redirect_uri_mismatch error occurs after upgrading to, or installing Web Agents 5.x

Last updated Jul 9, 2018

The purpose of this article is to provide assistance if you encounter a "redirect_uri_mismatch The redirection URI provided does not match a pre-registered value" after upgrading to, or installing Web Agents 5.x.


The following error is shown in the browser when accessing the resource protected by the agent:

redirect_uri_mismatch The redirection URI provided does not match a pre-registered value.

You are then redirected to the login URL, which is in a similar format to this example URL:

Recent Changes

Upgraded to, or installed Web Agents 5.x.


CDSSO improvements in Agents 5 means CDSSO is the only SSO mode used by agents; it is achieved using the OAuth 2.0 protocol and the oauth2/authorize endpoint. See Release Notes › Major Improvements for further information.

Where there is a mismatch between the protocols used to access the resource and the one the agent is configured against (for example, you are accessing a resource with a URL that uses the https protocol but you configured your agent with a URL that uses the http protocol), the hidden OAuth2 agent does not understand the redirection URL and prevents access as a security precaution.


This issue can be resolved by setting the root URL for CDSSO to the redirection URL in the following format: protocol://host:port/. For the example URL shown in the Symptoms section, you would specify the following root URL:

You can set the root URL for CDSSO using either the console, Amster or ssoadm:

  • Console: navigate to: Realms > [Realm Name] > Applications > Agents > Web > [Agent Name] > Global > Agent Root URL for CDSSO and specify the redirection URL.
  • Amster: follow the steps in How do I update property values in AM (All versions) using Amster?with these values:
    • Entity: WebAgents
    • Property: cdssoRootUrl
  • ssoadm: enter the following command:
    $ ./ssoadm update-agent -e [realmname] -b [agentname] -u [adminID] -f [passwordfile] -a sunIdentityServerDeviceKeyValue[0]=agentRootURL=[redirectionURL]
    replacing [realmname], [agentname], [adminID], [passwordfile] and [redirectionURL] with appropriate values.

See Also

redirect_uri_mismatch error occurs when using AM/OpenAM (All versions) as an OAuth 2.0 / OpenID client or provider

Unable to retrieve certificate with alias 'test' from keystore after making changes to the keystore in AM (All versions)

Agents and policies in AM/OpenAM

User Guide › Configuring Global Properties

User Guide › Request Process Flow

Related Training


Related Issue Tracker IDs

AMAGENTS-1538 (document redirect_uri_mismatch )

Copyright and TrademarksCopyright © 2018 ForgeRock, all rights reserved.