invalid_redirect_uri
-
@robotdan Thanks. I have the raw email message, I just don't know how to see what is wrong with it.
Received: from 10.196.216.85 by atlas319.free.mail.bf1.yahoo.com with HTTPS; Fri, 14 May 2021 11:19:49 +0000 Return-Path: <010001796a9a9e93-d880d840-8578-4fbf-9cfa-e2fe054e3986-000000@amazonses.com> X-Originating-Ip: [54.240.8.241] Received-SPF: pass (domain of amazonses.com designates 54.240.8.241 as permitted sender) Authentication-Results: atlas319.free.mail.bf1.yahoo.com; dkim=pass header.i=@amazonses.com header.s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug; spf=pass smtp.mailfrom=amazonses.com; dmarc=unknown header.from=substantiator.com; X-Apparently-To: richardbernstein216@yahoo.com; Fri, 14 May 2021 11:19:49 +0000 X-YMailISG: RuEN7foWLDu9BhoVg1_uj0ZIWl3MAsheSKU0V8Ov.9FsKaEX xrAAWNrr8D1StRJTu4elf71kfaBhc1I7eqUJQeUplY6XYN2XU_.96BEgIcp7 RpVKGE3QaznUrFboVsXtT8Esf6tChUHtXHOvSDcq1ySeDEUvWaBJX6BZDzmB 7QFLHvkF6k2Fa21vy3yb3y_hdPGc.RpjQM2Xu6PzcS9s0fl8BXFwt7vQyDkC aNAnTmgPibrFvftqKxhMA018R_fa3OD_1Cx2ymowL_lPOvOwYlxzlYiHp6gB B.AMbM6eMtNX4_NfaS0MzcHIgbCZ342fWVIkx8QH5kFm8pkPp7.7OGhC4xQl lrIA8fxMJ5bALaPN2pfzkjn0a_TmU5cveMbVDIM7PdNPyTTYpgN8h6OCVoBm lCW66qZpuHBB8BndOg2cPsr1S_JEJjYtOp4.QW7Hi5.ngcr_w0SpnMuY4ob6 cuJEDKW_eHrN30geb0bgmveRT84g8.gZ1y8wuNjnYrBZDGJWhrzAq2aYLwvT DGhByPAxUDIN.eE.fL5T7kbHZEPn3zeIUV9vCvpdsYPSXMChhHG73A1FfoJW 9KjMNrTt.7SuyIG85b_PcMMn6cDtyEtNxliEeXWwIw4UWpXBlqZk_7J9FKkM da_IJmf8Nk5.RhZgV6s_z.2ldeHlmN_RfWdF3eQU8sd5n.29OrUowXSLQ2VA JEZP3ztIIFPWxBJ9onafe3F1PBoefTPAmufC2hYXpwFBTkINJdmRId2672Oq U21ZQgq2341SN0Kb5Dv1lAQ5Db9Cd3VHx8_QGZ.AOl15P9orL5bKzsn33H4i McPP1HsY_japIFdCy5EukFBStpirGhneoY5vW6PfEBTEd2USnLpSuWd8KHzu tv9cI6vVVJISkmW0FSD5pY5TKdYLrU1vFmR9SLZ7CbhlEIV3_LMnNAl_7Z6y mgYdNrD0qGojogB8zAtL8r78Wz8kgiDV4_UB5UNJ5rJypqmBfCkG..iOF8NT YvTPgjG_oPTHc0_TakpvQ0v9Tm3p3G20Gy9xhDuawxOq445JgJCE6mx_AfN8 SlVtKizLp1GwcmzwVkZO8X_E1DZqRXegeJ86KoO.mIAkFb7pkStYgAbY1zny _uDaWSqRUzLsPZz4bTJM5wyqWYrl4DwmZ73C6wnw6AFA9kiJE4x1PvFKlA-- Received: from 54.240.8.241 (EHLO a8-241.smtp-out.amazonses.com) by 10.196.216.85 with SMTPs (version=TLS1_2 cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256); Fri, 14 May 2021 11:19:49 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug; d=amazonses.com; t=1620991188; h=From:To:Message-ID:Subject:MIME-Version:Content-Type:Date:Feedback-ID; bh=HSdZTCdopKudE7gQLvMd7mhFaDyjWsxy1D6lCGlaXGg=; b=hJFNKihjTNSqR9HTquZmBuIEobuvLlQP02ypaee/aHylzTlFsJq55u+2vK+u/OGE /tyfh3hqWOyCy0CpwkEQsjX8Xv9I/YHz+sB1mqIxDhwse7LPzqZ+Kd9VmVkKqAJaSil xiI/dTVkV/Dhayive7Dc4YdTtyRdgc3+eu3JX1NU= From: admin <admin@substantiator.com> To: richardbernstein216@yahoo.com Message-ID: <010001796a9a9e93-d880d840-8578-4fbf-9cfa-e2fe054e3986-000000@email.amazonses.com> Subject: Login MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_Part_10_107303501.1620991187686" Date: Fri, 14 May 2021 11:19:48 +0000 Feedback-ID: 1.us-east-1./ToaGAJxWOVHrr4y6A5cU9krmMVcIKDbUUm+IkkffcM=:AmazonSES X-SES-Outgoing: 2021.05.14-54.240.8.241 Content-Length: 1850 ------=_Part_10_107303501.1620991187686 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit <body> <img src="35.153.28.164/assets/themes/default/images/Logo - Research