing your experience with us. In this case, it is not likely that this will change, as the limitation that a redirect URI must always match is part of the OAuth 2.0 specification that we are implementing for authentication. Because this is a core part of the OAuth implementation, it is not likely that it will be changed. One aspect of that limitation is that this leaves using a central agent that can pass that redirect on to the correct user as the only option to implement this properly.

Best Regards,

Elijah G.
API Support Engineer

Hi. With your sample files, I have configured the API key with the redirect URI, run the sample, and clicked the "Get Access Token" button; a login page appears, I grant access to the application name defined in the API key, and click "Grant Access".

Tracking the HTML source code of this 'grant access' page, it contains data that seems to be OK, for example:

<input name="preregistered_redirect_uri" value="http://www.myserver.com/socialn2/test/ccontact_sdk/examples/getAccessToken.php" type="hidden"/>

This is the same link as the published page where the process started. It is the same redirect URI configured in the API key.

The process navigates to http://www.myserver.com/socialn2/test/ccontact_sdk/examples/getAccessToken.php?code=nIRSObZgeQcGjT0S...

So it seems to be OK, but this page displays the error "Error: redirect_uri_mismatch: Redirect URI mismatch" when the following code is reached:

$accessToken = $oauth->getAccessToken($_GET['code']);

The link already contains a code, so it should work.

Could you explain to me what's going on?
