• Re: Invalid redirect uri

    I was having this problem about 18 months ago while working on a different part of the application. Now I am trying to do a passwordless to a gmail account and i am getting

      "error" : "invalid_request",
      "error_description" : "Invalid redirect uri",
      "error_reason" : "invalid_redirect_uri"

    At the tim ethe answer was that the email client that I was using for testing was mangling the email. But now I am using gmail. Can't be much more common than that!

    I don't see anything wrong with that uri. When I copy it and paste it into the browser it seems to work fine (except for missing some data, that I will take care of). In this case I am using a gmail account. 18 months ago there was a bug dealing with pre-fetch (see previous topic). Was that ever solved?

  • @richb201 said in invalid_redirect_uri:

    Dan, can you give me a hint on how to debug this? Is there a log somewhere that will tell me why this is failing? I am running under docker. Is Github the proper place to ask this?

  • @richb201 this is the right spot to ask.

    What does the list of redirect uris look like in your Application OAuth tab? For security reasons, you need to list every possible redirect_uri in full, so if it doesn't have the URL starting with, you'll need to add that.

  • This post is deleted!

  • @dan The info popup on that page says that if left empty, all addresses are accepted.

  • Is there a consultant I could hire to help me get this aspect of passwordless working? This is Docker.

  • @richb201 said in invalid_redirect_uri: is not equal to, that is why you are seeing the error. (or at least one reason).

    Ensure that when you begin the Authorization code grant, you pass in redirect_uri= The error would indicate that the http:// prefix is being omitted.

  • @richb201 Feel free to post your desire to hire a consultant in the Jobs category:

  • @dan Thanks Dan. I really just need 2 mins of support. Can you tell me what log to look into to see the issue? I have http:// already in the URI.
    Here is what I see in the dockerlog for the fusionAuth container:

    2021-05-06 7:15:54.736 AM WARN  com.zaxxer.hikari.pool.PoolBase - HikariPool-1 - Failed to validate connection com.mysql.cj.jdbc.ConnectionImpl@50b27d35 (No operations allowed after connection closed.). Possibly consider using a shorter maxLifetime value.
    2021-05-06 7:15:54.738 AM ERROR com.inversoft.scheduler.LogAndRetainFailureHandler - The scheduled service [class io.fusionauth.api.service.system.NodeManager] failed but will be re-run.
    ### Error querying database.  Cause: java.sql.SQLTransientConnectionException: HikariPool-1 - Connection is not available, request timed out after 2024ms.
    ### The error may exist in io/fusionauth/api/domain/FusionAuthNodeMapper.xml
    ### The error may involve io.fusionauth.api.domain.FusionAuthNodeMapper.retrieveAll
    ### The error occurred while executing a query

    and a little down the same log file:

    ### Error querying database.  Cause: java.sql.SQLTransientConnectionException: HikariPool-1 - Connection is not available, request timed out after 2022ms.
    ### The error may exist in io/fusionauth/api/domain/KeyMapper.xml
    ### The error may involve io.fusionauth.api.domain.KeyMapper.retrieveAll
    ### The error occurred while executing a query
    ### Cause: java.sql.SQLTransientConnectionException: HikariPool-1 - Connection is not available, request timed out after 2022ms.

    these keep recurring down the page. The only recommendation I see is "Possibly consider using a shorter maxLifetime value".
    Can you tell me where I set this? Is this a fa thing or a ubuntu thing?

    Or could this be that AWS won't accept a connection? Is this an issue for AWS tech support instead?

  • @robotdan said in invalid_redirect_uri:

    You are right! The http:// is missing in one place (for example)

    But I included it in the URI redirect field in the Home/applications/edit uri field (see below) and it appears in other places in the screenshot. How can that be?

    <a rel="nofollow noopener noreferrer" target="_blank" onclick="return window.theMainWindow.showLinkWarning(this)" href=";client_id=f603697d-41ea-4c53-ac2d-e935d5e34221&amp;redirect_uri=;response_type=code&amp;scope=openid&amp;">
    <button style="border:none;color:white;padding:15px 32px;text-align:center;text-decoration:none;font-size:16px;margin:4px 2px;cursor:pointer;background-color:#008CBA;">
    Click Here to Login!

    In looking at the text of the passwordless login email above I see that the http// is missing! But as I showed you in a screenshot below it is in the proper place. What is cutting it off? Has anyone else had this issue?
    Screenshot from 2021-05-06 10-18-03.png

  • @robotdan here is the email template. Looks to me to have the http://.

    <meta charset="UTF-8">
    <!doctype html>
      <img src="" alt="img" />
      <p>To log into ResearchStudyOnline please click the link.</p>
      [#setting url_escaping_charset="UTF-8"]
      [#-- The optional 'state' map provided on the Start Passwordless API call is exposed in the template as 'state' --]
      [#assign url = "${code}?tenantId=${user.tenantId}" /]
      [#list state!{} as key, value][#if key != "tenantId" && value??][#assign url = url + "&" + key?url + "=" + value?url/][/#if][/#list]
    <a href="${url}" target="_blank">
    <button style="border: none;
    color: white;
    padding: 15px 32px;
    text-align: center;
    text-decoration: none;
    font-size: 16px;
    margin: 4px 2px;
    cursor: pointer;
    background-color: #008CBA;">
    Click Here to Login!

  • @richb201,

    Some of this you may have tried, but could be worth double-checking:

    1. Have you tried running your FreeMarker template through a linter to make sure there are no errors that might explain some of the behavior you are seeing?
    2. Have you tried printing the full URL on your server (in a debug-like puts/print statement) to verify the presence or absence of an HTTP schema in the link and that the link is not broken?
    3. Does the Freemarker template appear as you would like it to when you "preview" (there is a preview button there) the template in FusionAuth under the themes section?

    At the moment, I don't have any other suggestions but will post back here once something else comes to mind.


  • Thanks. From a post by robotdan to another user:

    Hi @forenheith can you confirm you have configured your redirect URI in FusionAuth?

    The Redirect URI will be the URL of your application that will handle the response from the Authorization request. If the value you send in the redirect_uri parameter is not registered with FusionAuth you will receive the invalid_redirect_uri error as you're seeing.

    what does this mean?
    "If the value you send in the redirect_uri parameter is not registered with FusionAuth you will receive the invalid_redirect_uri error as you're seeing."

    Where would I register my Redirect URI? I already have it registered in
    Redirect URI as can be seen here. But I get the feeling that he is talking about registering it somewhere else?
    ![Screenshot from 2021-05-14 02-34-57.png](/community/forum/assets/uploads/files/1620974176507-screenshot-from-2021-05-14-02-34-57.png
    Screenshot from 2021-05-14 02-34-57.png

    I did find this:
    redirect_uri [String] REQUIRED
    The URI to redirect to upon a successful request. This URI must have been configured previously in the FusionAuth Application OAuth configuration. See Applications in the FusionAuth User Guide for additional information on configuring the redirect URI.

    Where would that be done??

    I also found this in rfs6749
    If a redirection URI is provided in the request, the authorization server MUST validate it against the registered value.

    BUT where do I register this?

  • Hi @richb201

    The redirect URL, for OAuth, should only need to be set/registered on this screen for your Application.


    I hope this helps!


  • Yes, that is where I have it. I think it is a bug.

Log in to reply

Looks like your connection to FusionAuth Forum was lost, please wait while we try to reconnect.