ForgeRock Identity Platform
Does not apply to Identity Cloud

redirect_uri_mismatch error occurs after upgrading to, or installing Agents (All versions)

Last updated Oct 5, 2021

The purpose of this article is to provide assistance if you encounter a "redirect_uri_mismatch The redirection URI provided does not match a pre-registered value" error after upgrading to, or installing, Agents. You may also encounter this issue after upgrading to AM 5.5, 5.5.1, 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2 or 6.5.2.1.



Symptoms

The following error is shown in the browser when accessing the resource protected by the Agent:

redirect_uri_mismatch The redirection URI provided does not match a pre-registered value.

You are then redirected to the login URL, which is in a similar format to this example URL:

https://host1.example.com:8443/openam/oauth2/authorize?response_type=id_token&scope=openid&client_id=myWebAgent&redirect_uri=http%3A%2F%2Fhost2.example.net%3A80%2Fagent%2Fcdsso-oauth2&state=475c3531-e74d-ff40-9792-83ebc25d2c77&nonce=95B1765FC776BBEFF70EBCB73782A15E&response_mode=form_post&agent_provider=true&agent_realm=%2F

Recent Changes

Upgraded to, or installed Agents 5.x.

Upgraded to AM 5.5, 5.5.1, 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2 or 6.5.2.1.

Causes

CDSSO improvements in Agents 5 mean CDSSO is the only SSO mode used by Agents; it is achieved using the OAuth 2.0 protocol and the oauth2/authorize endpoint. See Web Agents 5 Major Improvements or Java Agents 5 Major Improvements for further information.

Where there is a mismatch between the protocols used to access the resource and the one the agent is configured against (for example, you are accessing a resource with a URL that uses the HTTPS protocol but you configured your agent with a URL that uses the HTTP protocol), the hidden OAuth2 agent does not understand the redirection URL and prevents access as a security precaution.

Additionally, this issue can occur after upgrading to certain AM 6 versions, where an extra forward slash (/) is inadvertently included in the CDSSO Redirect URI, which prevents access. 

Solution

This issue can be resolved by ensuring both the Agent Root URL for CDSSO and CDSSO Redirect URI are set correctly. AM 5.5.2, and AM 6.5.2.2 and later correctly set the CDSSO Redirect URI without the extra forward slash.

Agent Root URL for CDSSO 

Ensure the root URL for CDSSO is set to the redirection URL in the following format: protocol://host:port/. For the example URL shown in the Symptoms section, you would specify the following root URL:

http://host2.example.net:80

Note

If the redirection URL points to IG, you must remove the port if it is a default one (:80 or :443) because AM includes the port in its URI but IG omits the default ports, which can contribute to this mismatch issue.

For example, the above URL would become: http://host2.example.net

You can set the root URL for CDSSO using either the console, Amster or ssoadm:

  • Console: navigate to: Realms > [Realm Name] > Applications > Agents > Web or Java > [Agent Name] > Global > Agent Root URL for CDSSO and specify the redirection URL.
  • Amster: follow the steps in How do I update property values in AM (All versions) using Amster? with these values:
    • Entity: WebAgents or J2EEAgent
    • Property: cdssoRootUrl
  • ssoadm: enter the following command: $ ./ssoadm update-agent -e [realmname] -b [agentname] -u [adminID] -f [passwordfile] -a sunIdentityServerDeviceKeyValue[0]=agentRootURL=[redirectionURL] replacing [realmname], [agentname], [adminID], [passwordfile] and [redirectionURL] with appropriate values.

CDSSO Redirect URI

The URI should not start with a forward slash, for example, the default value is:

agent/cdsso-oauth2

If it starts with a forward slash (for example, /agent/cdsso-oauth2), you will need to remove the forward slash using either the console, Amster or ssoadm: 

  • Console: navigate to: Realms > [Realm Name] > Applications > Agents > Web or Java > [Agent Name] > SSO > CDSSO Redirect URI and remove the / at the start of the URI.
  • Amster: follow the steps in How do I update property values in AM (All versions) using Amster? with these values:
    • Entity: WebAgents or J2EEAgent
    • Property: cdssoRedirectUri
  • ssoadm: enter the following command: $ ./ssoadm update-agent -e [realmname] -b [agentname] -u [adminID] -f [passwordfile] -a com.sun.identity.agents.config.cdsso.redirect.uri=[redirectURI] replacing [realmname], [agentname], [adminID], [passwordfile] and [redirectURI] with appropriate values.
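The following added example (not ForgeRock code) checks a captured authorize URL against the two agent properties covered above, Agent Root URL for CDSSO and CDSSO Redirect URI, and names which of the causes described in this article explains a mismatch. It assumes AM derives the registered redirect URI by joining the root URL and the relative CDSSO Redirect URI with a single slash; the sample URL is constructed from the Symptoms section.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample modelled on the Symptoms section: the authorize URL the
# agent redirects the browser to, carrying the redirect_uri it expects AM to accept.
AUTHORIZE_URL = (
    "https://host1.example.com:8443/openam/oauth2/authorize?response_type=id_token"
    "&scope=openid&client_id=myWebAgent"
    "&redirect_uri=http%3A%2F%2Fhost2.example.net%3A80%2Fagent%2Fcdsso-oauth2"
    "&state=475c3531-e74d-ff40-9792-83ebc25d2c77&response_mode=form_post"
)


def sent_redirect_uri(authorize_url: str) -> str:
    """Return the decoded redirect_uri parameter from an oauth2/authorize URL."""
    return parse_qs(urlsplit(authorize_url).query)["redirect_uri"][0]


def registered_redirect_uri(cdsso_root_url: str, cdsso_redirect_uri: str) -> str:
    """Model (assumption) of the value AM registers from the agent profile:
    root URL joined with one '/' to the relative CDSSO Redirect URI.  A leading
    '/' in cdsso_redirect_uri is deliberately kept so the double slash shows up."""
    return cdsso_root_url.rstrip("/") + "/" + cdsso_redirect_uri


def diagnose(authorize_url: str, cdsso_root_url: str, cdsso_redirect_uri: str) -> str:
    """Compare what the agent sent with what the profile registers and name the
    cause from the Causes section that accounts for any mismatch."""
    sent = urlsplit(sent_redirect_uri(authorize_url))
    reg = urlsplit(registered_redirect_uri(cdsso_root_url, cdsso_redirect_uri))
    if sent == reg:
        return "ok"
    if reg.path.startswith("//"):
        return "extra leading slash in CDSSO Redirect URI"
    if sent.scheme != reg.scheme:
        return "protocol mismatch between resource URL and Agent Root URL for CDSSO"
    if sent.hostname == reg.hostname and sent.port != reg.port:
        return "port mismatch (default port present on one side only)"
    return "other mismatch"


if __name__ == "__main__":
    for root, path in [("http://host2.example.net:80/", "agent/cdsso-oauth2"),
                       ("https://host2.example.net:80/", "agent/cdsso-oauth2"),
                       ("http://host2.example.net:80/", "/agent/cdsso-oauth2"),
                       ("http://host2.example.net", "agent/cdsso-oauth2")]:
        print(f"{root!r:36} {path!r:22} -> {diagnose(AUTHORIZE_URL, root, path)}")
```

The last case is the IG situation from the Note: once IG drops the default port on one side, host and path agree but the port does not.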

See Also

redirect_uri_mismatch error occurs when using AM (All versions) as an OAuth 2.0 / OpenID client or provider

Unable to retrieve certificate with alias 'test' from keystore after making changes to the keystore in AM (All versions)

Agents and policies in AM

Properties by Function (Web)

Properties by Function (Java)

Request Process Flow

Related Training

N/A

Related Issue Tracker IDs

OPENAM-15363 (Redirect_uri_mismatch error occurs in Agent 5.x after upgrading from OpenAM 13.5.0 to AM 6.5.2)

OPENAM-12531 (Running webagent 5.0.0 against OpenAM 5.5.1 which is upgraded from previous version will result in segmentation fault or crash)


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.