invalid_redirect_uri

dan

@richb201 this is the right spot to ask.

What does the list of redirect uris look like in your Application OAuth tab? For security reasons, you need to list every possible redirect_uri in full, so if it doesn't have the URL starting with 35.153.28.164, you'll need to add that.

richb201

This post is deleted!

richb201

@dan The info popup on that page says that if left empty, all addresses are accepted.

richb201

Is there a consultant I could hire to help me get this aspect of passwordless working? This is Docker.

robotdan

@richb201 said in invalid_redirect_uri:

35.153.28.164/index.php/Configure/report_generator_amazing

35.153.28.164/index.php/Configure/report_generator_amazing is not equal to http://35.153.28.164/index.php/Configure/report_generator_amazing, that is why you are seeing the error. (or at least one reason).

Ensure that when you begin the Authorization code grant, you pass in redirect_uri=http://35.153.28.164/index.php/Configure/report_generator_amazing. The error would indicate that the http:// prefix is being omitted.

dan

@richb201 Feel free to post your desire to hire a consultant in the Jobs category: https://fusionauth.io/community/forum/category/7/jobs

richb201

@dan Thanks Dan. I really just need 2 mins of support. Can you tell me what log to look into to see the issue? I have http:// already in the URI.
Here is what I see in the dockerlog for the fusionAuth container:

2021-05-06 7:15:54.736 AM WARN  com.zaxxer.hikari.pool.PoolBase - HikariPool-1 - Failed to validate connection com.mysql.cj.jdbc.ConnectionImpl@50b27d35 (No operations allowed after connection closed.). Possibly consider using a shorter maxLifetime value.
2021-05-06 7:15:54.738 AM ERROR com.inversoft.scheduler.LogAndRetainFailureHandler - The scheduled service [class io.fusionauth.api.service.system.NodeManager] failed but will be re-run.
org.apache.ibatis.exceptions.PersistenceException: 
### Error querying database.  Cause: java.sql.SQLTransientConnectionException: HikariPool-1 - Connection is not available, request timed out after 2024ms.
### The error may exist in io/fusionauth/api/domain/FusionAuthNodeMapper.xml
### The error may involve io.fusionauth.api.domain.FusionAuthNodeMapper.retrieveAll
### The error occurred while executing a query

and a little down the same log file:

### Error querying database.  Cause: java.sql.SQLTransientConnectionException: HikariPool-1 - Connection is not available, request timed out after 2022ms.
### The error may exist in io/fusionauth/api/domain/KeyMapper.xml
### The error may involve io.fusionauth.api.domain.KeyMapper.retrieveAll
### The error occurred while executing a query
### Cause: java.sql.SQLTransientConnectionException: HikariPool-1 - Connection is not available, request timed out after 2022ms.

these keep recurring down the page. The only recommendation I see is "Possibly consider using a shorter maxLifetime value".
Can you tell me where I set this? Is this a fa thing or a ubuntu thing?

Or could this be that AWS won't accept a connection? Is this an issue for AWS tech support instead?

richb201

@robotdan said in invalid_redirect_uri:

http://35.153.28.164/index.php/Configure/report_generator_amazing

You are right! The http:// is missing in one place (for example)
redirect_uri=35.153.28.164%2Findex.php%2FC

But I included it in the URI redirect field in the Home/applications/edit uri field (see below) and it appears in other places in the screenshot. How can that be?

<a rel="nofollow noopener noreferrer" target="_blank" onclick="return window.theMainWindow.showLinkWarning(this)" href="http://35.153.28.164:9011/oauth2/passwordless/Hpwfsd2h-82faVz7oFYpX6xg0k43aIFM0d54-ueW7dc?tenantId=4272f95b-0989-4892-badc-0ef6b934885f&amp;client_id=f603697d-41ea-4c53-ac2d-e935d5e34221&amp;redirect_uri=35.153.28.164%2Findex.php%2FConfigure%2Freport_generator_amazing&amp;response_type=code&amp;scope=openid&amp;state=richardbernstein216%40yahoo.com">
<button style="border:none;color:white;padding:15px 32px;text-align:center;text-decoration:none;font-size:16px;margin:4px 2px;cursor:pointer;background-color:#008CBA;">
Click Here to Login!
</button>
</a>

In looking at the text of the passwordless login email above I see that the http// is missing! But as I showed you in a screenshot below it is in the proper place. What is cutting it off? Has anyone else had this issue?

robotdan

@richb201 said in invalid_redirect_uri:

http://35.153.28.164:9011/oauth2/passwordless/Hpwfsd2h-82faVz7oFYpX6xg0k43aIFM0d54-ueW7dc?tenantId=4272f95b-0989-4892-badc-0ef6b934885f&client_id=f603697d-41ea-4c53-ac2d-e935d5e34221&redirect_uri=35.153.28.164%2Findex.php%2FConfigure%2Freport_generator_amazing&response_type=code&scope=openid&state=richardbernstein216%40yahoo.com

It looks missing to me, in your example HTML I see &redirect_uri=35.153.28.164... instead of &redirect_uri=http://35.153.28.164....

richb201

@robotdan here is the email template. Looks to me to have the http://.