Study Online-01.jpg?w=640" alt="img" /> <div> <a href="http://fusionauth.ngrok.io/oauth2/passwordless/YZKTNV6VE0VGJ9e_mKuWLjtokNtS44FcAvEM5kTG9Jk?tenantId=4272f95b-0989-4892-badc-0ef6b934885f&client_id=f603697d-41ea-4c53-ac2d-e935d5e34221&redirect_uri=35.153.28.164%2Findex.php%2FConfigure%2Freport_generator_amazing&response_type=code&scope=openid&state=richardbernstein216%40yahoo.com" target="_blank"> <button style="border: none; color: white; padding: 15px 32px; text-align: center; text-decoration: none; font-size: 16px; margin: 4px 2px; cursor: pointer; background-color: #008CBA;"> Click Here For Survey! </button> </a> </div> </body> ------=_Part_10_107303501.1620991187686 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: 7bit <meta charset="UTF-8"> <!doctype html> <body> <img src="http://35.153.28.164/assets/themes/default/images/Logo%20-%20Research%20Study%20Online-01.jpg?w=640" alt="img" /> <p>To log into ResearchStudyOnline please click the link.</p> <div> <a href="http://35.153.28.164:9011/oauth2/passwordless/YZKTNV6VE0VGJ9e_mKuWLjtokNtS44FcAvEM5kTG9Jk?tenantId=4272f95b-0989-4892-badc-0ef6b934885f&client_id=f603697d-41ea-4c53-ac2d-e935d5e34221&redirect_uri=35.153.28.164%2Findex.php%2FConfigure%2Freport_generator_amazing&response_type=code&scope=openid&state=richardbernstein216%40yahoo.com" target="_blank"> <button style="border: none; color: white; padding: 15px 32px; text-align: center; text-decoration: none; font-size: 16px; margin: 4px 2px; cursor: pointer; background-color: #008CBA;"> Click Here to Login! </button> </a> </div> </body> ------=_Part_10_107303501.1620991187686--
This one is using ngrok, just so I can test on my laptop.
-
Here is the
redirect_uri
in the email:&redirect_uri=35.153.28.164%2Findex.php%2FConfigure%2Freport_generator_amazing
This needs to be be
&redirect_uri=http://35...
-
@robotdan Yes, I know that needs to have http:// but I think I have it already!. Where do I specify that. Here is the application setup and you can see it there.
and here is the email template:
<meta charset="UTF-8"> <!doctype html> <body> <img src="http://35.153.28.164/assets/themes/default/images/Logo%20-%20Research%20Study%20Online-01.jpg?w=640" alt="img" /> <p>To log into ResearchStudyOnline please click the link.</p> [#setting url_escaping_charset="UTF-8"] [#-- The optional 'state' map provided on the Start Passwordless API call is exposed in the template as 'state' --] [#assign url = "http://35.153.28.164:9011/oauth2/passwordless/${code}?tenantId=${user.tenantId}" /] [#list state!{} as key, value][#if key != "tenantId" && value??][#assign url = url + "&" + key?url + "=" + value?url/][/#if][/#list] <div> <a href="${url}" target="_blank"> <button style="border: none; color: white; padding: 15px 32px; text-align: center; text-decoration: none; font-size: 16px; margin: 4px 2px; cursor: pointer; background-color: #008CBA;"> Click Here to Login! </button> </a> </div> </body>
It also has the http://
-
@richb201 I think I got it. There was a line in my code that was missing the http://. Thanks.
Now that I got that working, I do want to pass in the user's email address to the redirect uri. Is there an easy way to do that?
