
Even though I read numerous duplicate issues here on Stack Overflow, I still can't figure out for the life of me what I'm doing wrong.

Problem: I successfully receive an authorization code from, but when I request an access token using this code I get the following error:

{
  "error": "invalid_request",
  "error_description": "Invalid parameter value for redirect_uri: Missing scheme: http%3A%2F%2Flocalhost%3A3030%2Fgoogle%2Foauth2%2Fcallback"
}

Configuration:

  • I use http://localhost:3030/google/oauth2/callback as a callback URL

  • It's set up in the Google developer console.

  • This is a "raw curl" request that I send to obtain a token:

    curl --location --request POST 'https://oauth2.googleapis.com/token' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'code=4%2F0AY0e-g6zyewnsWjPEXoxZWawsp1E634ZlefYoBeYO1nXxBwjPQNCGVf7SGb4MxfNcjUApw' \
    --data-urlencode 'redirect_uri=http%3A%2F%2Flocalhost%3A3030%2Fgoogle%2Foauth2%2Fcallback' \
    --data-urlencode 'client_id=....' \
    --data-urlencode 'client_secret=....' \
    --data-urlencode 'grant_type=authorization_code'
    

    P.S. As you can see, I "UrlEncoded" redirect_uri as well as code since it does contain slashes. To be on the safe side, I tried to encode client_id, client_secret and grant_type as well, but since they only contain ASCII characters they came out the same.

What I have done:

  • Researched through similar problems on SO: jenkins issue, ios issue, php issue, missing http issue, nodejs issue - similar to this one followed up by discussion, this, that, and all other ones present here - will omit them for brevity.

  • I've tried to set

    • http://localhost/google/oauth2/callback:3030 as well as
    • http://127.0.0.1:3030/google/oauth2/callback and
    • http://127.0.0.1/google/oauth2/callback:3000 (although specifying a port in the end is super weird and changing localhost to 127.0.0.1, but was suggested in one of the similar threads), none of these worked.
  • Read all the docs from google

  • Played with OAuth2 Playground (where it works obviously), but doesn't work for me

  • Tried multiple variations for body + different content types: the same problem, but sometimes I also get

    {
      "error": "invalid_grant",
      "error_description": "Bad Request"
    }
    

Any help would be appreciated.

skryvets

1 Answer


After some time I was able to successfully obtain a token. Turns out that I didn't craft the request to the Google API correctly. Also, for the "curl" request it should be --data rather than --data-urlencode. The following request worked for me:

curl --request POST \
  --url https://oauth2.googleapis.com/token \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data code=4%2F0AY0e-g4TLGE7c7VyMe8-95baQzeh0uERiKuGnHG5Sqccb4MCsmJOzV_a2jSbI9bm62VZ6Q \
  --data redirect_uri=http%3A%2F%2Flocalhost%3A3030%2Fgoogle%2Foauth2%2Fcallback \
  --data client_id=********* \
  --data client_secret=********* \
  --data grant_type=authorization_code

or

curl --request POST \
  --url https://oauth2.googleapis.com/token \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data 'code=4%2F0AY0e-g4TLGE7c7VyMe8-95baQzeh0uERiKuGnHG5Sqccb4MCsmJOzV_a2jSbI9bm62VZ6Q&redirect_uri=http%3A%2F%2Flocalhost%3A3030%2Fgoogle%2Foauth2%2Fcallback&client_id=*********&client_secret=*********&grant_type=authorization_code'

One more observation: when you test, you can use the authorization code only once (for security reasons). Sometimes even if you send multiple "unsuccessful requests" with the same code, Google's API will reject all subsequent requests with that code (you need to go through the OAuth2 flow again to obtain a new one). The most "frustrating" part that confused me is that the response for the wrong code looks like this:

{
  "error": "invalid_grant",
  "error_description": "Bad Request"
}

instead of being something like "Code is not valid" or "Code has expired".

So, if you encounter the error above, it means the request was crafted correctly, but the code is wrong.

Dharman
skryvets
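
Why the question's request produced "Missing scheme", shown as an added example that is not part of the original question or answer: curl's --data-urlencode percent-encodes the value it is given, so a value that was already encoded is encoded a second time, and one round of decoding on the server leaves redirect_uri still encoded. The parameter values, the function names and the registered URI check below are constructed for illustration.

```python
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Constructed sample values; the code and client credentials are placeholders.
RAW = {
    "code": "4/0AY0e-EXAMPLE",
    "redirect_uri": "http://localhost:3030/google/oauth2/callback",
    "client_id": "CLIENT_ID_PLACEHOLDER",
    "client_secret": "CLIENT_SECRET_PLACEHOLDER",
    "grant_type": "authorization_code",
}


def encode_once(params):
    """Correct form body: every raw value is percent-encoded exactly once."""
    return urlencode(params, quote_via=quote)


def encode_twice(params):
    """Models --data-urlencode applied to values that were already encoded."""
    pre_encoded = {k: quote(v, safe="") for k, v in params.items()}
    return urlencode(pre_encoded, quote_via=quote)


def server_view(body):
    """Decode the body once, as a form parser on the receiving side does."""
    return {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}


def check_redirect_uri(body, registered):
    """List the problems with redirect_uri as the receiving side would see it."""
    seen = server_view(body).get("redirect_uri", "")
    problems = []
    if not urlsplit(seen).scheme:
        problems.append("missing scheme (still percent-encoded?): " + seen)
    if seen != registered:
        problems.append("does not match the registered redirect URI")
    return problems


if __name__ == "__main__":
    for name, build in (("once", encode_once), ("twice", encode_twice)):
        body = build(RAW)
        print(name, check_redirect_uri(body, RAW["redirect_uri"]) or "ok")
```

With curl, either pass the raw values to --data-urlencode or pass values that are already encoded to --data; mixing the two gives the double encoding modelled by `encode_twice`.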