<meta charset="UTF-8">
<!doctype html>

<body>
  <img src="http://35.153.28.164/assets/themes/default/images/Logo%20-%20Research%20Study%20Online-01.jpg?w=640" alt="img" />
  <p>To log into ResearchStudyOnline please click the link.</p>

  [#setting url_escaping_charset="UTF-8"]

  
  [#-- The optional 'state' map provided on the Start Passwordless API call is exposed in the template as 'state' --]
  [#assign url = "http://35.153.28.164:9011/oauth2/passwordless/${code}?tenantId=${user.tenantId}" /]
  [#list state!{} as key, value][#if key != "tenantId" && value??][#assign url = url + "&" + key?url + "=" + value?url/][/#if][/#list]
  
  <div>
<a href="${url}" target="_blank">
<button style="border: none;
color: white;
padding: 15px 32px;
text-align: center;
text-decoration: none;
font-size: 16px;
margin: 4px 2px;
cursor: pointer;
background-color: #008CBA;">
Click Here to Login!
</button>
</a>
</div>

</body>

joshua

@richb201,

Some of this you may have tried, but could be worth double-checking:

1. Have you tried running your FreeMarker template through a linter to make sure there are no errors that might explain some of the behavior you are seeing?
2. Have you tried printing the full URL on your server (in a debug-like puts/print statement) to verify the presence or absence of an HTTP schema in the link and that the link is not broken?
3. Does the Freemarker template appear as you would like it to when you "preview" (there is a preview button there) the template in FusionAuth under the themes section?

At the moment, I don't have any other suggestions but will post back here once something else comes to mind.

Thanks,
Josh

richb201

Thanks. From a post by robotdan to another user:

Hi @forenheith can you confirm you have configured your redirect URI in FusionAuth?

https://fusionauth.io/docs/v1/tech/oauth/overview

The Redirect URI will be the URL of your application that will handle the response from the Authorization request. If the value you send in the redirect_uri parameter is not registered with FusionAuth you will receive the invalid_redirect_uri error as you're seeing.

what does this mean?
"If the value you send in the redirect_uri parameter is not registered with FusionAuth you will receive the invalid_redirect_uri error as you're seeing."

Where would I register my Redirect URI? I already have it registered in
Redirect URI as can be seen here. But I get the feeling that he is talking about registering it somewhere else?
![Screenshot from 2021-05-14 02-34-57.png](/community/forum/assets/uploads/files/1620974176507-screenshot-from-2021-05-14-02-34-57.png

I did find this:
redirect_uri [String] REQUIRED
The URI to redirect to upon a successful request. This URI must have been configured previously in the FusionAuth Application OAuth configuration. See Applications in the FusionAuth User Guide for additional information on configuring the redirect URI.

Where would that be done??

I also found this in rfs6749
If a redirection URI is provided in the request, the authorization server MUST validate it against the registered value.

BUT where do I register this?

joshua

Hi @richb201

The redirect URL, for OAuth, should only need to be set/registered on this screen for your Application.

I hope this helps!

Thanks,
Josh

richb201

Here is mine. They look similar right?

I am going to try your standard passwordless email instead of my customized one.

Here is my login tenant. Notice the issuer? Is that a problem? Do I need to have my own inform in there?

robotdan

@richb201 said in invalid_redirect_uri:

I am going to try your standard passwordless email instead of my customized one.

This is a good idea. This should give you a base case to test with to ensure it is working correctly before customizing it too much.

You may also want to capture the raw email message to see if the URL is correct in the MIME encoded version of the email.

richb201

@robotdan Thanks. I have the raw email message, I just don't know how to see what is wrong with it.