I have set $request["state"]["state"] = "$email" prior to doing the fusion doing the auth, so how do I get "state" inside my application? -
Can you provide a bit more context on why you want to do this on a URI? I am not sure what you want to store in "state".
The "state" variable, as I understand it, is available only on the forgot password FTL templates (doc, using the API, but the description is still applicable to your OAuth setup here)
My first thought was, perhaps you want to store "state" on a custom user data point and just query the user object when needed? But might need some more information to assist further.
Thanks,
Josh -
Hi. I actually want to pass in this user's email address to I can use it when I query my database to find the rest of his data. Can I do this without having to pass the email address manually?
-
If you are using the OAuth protocol, you should have access to this information.
I would try accessing the
userinfo
endpoint. The only requirement to get this information is the access token obtained through the OAuth process.https://fusionauth.io/docs/v1/tech/oauth/endpoints#userinfo
I hope this helps!
Thanks,
Josh -
OK I found:
retrieveUserInfoFromAccessToken($encodedJWT)What is the JWT?
This is how I am getting back to a method in my application:
http://35.153.28.164/index.php/Configure/passwordless_entry
Will the JWT come in a $_GET or a $_POST in that method, passwordless_entry?
-
https://fusionauth.io/learn/expert-advice/oauth/modern-guide-to-oauth/#tokens covers the use of JWT's.
https://fusionauth.io/docs/v1/tech/guides/passwordless/
covers how to set up Passwordless within FusionAuth. It also covers how this workflow handles JWT's.https://fusionauth.io/docs/v1/tech/apis/passwordless/#complete-a-passwordless-login
The Passwordless API.I hope that helps!
Josh
-
My user is getting the email that they can log in. Here is the raw email that the user is getting:
Received: from 10.253.233.84 by atlas107.free.mail.gq1.yahoo.com with HTTPS; Tue, 15 Jun 2021 13:39:59 +0000 Return-Path: <0100017a0fe672e1-2da23800-1edd-4c6e-9141-d233317fb630-000000@amazonses.com> X-Originating-Ip: [54.240.48.39] Received-SPF: pass (domain of amazonses.com designates 54.240.48.39 as permitted sender) Authentication-Results: atlas107.free.mail.gq1.yahoo.com; dkim=pass header.i=@amazonses.com header.s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug; spf=pass smtp.mailfrom=amazonses.com; dmarc=unknown header.from=substantiator.com; X-Apparently-To: richardbernstein219@yahoo.com; Tue, 15 Jun 2021 13:40:00 +0000 X-YMailISG: epGYStgWLDsWCq8pwIiTpGmtjoQrowrDPq9_3kwcKGZjFa2K an3s2H5MXNzeyAi4rGZAwWZcxtQooNv4lQDVsQyf_7S_tb_8j7zo4fy9usni yt.gFIFUAZQX04r9L7krXtPy.S6SY89ecopiN.8Z7eQn32Js3MC49OVEWBjD VNZFHEF6YRi2Pp8d3mZ3s7WyfkZqSGtb0AHovLlrvVU8wYEc45a_AkQYb2FP iXsH_ayxD4meychffezPfraH7o6acCPhlQQ8uzJ2Lq5i9RXfKyHPRXR9vK_2 zHJfJKLMqJW.q2ruRbtTIRdbg4dcM.xpVmfA6OVeCwAYOCsqxwl_tzyHcDN. aCbmMZVkji4efE8ie2Tl_qcKkdXgEjf6DgwWwrZ1rcozSywcvjpQJ2MH9tY6 b36wUZoCKi70cNYKf0VyYV3HgGrbhraj5VVIWz2pL8YsBYmA6F2RQkT.tMVh svLRVLpa7WQUffbFSx56XHEHZ0aZPBjj7IlwZD0VCI0gHXLriSVYd8UCWlGF Xa0NxEh6Gfn6ZsCXXCyV8CJGIr07PhzxkSkKNOBxdiHCRr4gGRkfFAcX09E9 6fH49yQycp0IBLG4bqMEXODX_jV3MtuzwlYFXN2AlO9GPf.BEbRDWsr7pekr x6Kb4NOeUzYxYZqXLt6e3OwdNLqm_vL0ouJcE1H4QzlChJCKh.oNWwlPG3Jp Df7Sehmw4kr0_GqMD3jltOgSOaWPbyq5loM4_GQ2WBSDcwRdATILDYftFTHd _sJST.PQ8MNWhjkhNolqcIoZLCQFmaywlupScahbaX9_u.KKePOTRa7N9GIu alOw3zSzgSjMV7M_IheYH1pfYHpenhr5Ix5W8sgh7N7y7vmTFJHa6Idpb74N