"redirect_uri_mismatch" when exchanging access token under "popup" mode

Question

We build our web application and integrate with Google OAuth2 according to this doc Google Identity Services JavaScript SDK

We would like to use "popup" mode, but when trying to exchange access_token with authentication code, /token return error like "

{"error": "redirect_uri_mismatch","error_description": "Bad Request"}"

We have passed the redirect_url param when calling /token, and it is exactly the same one as configured on the credential page.

What's more weird is that when we switch to "redirect" mode, everything works fine. Same client_id, same client_secret, same grant_type, same redirect_uri.

I don't get it, it's like codes generated under redirect and popup mode are treated differently.

Any help? Thanks a lot!

The redirect uri must exactly match one you have registered in Google developer console for your project. The error message should tell you what is missing. Can you post the full error message as well as what you have set in google developer console. — Linda Lawton - DaImTo, Apr 22 '22 at 12:06
@DaImTo This is what I get from Google: {"error": "redirect_uri_mismatch","error_description": "Bad Request"}" — Eric Zheng, Apr 24 '22 at 01:54
@DeltaGeorge I specify the same one in "redirect" mode, in which everything works fine — Eric Zheng, Apr 24 '22 at 01:55
@EricZheng I encountered exactly the same error. Have you found a solution? — sgu, May 11 '22 at 01:20

score 7 · Accepted Answer · answered May 24 '22 at 15:14

7

Set the redirectUri in the OAuth2 client to "postmessage" to indicate that you've already sent the message.

It's an undocumented feature.

Google OAuth redirect_uri_mismatch when exchanging one-time-code for refresh token

answered May 24 '22 at 15:14

D.Cam

131
4

1

man, you really saved me! It works – Eric Zheng May 27 '22 at 15:14
i have been trying this but for some reason , it just doesn't work :/ – Tarun Rawat Jul 31 '23 at 13:59

Delta George · Answer 2 · 2022-04-24T06:11:05.667

2

As per doc you referenced, Google is not expecting a refirect_url in popup mode. Google will not send a redirect. Instead it will return auth code directly to your callback and the callback will have to send it to your server.

edited Apr 24 '22 at 06:11

answered Apr 24 '22 at 06:03

Delta George

2,560
2
17
11

1

Yes, but `redirect_url` is required when exchanging access_token with code – Eric Zheng Apr 24 '22 at 08:02
That is true.I am away from my laptop atm to try. Perhaps the library you are using sends another parameter that removes that requirement. Another option is to send an empty one, perhaps. – Delta George Apr 24 '22 at 08:09
@EricZheng that depends upon the grant type actually. Popup probably has an internal redirect uri set. – Linda Lawton - DaImTo Apr 24 '22 at 09:56
1

@DaImTo I have tried both sending an empty one and removing `redirect_url`, still don't work. What do you mean by "has an internal redirect uri set" ? I have also tried specifying "postmessage". – Eric Zheng Apr 28 '22 at 01:18

"redirect_uri_mismatch" when exchanging access token under "popup" mode

2 Answers2

Linked