Error in redirect_uri?
Created by: LucasCioffi
Gemfile:
gem 'omniauth-google-oauth2'
Gemfile.lock:
    omniauth-oauth (1.1.0)
      oauth
      omniauth (~> 1.0)
    omniauth-oauth2 (1.4.0)
      oauth2 (~> 1.0)
      omniauth (~> 1.2)
    omniauth-google-oauth2 (0.2.8)
      addressable (~> 2.3)
      jwt (~> 1.0)
      multi_json (~> 1.3)
      omniauth (>= 1.1.1)
      omniauth-oauth2 (>= 1.1.1)
The gem was working for about 2 years and this week I'm seeing this error in my production log when a user attempts to sign in via Google:
Started GET "/auth/google_oauth2/callback?state=321&code=4/ABCDEF" for [ip address] at 2016-01-07 18:03:06 +0000
2016-01-07T18:03:06.491015+00:00 app[web.2]: (google_oauth2) Callback phase initiated.
(google_oauth2) Authentication failure! invalid_credentials: OAuth2::Error, redirect_uri_mismatch:
{
"error" : "redirect_uri_mismatch"
}
When the user gets to the Google page, this is the URL in the browser's address bar (which I believe is generated by the gem):
https://accounts.google.com/AccountChooser?continue=
https%3A%2F%2Faccounts.google.com%2Fo%2Foauth2%2Fauth%3Faccess_type%3Doffline%26scope%3Demail%2Bprofile%26response_type%3Dcode%26redirect_uri%3D
https%3A%2F%2Fmysite.com%2Fauth%2Fgoogle_oauth2%2Fcallback%26state%XYZ%26client_id%123.apps.googleusercontent.com%26hl%3Den%26from_login%3D1%26as%3D-ABC&btmpl=authsub&hl=en
Here is the URL un-encoded:
https://accounts.google.com/AccountChooser?continue=
https://accounts.google.com/o/oauth2/auth?access_type=offline&scope=email+profile&response_type=code&redirect_uri=
https://mysite.com/auth/google_oauth2/callback&state=XYZ&client_id=123.apps.googleusercontent.com&hl=en&from_login=1&as=-ABC&btmpl=authsub&hl=en
Is there an error in the generated URL? Should the URL include callback&state= or callback?state=, or is there some other problem? The log shows a ? rather than a &, so maybe Google swaps them out when it processes the request and sends it back to my server.
In my Google developer console, I have this:
Authorized redirect URIs:
("Must have a protocol. Cannot contain URL fragments or relative paths. Cannot be a public IP address.")
https://mysite.com/auth/google_oauth2/callback
http://mysite.com/auth/google_oauth2/callback
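A check for the two questions raised above, written as an added example (not the reporter's code and not part of omniauth-google-oauth2): it decodes the nested AccountChooser URL to see which redirect_uri Google actually received, compares it byte-for-byte against the console entries the way Google does, and shows why the callback comes back with "?state=" even though the authorization URL showed "&state=". The host, client_id and state values are the placeholders from the issue; the sample URL is constructed to match its structure.

```ruby
require "uri"
# Redirect URIs registered in the Google developer console (host is the
# placeholder from the issue, not a real site).
AUTHORIZED_REDIRECT_URIS = [
  "https://mysite.com/auth/google_oauth2/callback",
  "http://mysite.com/auth/google_oauth2/callback",
].freeze
# Constructed stand-in for the address-bar URL quoted in the issue: the real
# authorization request sits percent-encoded inside the `continue` parameter.
INNER_AUTH_URL = "https://accounts.google.com/o/oauth2/auth?" + URI.encode_www_form(
  access_type: "offline", scope: "email profile", response_type: "code",
  redirect_uri: "https://mysite.com/auth/google_oauth2/callback",
  state: "XYZ", client_id: "123.apps.googleusercontent.com")
SAMPLE_URL = "https://accounts.google.com/AccountChooser?" +
  URI.encode_www_form(continue: INNER_AUTH_URL, btmpl: "authsub", hl: "en")

# Decode twice (outer AccountChooser query, then the inner auth query) and
# return the redirect_uri exactly as Google received it.
def redirect_uri_from_account_chooser(url)
  outer = URI.decode_www_form(URI(url).query).to_h
  inner = URI.decode_www_form(URI(outer.fetch("continue")).query).to_h
  inner.fetch("redirect_uri")
end

# Google matches redirect_uri byte-for-byte against the console entries;
# name the first difference that would produce redirect_uri_mismatch.
def diagnose(redirect_uri, authorized = AUTHORIZED_REDIRECT_URIS)
  return "exact match" if authorized.include?(redirect_uri)
  got = URI(redirect_uri)
  return "redirect_uri must not carry a query string" if got.query
  return "trailing slash differs" if authorized.any? { |a| a.chomp("/") == redirect_uri.chomp("/") }
  regs = authorized.map { |a| URI(a) }
  return "host #{got.host} not registered" if regs.none? { |u| u.host == got.host }
  same_origin = regs.any? { |u| [u.scheme, u.host, u.port] == [got.scheme, got.host, got.port] }
  return "scheme/port #{got.scheme}://#{got.host}:#{got.port} not registered" unless same_origin
  "path #{got.path} not registered"
end

# After consent Google redirects to the registered URI with its own parameters
# appended ("?" when the registered URI has no query, "&" otherwise). The
# "&state=" in the authorization URL is just the next request parameter.
def expected_callback(redirect_uri, code:, state:)
  redirect_uri + (URI(redirect_uri).query ? "&" : "?") +
    URI.encode_www_form(state: state, code: code)
end
```

The redirect_uri in the issue's URL decodes to exactly the first console entry, so if the error persists the mismatch is in what the app sends today (scheme, host, port, path or an added query string), not in the "&" versus "?" placement.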