LnN4Lq82dqqblfRxAuj02_9zCdO5bEUEWgWzIyIH39SH6x90WXYNmlq7fDC3 CcPVCvGE4C1SlEEKTw.Rwan28xhjt5XDGx5nFnH7sv5CSJBM7Am5FcSchaBs iBRa1elODLiFqzz2bzfyNWkUE8qMg0jFAOAqeYBQfwH_RqJhF1KYxE8ByWIO ZK2UAq7HzC.vUoMTu9WrCMRAhRYNXojDz49jSnYE0JJqCPNLAQlSS5CiRkYq NuxfzAkTqp8SulZHnQsc0t8LAON79HLeBFgZ2PRhaC3hhvDZP.aPcA.s Received: from 54.240.48.39 (EHLO a48-39.smtp-out.amazonses.com) by 10.253.233.84 with SMTPs (version=TLS1_2 cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256); Tue, 15 Jun 2021 13:39:59 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug; d=amazonses.com; t=1623764398; h=From:To:Message-ID:Subject:MIME-Version:Content-Type:Date:Feedback-ID; bh=T038Z0UwMACvG/0gtmtv6+gtfNJaQNFP1pWDpWOlJc8=; b=cfbsFJ50qkHtfbJ0PhX6ZVmobnhNebMyR8ddQ70Is9zzAY5KgHFPwUUpBAE8jYgy kCkcuDevKqiyXjAOG5O3DKf/Gw1saWX8vaWMLGB53Zm/ai6BuWAixYWvZ/0qeZh/eqd PTIqXg1Wm34VRiL/vtcxqR7ImQy8NHPWD9B8lovk= From: admin <admin@substantiator.com> To: richardbernstein219@yahoo.com Message-ID: <0100017a0fe672e1-2da23800-1edd-4c6e-9141-d233317fb630-000000@email.amazonses.com> Subject: Login MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_Part_18_571959732.1623764397561" Date: Tue, 15 Jun 2021 13:39:58 +0000 Feedback-ID: 1.us-east-1./ToaGAJxWOVHrr4y6A5cU9krmMVcIKDbUUm+IkkffcM=:AmazonSES X-SES-Outgoing: 2021.06.15-54.240.48.39 Content-Length: 1908 ------=_Part_18_571959732.1623764397561 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit <body> <img src="35.153.28.164/assets/themes/default/images/Logo - Research Study Online-01.jpg?w=640" alt="img" /> <div> <a href="http://fusionauth.ngrok.io/oauth2/passwordless/gXw-s8GL7gQpSkWTrdjnsFKExLfAuwIt3dErPkR2IEQ?tenantId=4272f95b-0989-4892-badc-0ef6b934885f&client_id=f603697d-41ea-4c53-ac2d-e935d5e34221&redirect_uri=http%3A%2F%2Fsubstantiator-survey.ngrok.io%2Findex.php%2FConfigure%2Freport_generator_amazing&response_type=code&scope=openid&state=richardbernstein219%40yahoo.com" target="_blank"> <button style="border: none; color: white; padding: 15px 32px; text-align: center; text-decoration: none; font-size: 16px; margin: 4px 2px; cursor: pointer; background-color: #008CBA;"> Click Here For Survey! </button> </a> </div> </body> ------=_Part_18_571959732.1623764397561 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: 7bit <meta charset="UTF-8"> <!doctype html> <body> <img src="http://35.153.28.164/assets/themes/default/images/Logo%20-%20Research%20Study%20Online-01.jpg?w=640" alt="img" /> <p>To log into ResearchStudyOnline please click the link.</p> <div> <a href="http://35.153.28.164:9011/oauth2/passwordless/gXw-s8GL7gQpSkWTrdjnsFKExLfAuwIt3dErPkR2IEQ?tenantId=4272f95b-0989-4892-badc-0ef6b934885f&client_id=f603697d-41ea-4c53-ac2d-e935d5e34221&redirect_uri=http%3A%2F%2Fsubstantiator-survey.ngrok.io%2Findex.php%2FConfigure%2Freport_generator_amazing&response_type=code&scope=openid&state=richardbernstein219%40yahoo.com" target="_blank"> <button style="border: none; color: white; padding: 15px 32px; text-align: center; text-decoration: none; font-size: 16px; margin: 4px 2px; cursor: pointer; background-color: #008CBA;"> Click Here to Login! </button> </a> </div> </body> ------=_Part_18_571959732.1623764397561--
When they click on the link in the email they get this error from fusionAuth
{ "error" : "invalid_request", "error_description" : "Invalid redirect uri http://substantiator-survey.ngrok.io/index.php/Configure/report_generator_amazing", "error_reason" : "invalid_redirect_uri" }
Is there any better description of the error reporting?
