
redirect_uri_mismatch error occurs after upgrading to, or installing Web Agents 5.x

Last updated Oct 31, 2019

The purpose of this article is to provide assistance if you encounter the error "redirect_uri_mismatch The redirection URI provided does not match a pre-registered value" after upgrading to, or installing, Web Agents 5.x. You may also encounter this issue after upgrading to AM 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2 or 6.5.2.1.


Symptoms

The following error is shown in the browser when accessing the resource protected by the agent:

redirect_uri_mismatch The redirection URI provided does not match a pre-registered value.

You are then redirected to the login URL, which is in a similar format to this example URL:

https://host1.example.com:8443/openam/oauth2/authorize?response_type=id_token&scope=openid&client_id=myWebAgent&redirect_uri=http%3A%2F%2Fhost2.example.net%3A80%2Fagent%2Fcdsso-oauth2&state=475c3531-e74d-ff40-9792-83ebc25d2c77&nonce=95B1765FC776BBEFF70EBCB73782A15E&response_mode=form_post&agent_provider=true&agent_realm=%2F

Recent Changes

Upgraded to, or installed Web Agents 5.x.

Upgraded to AM 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2 or 6.5.2.1.

Causes

CDSSO improvements in Agents 5 mean that CDSSO is the only SSO mode used by agents; it is achieved using the OAuth 2.0 protocol and the oauth2/authorize endpoint. See Release Notes › Major Improvements for further information.

Where there is a mismatch between the protocol used to access the resource and the protocol the agent is configured with (for example, you access a resource with a URL that uses the https protocol, but you configured your agent with a URL that uses the http protocol), the hidden OAuth2 agent does not recognize the redirection URL and prevents access as a security precaution.

Additionally, this issue can occur after upgrading to certain AM 6 versions, where an extra forward slash (/) is inadvertently included at the start of the CDSSO Redirect URI, which prevents access.
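The following added diagnostic (example code written for this article, not part of AM or the agent) parses the redirect_uri out of a login URL like the one in the Symptoms section and compares it with the value the agent would have registered. It assumes the registered value is the Agent Root URL for CDSSO joined with the CDSSO Redirect URI by a single slash, so a redirect URI that starts with "/" yields a double slash; the sample login URL is constructed from the example above.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample login URL, shortened from the Symptoms section of this article.
LOGIN_URL = (
    "https://host1.example.com:8443/openam/oauth2/authorize?response_type=id_token"
    "&scope=openid&client_id=myWebAgent"
    "&redirect_uri=http%3A%2F%2Fhost2.example.net%3A80%2Fagent%2Fcdsso-oauth2"
    "&state=475c3531-e74d-ff40-9792-83ebc25d2c77&response_mode=form_post"
)

DEFAULT_PORTS = {"http": 80, "https": 443}


def redirect_uri_from_login_url(login_url):
    """Return the URL-decoded redirect_uri parameter of an oauth2/authorize request."""
    query = parse_qs(urlsplit(login_url).query)
    return query["redirect_uri"][0]


def expected_redirect_uri(agent_root_url, cdsso_redirect_uri):
    """Assumed registered value: Agent Root URL for CDSSO + '/' + CDSSO Redirect URI.
    A redirect URI that already starts with '/' therefore produces a double slash."""
    return agent_root_url.rstrip("/") + "/" + cdsso_redirect_uri


def _port(parts):
    # Treat an omitted port as the scheme's default so http://h and http://h:80 compare equal.
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def check_redirect_uri(login_url, agent_root_url, cdsso_redirect_uri):
    """Return the list of mismatch reasons; an empty list means the redirect_uri would match."""
    actual = urlsplit(redirect_uri_from_login_url(login_url))
    registered = urlsplit(expected_redirect_uri(agent_root_url, cdsso_redirect_uri))
    problems = []
    if actual.scheme != registered.scheme:
        problems.append(f"protocol mismatch: request uses {actual.scheme}, agent registered {registered.scheme}")
    if actual.hostname != registered.hostname:
        problems.append(f"host mismatch: {actual.hostname} vs {registered.hostname}")
    if _port(actual) != _port(registered):
        problems.append(f"port mismatch: {_port(actual)} vs {_port(registered)}")
    if cdsso_redirect_uri.startswith("/"):
        problems.append(f"CDSSO Redirect URI starts with '/', giving path {registered.path}")
    elif actual.path != registered.path:
        problems.append(f"path mismatch: {actual.path} vs {registered.path}")
    return problems


if __name__ == "__main__":
    for reason in check_redirect_uri(LOGIN_URL, "https://host2.example.net:80", "/agent/cdsso-oauth2"):
        print(reason)
```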

Solution

This issue can be resolved by ensuring both the Agent Root URL for CDSSO and CDSSO Redirect URI are set correctly. AM 6.5.2.2 and later correctly sets the CDSSO Redirect URI without the extra forward slash.

Agent Root URL for CDSSO

Ensure the root URL for CDSSO is set to the redirection URL in the following format: protocol://host:port/. For the example URL shown in the Symptoms section, you would specify the following root URL:

http://host2.example.net:80

You can set the root URL for CDSSO using either the console, Amster or ssoadm:

  • Console: navigate to: Realms > [Realm Name] > Applications > Agents > Web > [Agent Name] > Global > Agent Root URL for CDSSO and specify the redirection URL.
  • Amster: follow the steps in How do I update property values in AM (All versions) using Amster? with these values:
    • Entity: WebAgents
    • Property: cdssoRootUrl
  • ssoadm: enter the following command:
    $ ./ssoadm update-agent -e [realmname] -b [agentname] -u [adminID] -f [passwordfile] -a sunIdentityServerDeviceKeyValue[0]=agentRootURL=[redirectionURL]
    replacing [realmname], [agentname], [adminID], [passwordfile] and [redirectionURL] with appropriate values.

CDSSO Redirect URI

The URI should not start with a forward slash, for example, the default value is:

agent/cdsso-oauth2

If it starts with a forward slash (for example, /agent/cdsso-oauth2), you will need to remove the forward slash using either the console, Amster or ssoadm: 

  • Console: navigate to: Realms > [Realm Name] > Applications > Agents > Web > [Agent Name] > SSO > CDSSO Redirect URI and remove the / at the start of the URI. 
  • Amster: follow the steps in How do I update property values in AM (All versions) using Amster? with these values:
    • Entity: WebAgents
    • Property: com.sun.identity.agents.config.cdsso.redirect.uri
  • ssoadm: enter the following command:
    $ ./ssoadm update-agent -e [realmname] -b [agentname] -u [adminID] -f [passwordfile] -a com.sun.identity.agents.config.cdsso.redirect.uri=[redirectURI]
    replacing [realmname], [agentname], [adminID], [passwordfile] and [redirectURI] with appropriate values.

See Also

redirect_uri_mismatch error occurs when using AM/OpenAM (All versions) as an OAuth 2.0 / OpenID client or provider

Unable to retrieve certificate with alias 'test' from keystore after making changes to the keystore in AM (All versions)

Agents and policies in AM/OpenAM

User Guide › Configuring Global Properties

User Guide › Request Process Flow

Related Training

N/A

Related Issue Tracker IDs

OPENAM-15363 (Redirect_uri_mismatch error occurs in Agent 5.x after upgrading from OpenAM 13.5.0 to AM 6.5.2)

AMAGENTS-1538 (document redirect_uri_mismatch)

OPENAM-12531 (Running webagent 5.0.0 against OpenAM 5.5.1 which is upgraded from previous version will result in segmentation fault or crash)

Copyright © 2019 ForgeRock, all rights reserved.