15

I have implemented Google OAuth on the site (example.com). Everything works fine except auth from subdomains on my site (I have thousands of subdomains). When the user tries to authorize via a subdomain, for example

fr.example.com
product1.example.com
product2.de.example.com

I receive an error from Google -

The redirect URI in the request did not match a registered redirect URI

How could it be solved?

alexanoid
  • 24,051
  • 54
  • 210
  • 410

5 Answers

14

The other answers have already clarified that the cause of the troubles is that Google's OpenAuth doesn't support wild card sub domains. However, what you're asking is how can it be solved? Well, you have two choices, according to this email thread:

  1. Provide a single OAuth2 handling endpoint for all subdomains. That is, you'd have a main domain and endpoint, via which you do authentication also for the sub domains. When done authenticating, you redirect back to the sub domain. There's supposedly an OpenAuth state parameter, in which you can encode the sub domain name. This is what I did, here's the code: https://github.com/debiki/debiki-server/blob/master/app/controllers/LoginWithOpenAuthController.scala

  2. You can have each sub domain register independently with Google.

Which option you'll choose depends on which brand the Google users are asked to approve. The main domain, or a sub domain?

KajMagnus
  • 11,308
  • 15
  • 79
  • 127
  • 1
    "You can have each sub domain register independently with Google" How? – Jon Abrams Jul 10 '15 at 17:54
  • As far as I remember, when you configure OpenAuth in Google Developer Tools, you also specify an OpenAuth endpoint at your server. Then, list the sub domains you'd like to use, e.g.: `https://sub.domain.com/authenticate/google`, `https://sub2.domain.com/authenticate/google` and so on. Which might be complicated if you need to do this automatically. I don't know if Google has any API for automatically adding OpenAuth endpoints. – KajMagnus Jul 10 '15 at 19:00
  • 2
    I didn't do that however. Instead, when a user is on `*.domain.com`, e.g. `sub5.domain.com`, I redirect him/her to `login.domain.com` and log in via that domain. So the only endpoint I've listed in Google OpenAuth is `https://login.domain.com/authenticate/google`. And when someone logs in, Google always asks if s/he wants to trust *that* domain, not `sub5`. Via cookies and a server side cache and redirects, I then ensure the user gets logged in at `sub5`. – KajMagnus Jul 10 '15 at 19:02
  • Please add a +1 to the issue tracker if you need subdomain or api support https://issuetracker.google.com/issues/35898945 – squirtgun Jul 31 '22 at 13:37
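As an added illustration of the single-endpoint approach described in this answer (this is not code from the answer or from the linked debiki project), the following Python shows how a central `login.example.com` endpoint can carry the originating subdomain in the OAuth `state` parameter, sign it, bind it to a per-session nonce, and on callback re-validate the subdomain against the parent domain before redirecting the user back. The domain names, the `/auth/complete` path and the signing secret are constructed placeholders; the only redirect URI registered with Google in this model is the central one.

```python
import base64
import hashlib
import hmac
import json
import re
import secrets
from urllib.parse import urlencode

# Constructed configuration for this example; replace with real values.
PARENT_DOMAIN = "example.com"
CENTRAL_REDIRECT_URI = "https://login.example.com/authenticate/google"  # the one URI registered with Google
STATE_SECRET = b"constructed-secret-for-demo-only"  # in production: a random key from your secret store

# One or more DNS hostname labels (letters, digits, hyphens; no leading/trailing hyphen, no underscores).
_LABELS = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)(?:\.(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?))*$"
)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def subdomain_of(host: str) -> str:
    """Return the label(s) of host below PARENT_DOMAIN, e.g. 'product2.de'; raise if it is not ours."""
    host = host.lower().split(":", 1)[0]  # drop any port
    suffix = "." + PARENT_DOMAIN
    if not host.endswith(suffix):
        raise ValueError("host is not under the parent domain")
    labels = host[: -len(suffix)]
    if not _LABELS.match(labels):
        raise ValueError("invalid subdomain labels")
    return labels


def build_state(host: str, secret: bytes = STATE_SECRET) -> tuple:
    """Create an HMAC-signed state carrying the subdomain and a CSRF nonce.

    Returns (state, nonce). The nonce is stored in the session on login.example.com
    so the callback can confirm the response belongs to this browser.
    """
    nonce = secrets.token_urlsafe(16)
    payload = json.dumps({"sub": subdomain_of(host), "n": nonce}, separators=(",", ":")).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig), nonce


def authorize_url(host: str, client_id: str, secret: bytes = STATE_SECRET) -> tuple:
    """Build the Google authorization URL for a user who arrived on `host`."""
    state, nonce = build_state(host, secret)
    params = {
        "client_id": client_id,
        "redirect_uri": CENTRAL_REDIRECT_URI,  # always the central URI, never the subdomain
        "response_type": "code",
        "scope": "openid email",
        "state": state,
    }
    return "https://accounts.google.com/o/oauth2/v2/auth?" + urlencode(params), nonce


def parse_state(state: str, session_nonce: str, secret: bytes = STATE_SECRET) -> str:
    """Verify the callback's state and return the URL to send the user back to.

    Raises ValueError on a tampered signature, a nonce mismatch (CSRF), or an
    unexpected subdomain. The target URL is rebuilt from validated labels, so
    a forged state cannot turn the callback into an open redirect.
    """
    try:
        payload_b64, sig_b64 = state.split(".", 1)
        payload = _unb64(payload_b64)
        given_sig = _unb64(sig_b64)
    except Exception:
        raise ValueError("malformed state")
    expected_sig = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, given_sig):
        raise ValueError("bad state signature")
    data = json.loads(payload)
    if not hmac.compare_digest(str(data.get("n", "")), session_nonce):
        raise ValueError("state nonce mismatch (possible CSRF)")
    labels = str(data.get("sub", ""))
    if not _LABELS.match(labels):  # re-check; never trust the decoded value blindly
        raise ValueError("invalid subdomain in state")
    return "https://%s.%s/auth/complete" % (labels, PARENT_DOMAIN)
```

On the callback, after `parse_state` succeeds the server exchanges the `code` for tokens as usual and then redirects to the returned URL; how the resulting session is handed to the subdomain (the "cookies and a server side cache" the commenter mentions) is a separate step not shown here.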
12

That's because Google's OAuth does not support wildcard subdomain matching. You can refer to more documentation here

anfab
  • 1,636
  • 11
  • 15
  • The linked page doesn't mention subdomains; do you remember where you read that Google's OAuth doesn't support subdomains? – KajMagnus Jul 19 '14 at 07:20
  • 2
    @KajMagnus It does support subdomains, just not wild card subdomain matching. Essentially the redirect_uri has to exactly match one of the values registered in the developer console. So you can add a bunch of redirect_uri's for your subdomains and it should work. – anfab Jul 19 '14 at 13:50
  • Thanks. (Wildcard subdomains was what I had in mind.) – KajMagnus Jul 19 '14 at 19:15
  • 3
    @anfab Do you know if it's possible to add redirect_uris through the google api, or does it have to be via the web interface? – Michiel de Mare Apr 11 '15 at 11:49
  • I've also experienced problems with underscores and hyphens in subdomains. Although they are technically valid, the Google OAuth system doesn't seem to permit them in authorized redirect URIs. I've not found anything in the documentation on this. – richplane Sep 02 '15 at 16:23
2

The redirect URI must exactly match one of the values listed for this project in the Google Developers Console (including the http or https scheme, case, and trailing '/'). So it will not support sub domains if you don't add them in Developers Console.

Owen Cao
  • 7,955
  • 2
  • 27
  • 35
0

That's because Google's OAuth does not support wildcard sub-domain matching. You can redirect all sub-domains to one static page and, after authenticating or getting the OAuth access token, return to your sub-domain page with the access token.

Raja
  • 1
0

In the Authorized JavaScript origins field, enter the origin for your app. You can enter multiple origins to allow for your app to run on different protocols, domains, or subdomains. You cannot use wildcards. In the example below, the second URL could be a production URL.

http://localhost:8080 or https://myproductionurl.example.com

https://developers.google.com/identity/sign-in/web/server-side-flow