There is one detail I should mention here. The database is on mysql RDS which means that it is located on an AWS server. The user is interacting with the fusionAuth on my laptop. But when the user is being sent to the AWS server (35.153.28,164) to complete the interaction (http://35.153.28.164:9011/oauth2/passwordless) they are interacting with a copy of fusion auth running on the server. I would think (aka assuming) that this is ok since they are using the same dbase, but this is a question for your engineers.The error is showing http://substantiator-survey.ngrok.io which is the laptop is there any rule that the redirect URL and the FA app need to be on the same server?
-
Hi @richb201,
Based on the error description,
http://substantiator-survey.ngrok.io/index.php/Configure/report_generator_amazing
Needs to be configured in the OAuth server (I think this is what you said you were using previously) as your redirect URI (or the link needs to be modified to your redirect URI). Can you confirm that is the case? You can confirm by navigating to
Applications > OAuth > Redirect URI
If you have not changed your OAuth configuration since the last screenshot, it would seem that your redirect is set to
and not
http://substantiator-survey.ngrok.io/index.php/Configure/report_generator_amazing/There is one detail I should mention here. The database is on mysql RDS which means that it is located on an AWS server. The user is interacting with the fusionAuth on my laptop. But when the user is being sent to the AWS server (35.153.28,164) to complete the interaction (http://35.153.28.164:9011/oauth2/passwordless) they are interacting with a copy of fusion auth running on the server. I would think (aka assuming) that this is ok since they are using the same dbase, but this is a question for your engineers.
I am not entirely clear on the question, but if you, for instance, start an OAuth session (login workflow for instance) on a
laptop A browser
you will want to complete the OAuth authorization flow on that samelaptop A browser
. This may be part of your difficulty, but I would confirm the redirect first. We can do some additional troubleshooting if need be.Thanks,
Josh -
I have changed everything to point localhost. I have checked over the ID's and they seem OK. Here is the error I keep getting:
{
"error" : "invalid_request",
"error_description" : "Invalid redirect uri http://substantiator-survey.ngrok.io/index.php/Configure/report_generator_amazing",
"error_reason" : "invalid_redirect_uri"
}Here is the code. It sends the email just fine. When the receiver gets it and clicks on the link they get the above error. BTW, I have passwordless working fine in another application with another tenant.
At this point I want to switch over to having a user register with a password and be able to login. Can you point me to the proper Guide? I am looking for your basic registration and login. Nothing fancy. I am thinkin that I need to use multi tenant since I have a passwordless app running too. Right?
-
The bottom line is that the error says that the redirect URI is in error.
{
"error" : "invalid_request",
"error_description" : "Invalid redirect uri http://substantiator-survey.ngrok.io/index.php/Configure/report_generator_amazing",
"error_reason" : "invalid_redirect_uri"
}The error should say missing "X-FusionAuth-TenantId"
-
I needed to set $request["X-FusionAuth-TenantId"]=$_SESSION['tenantID_login'];
The documentation says that this is optional. But not in my case. Addendum: I ran it a few times and it worked ok. I went back into FA to change the location of the URL, saved it and again it doesn't work. This is just way too unstable for me to use passwordless w/o having a decent error message. I am going to switch over to passworded login, unfortunately. One more last question. When I get back the "code" do I need to manually convert it to a token, or is this done automatically?
On a regular old password method, I'd only like to allow them to log in if they are already on my email list. I have a way to check that. Is there some way to use a webhook to launch a check (of sendPulse) to make sure they are on my email list?
-
The documentation says that this is optional. But not in my case.
Can you elaborate on where you found this in the doc?
The error should say missing "X-FusionAuth-TenantId"
Can you elaborate on this?
When I get back the "code" do I need to manually convert it to a token, or is this done automatically?
You may want to review our OAuth guide. Using a OAuth2 flow, it is common to have two separate endpoints (
authorize
andtoken
) to obtain access. The "code" is returned from FusionAuth and is used (in conjunction with a few other possible factors) to obtain an access token (in our typescript client, this is theclient.exchangeOAuthCodeForAccessTokenUsingPKCE
function)We do have a few tutorials as well, that show this in action (nodeJS tutorial being one of them)
Lastly, for general housekeeping's sake, this thread is getting a bit long, with a few related posts clumped together. For future questions, if the question is unrelated to the posts immediately above, it might be good to open a new thread.