Received: from 10.196.216.85
 by atlas319.free.mail.bf1.yahoo.com with HTTPS; Fri, 14 May 2021 11:19:49 +0000
Return-Path: <010001796a9a9e93-d880d840-8578-4fbf-9cfa-e2fe054e3986-000000@amazonses.com>
X-Originating-Ip: [54.240.8.241]
Received-SPF: pass (domain of amazonses.com designates 54.240.8.241 as permitted sender)
Authentication-Results: atlas319.free.mail.bf1.yahoo.com;
 dkim=pass header.i=@amazonses.com header.s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug;
 spf=pass smtp.mailfrom=amazonses.com;
 dmarc=unknown header.from=substantiator.com;
X-Apparently-To: richardbernstein216@yahoo.com; Fri, 14 May 2021 11:19:49 +0000
X-YMailISG: RuEN7foWLDu9BhoVg1_uj0ZIWl3MAsheSKU0V8Ov.9FsKaEX
 xrAAWNrr8D1StRJTu4elf71kfaBhc1I7eqUJQeUplY6XYN2XU_.96BEgIcp7
 RpVKGE3QaznUrFboVsXtT8Esf6tChUHtXHOvSDcq1ySeDEUvWaBJX6BZDzmB
 7QFLHvkF6k2Fa21vy3yb3y_hdPGc.RpjQM2Xu6PzcS9s0fl8BXFwt7vQyDkC
 aNAnTmgPibrFvftqKxhMA018R_fa3OD_1Cx2ymowL_lPOvOwYlxzlYiHp6gB
 B.AMbM6eMtNX4_NfaS0MzcHIgbCZ342fWVIkx8QH5kFm8pkPp7.7OGhC4xQl
 lrIA8fxMJ5bALaPN2pfzkjn0a_TmU5cveMbVDIM7PdNPyTTYpgN8h6OCVoBm
 lCW66qZpuHBB8BndOg2cPsr1S_JEJjYtOp4.QW7Hi5.ngcr_w0SpnMuY4ob6
 cuJEDKW_eHrN30geb0bgmveRT84g8.gZ1y8wuNjnYrBZDGJWhrzAq2aYLwvT
 DGhByPAxUDIN.eE.fL5T7kbHZEPn3zeIUV9vCvpdsYPSXMChhHG73A1FfoJW
 9KjMNrTt.7SuyIG85b_PcMMn6cDtyEtNxliEeXWwIw4UWpXBlqZk_7J9FKkM
 da_IJmf8Nk5.RhZgV6s_z.2ldeHlmN_RfWdF3eQU8sd5n.29OrUowXSLQ2VA
 JEZP3ztIIFPWxBJ9onafe3F1PBoefTPAmufC2hYXpwFBTkINJdmRId2672Oq
 U21ZQgq2341SN0Kb5Dv1lAQ5Db9Cd3VHx8_QGZ.AOl15P9orL5bKzsn33H4i
 McPP1HsY_japIFdCy5EukFBStpirGhneoY5vW6PfEBTEd2USnLpSuWd8KHzu
 tv9cI6vVVJISkmW0FSD5pY5TKdYLrU1vFmR9SLZ7CbhlEIV3_LMnNAl_7Z6y
 mgYdNrD0qGojogB8zAtL8r78Wz8kgiDV4_UB5UNJ5rJypqmBfCkG..iOF8NT
 YvTPgjG_oPTHc0_TakpvQ0v9Tm3p3G20Gy9xhDuawxOq445JgJCE6mx_AfN8
 SlVtKizLp1GwcmzwVkZO8X_E1DZqRXegeJ86KoO.mIAkFb7pkStYgAbY1zny
 _uDaWSqRUzLsPZz4bTJM5wyqWYrl4DwmZ73C6wnw6AFA9kiJE4x1PvFKlA--
Received: from 54.240.8.241 (EHLO a8-241.smtp-out.amazonses.com)
 by 10.196.216.85 with SMTPs
 (version=TLS1_2 cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256);
 Fri, 14 May 2021 11:19:49 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
	s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug; d=amazonses.com; t=1620991188;
	h=From:To:Message-ID:Subject:MIME-Version:Content-Type:Date:Feedback-ID;
	bh=HSdZTCdopKudE7gQLvMd7mhFaDyjWsxy1D6lCGlaXGg=;
	b=hJFNKihjTNSqR9HTquZmBuIEobuvLlQP02ypaee/aHylzTlFsJq55u+2vK+u/OGE
	/tyfh3hqWOyCy0CpwkEQsjX8Xv9I/YHz+sB1mqIxDhwse7LPzqZ+Kd9VmVkKqAJaSil
	xiI/dTVkV/Dhayive7Dc4YdTtyRdgc3+eu3JX1NU=
From: admin <admin@substantiator.com>
To: richardbernstein216@yahoo.com
Message-ID: <010001796a9a9e93-d880d840-8578-4fbf-9cfa-e2fe054e3986-000000@email.amazonses.com>
Subject: Login
MIME-Version: 1.0
Content-Type: multipart/alternative; 
	boundary="----=_Part_10_107303501.1620991187686"
Date: Fri, 14 May 2021 11:19:48 +0000
Feedback-ID: 1.us-east-1./ToaGAJxWOVHrr4y6A5cU9krmMVcIKDbUUm+IkkffcM=:AmazonSES
X-SES-Outgoing: 2021.05.14-54.240.8.241
Content-Length: 1850

