redirect_uri_mismatch error occurs when using AM (All versions) as an OAuth 2.0 or OpenID client or provider
The purpose of this article is to provide assistance if you receive a "redirect_uri_mismatch" error (Description: The redirection URI provided does not match a pre-registered value) when using AM as an OAuth 2.0 / OpenID client and/or provider.
Symptoms
The following error is shown in the browser:
Error: redirect_uri_mismatch
Description: The redirection URI provided does not match a pre-registered value.
Recent Changes
Implemented a Social Authentication module (OAuth 2.0 or OpenID Connect 1.0) to make AM an OAuth2 / OpenID client.
Configured AM as an OAuth Authorization Server (with or without the OpenID Connect authentication layer) to make AM an OAuth2 / OpenID provider. In this setup, you would also have configured OAuth 2.0/OpenID Connect Client agents to connect to and use your authorization server.
Added an AngularJS based application to your OAuth / OpenID setup.
Causes
The redirection URI is missing, it contains a fragment (#), which the OAuth 2.0 standard forbids, or the redirection URI parameter being sent does not exactly match the one registered for your client.
The default routing mode in AngularJS is hashbang (#!), which includes these fragments in the redirection URI.
Solution
This issue can be resolved by ensuring the redirection URI is the same in both the client and provider, and the endpoint URI does NOT contain a fragment per RFC 6749. If a fragment is unavoidable, you can try URL encoding it.
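The check below, added here as an illustration and not AM's own code, shows the three conditions from the Causes section applied the way an authorization server applies them: a missing redirect_uri, a fragment in the URI, or anything other than a byte-for-byte match against a registered value produces redirect_uri_mismatch. The client ID and registered URIs are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed sample registration: one client with two registered redirection
# URIs, in the form an AM provider stores under
# com.forgerock.openam.oauth2provider.redirectionURIs[n]. Values are made up.
REGISTERED_REDIRECT_URIS = {
    "demo-client": [
        "https://am1.example.com:443/%23/app",
        "https://am2.example.com:8443",
    ],
}


def check_redirect_uri(client_id, redirect_uri):
    """Return (ok, reason) for a redirect_uri sent to the authorization endpoint.

    RFC 6749 section 3.1.2 forbids a fragment in the redirection endpoint URI,
    and section 3.1.2.2 requires the provider to compare the value against the
    registered one exactly, so no normalisation (trailing slash, case, default
    port) is applied here on purpose.
    """
    if not redirect_uri:
        return False, "redirect_uri is missing"
    # urlsplit() reports an empty fragment for a bare trailing '#', so check
    # both the parsed fragment and the raw string.
    if urlsplit(redirect_uri).fragment or redirect_uri.endswith("#"):
        return False, "redirect_uri must not contain a fragment"
    registered = REGISTERED_REDIRECT_URIS.get(client_id, [])
    if redirect_uri not in registered:
        return False, "redirect_uri does not match a pre-registered value"
    return True, "ok"


if __name__ == "__main__":
    # The AngularJS hashbang route fails on the fragment; the %23-encoded form
    # passes only because it was registered in exactly that form.
    for uri in ("https://am1.example.com:443/#!/app",
                "https://am1.example.com:443/%23/app",
                "https://am2.example.com:8443/"):
        print(uri, check_redirect_uri("demo-client", uri))
```

Note that the trailing-slash variant of a registered URI is rejected, which is the most common cause of a mismatch between the client and provider configuration.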
Refer to the following subsections depending on what you are trying to achieve and your AM version:
- Change the redirection URI if AM is the client
- Change the redirection URI if AM is the provider
- URL encode the endpoint URI
Note
If you have multiple attribute values for ssoProxyUrl or iplanet-am-auth-oauth-sso-proxy-url when changing the redirection URI via ssoadm, you can use -D [datafile] instead of -a to add the attribute values from a file. See How do I add multiple attributes with a single ssoadm command in AM (All versions)? for further information.
Changing the redirection URI if AM is the OAuth client
You can change the redirection URI at the global or realm level if AM is the OAuth client using either the AM admin UI or ssoadm:
- Global level:
- AM admin UI: navigate to: Configure > Authentication > Social Auth OAuth2 > Proxy URL and specify the redirection URI.
- ssoadm: enter the following command:
$ ./ssoadm set-attr-defs -s iPlanetAMAuthSocialAuthOAuth2Service -t organization -u [adminID] -f [passwordfile] -a ssoProxyUrl=[URI]
replacing [adminID], [passwordfile] and [URI] with appropriate values.
- Realm level:
- AM admin UI: navigate to: Realms > [Realm Name] > Authentication > Modules > [Social Auth OAuth2 Module] > Proxy URL and specify the redirection URI.
- ssoadm: enter the following command:
$ ./ssoadm update-auth-instance -u [adminID] -f [passwordfile] -e [realmname] -m [modulename] -a ssoProxyUrl=[URI]
replacing [adminID], [passwordfile], [realmname], [modulename] and [URI] with appropriate values.
Changing the redirection URI if AM is the OpenID client
You can change the redirection URI at the global or realm level if AM is the OpenID client using either the AM admin UI or ssoadm:
- Global level:
- AM admin UI: navigate to: Configure > Authentication > Social Auth OpenID > Proxy URL and specify the redirection URI.
- ssoadm: enter the following command:
$ ./ssoadm set-attr-defs -s iPlanetAMAuthSocialAuthOpenIDService -t organization -u [adminID] -f [passwordfile] -a ssoProxyUrl=[URI]
replacing [adminID], [passwordfile] and [URI] with appropriate values.
- Realm level:
- AM admin UI: navigate to: Realms > [Realm Name] > Authentication > Modules > [Social Auth OpenID Module] > Proxy URL and specify the redirection URI.
- ssoadm: enter the following command:
$ ./ssoadm update-auth-instance -u [adminID] -f [passwordfile] -e [realmname] -m [modulename] -a ssoProxyUrl=[URI]
replacing [adminID], [passwordfile], [realmname], [modulename] and [URI] with appropriate values.
Changing the redirection URI if AM is the provider
You can change the redirection URI if AM is the provider using either the AM admin UI or ssoadm:
- AM admin UI: navigate to Realms > [Realm Name] > Applications > OAuth 2.0 > [Client ID] > Redirection URIs and specify one or more valid redirection URIs.
- ssoadm: enter the following command:
$ ./ssoadm update-agent -e [realmname] -b [clientname] -u [adminID] -f [passwordfile] -a com.forgerock.openam.oauth2provider.redirectionURIs[0]=[URI]
replacing [realmname], [clientname], [adminID], [passwordfile] and [URI] with appropriate values. You can add as many redirection URIs as required by adding multiple com.forgerock.openam.oauth2provider.redirectionURIs[n] properties separated by a space, ensuring that [n] increments for each additional redirection URI. For example:
com.forgerock.openam.oauth2provider.redirectionURIs[0]=https://am1.example.com:443/%23/app com.forgerock.openam.oauth2provider.redirectionURIs[1]=https://am2.example.com:8443
If multiple redirection URIs are registered, the client must specify the URI that the user should be redirected to following approval.
Note
You must ensure both the client and provider use the same redirection URI. If AM is being used for both the client and provider, you should set the same URI in both places as detailed above.
URL encoding the endpoint URI
You can try URL encoding the endpoint URI if a fragment is unavoidable. For example, a URL that currently looks like:
https://am.example.com:8443/#/app
should be changed to:
https://am.example.com:8443/%23/app
Note
URL encoding does not always work with an AngularJS based application, because AngularJS needs the # to route internally. You can work around this by using a redirection URI without the fragment: for example, a JSP page that interprets the request and appends the required #/<route> to the URI before the request reaches your application, or a component such as IG. IG cannot intercept # fragments either, so it also needs to receive requests without the #.
See Also
OAuth 2.0 Authorization Framework RFC 6749 (Section 3.1.2.2) Registration Requirements
OpenID Connect Core 1.0 - Redirect URI Fragment Handling Implementation Notes
Related Training
N/A
Related Issue Tracker IDs
N/A