------=_Part_10_107303501.1620991187686
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

<body>
  <img src="35.153.28.164/assets/themes/default/images/Logo - Research Study Online-01.jpg?w=640" alt="img" />
 
     
  <div>
<a href="http://fusionauth.ngrok.io/oauth2/passwordless/YZKTNV6VE0VGJ9e_mKuWLjtokNtS44FcAvEM5kTG9Jk?tenantId=4272f95b-0989-4892-badc-0ef6b934885f&client_id=f603697d-41ea-4c53-ac2d-e935d5e34221&redirect_uri=35.153.28.164%2Findex.php%2FConfigure%2Freport_generator_amazing&response_type=code&scope=openid&state=richardbernstein216%40yahoo.com" target="_blank">
<button style="border: none;
color: white;
padding: 15px 32px;
text-align: center;
text-decoration: none;
font-size: 16px;
margin: 4px 2px;
cursor: pointer;
background-color: #008CBA;">
Click Here For Survey!
</button>
</a>
</div>

</body>
------=_Part_10_107303501.1620991187686
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit

<meta charset="UTF-8">
<!doctype html>

<body>
  <img src="http://35.153.28.164/assets/themes/default/images/Logo%20-%20Research%20Study%20Online-01.jpg?w=640" alt="img" />
  <p>To log into ResearchStudyOnline please click the link.</p>

    
  <div>
<a href="http://35.153.28.164:9011/oauth2/passwordless/YZKTNV6VE0VGJ9e_mKuWLjtokNtS44FcAvEM5kTG9Jk?tenantId=4272f95b-0989-4892-badc-0ef6b934885f&client_id=f603697d-41ea-4c53-ac2d-e935d5e34221&redirect_uri=35.153.28.164%2Findex.php%2FConfigure%2Freport_generator_amazing&response_type=code&scope=openid&state=richardbernstein216%40yahoo.com" target="_blank">
<button style="border: none;
color: white;
padding: 15px 32px;
text-align: center;
text-decoration: none;
font-size: 16px;
margin: 4px 2px;
cursor: pointer;
background-color: #008CBA;">
Click Here to Login!
</button>
</a>
</div>

</body>
------=_Part_10_107303501.1620991187686--

This one is using ngrok, just so I can test on my laptop.

robotdan

Here is the redirect_uri in the email:

&redirect_uri=35.153.28.164%2Findex.php%2FConfigure%2Freport_generator_amazing

This needs to be be &redirect_uri=http://35...

richb201

@robotdan Yes, I know that needs to have http:// but I think I have it already!. Where do I specify that. Here is the application setup and you can see it there.

and here is the email template:

<meta charset="UTF-8">
<!doctype html>

<body>
  <img src="http://35.153.28.164/assets/themes/default/images/Logo%20-%20Research%20Study%20Online-01.jpg?w=640" alt="img" />
  <p>To log into ResearchStudyOnline please click the link.</p>

  [#setting url_escaping_charset="UTF-8"]

  
  [#-- The optional 'state' map provided on the Start Passwordless API call is exposed in the template as 'state' --]
  [#assign url = "http://35.153.28.164:9011/oauth2/passwordless/${code}?tenantId=${user.tenantId}" /]
  [#list state!{} as key, value][#if key != "tenantId" && value??][#assign url = url + "&" + key?url + "=" + value?url/][/#if][/#list]
  
  <div>
<a href="${url}" target="_blank">
<button style="border: none;
color: white;
padding: 15px 32px;
text-align: center;
text-decoration: none;
font-size: 16px;
margin: 4px 2px;
cursor: pointer;
background-color: #008CBA;">
Click Here to Login!
</button>
</a>
</div>

</body>

It also has the http://

richb201

@richb201 I think I got it. There was a line in my code that was missing the http://. Thanks.

Now that I got that working, I do want to pass in the user's email address to the redirect uri. Is there an easy way to do that?
I have set $request["state"]["state"] = "$email" prior to doing the fusion doing the auth, so how do I get "state" inside my application?

joshua

@richb201,

Can you provide a bit more context on why you want to do this on a URI? I am not sure what you want to store in "state".

The "state" variable, as I understand it, is available only on the forgot password FTL templates (doc, using the API, but the description is still applicable to your OAuth setup here)

My first thought was, perhaps you want to store "state" on a custom user data point and just query the user object when needed? But might need some more information to assist further.

Thanks,
Josh