Sign-In Page – redirect_uri


#1

OK, so I’m new to this and I’m trying to implement OAuth in one of my personal projects based on PHP. I followed the Quickstart Guide for the Okta Sign-In Page with PHP, but I keep getting the following error …

{
    error: "invalid_grant",
    error_description: "The 'redirect_uri' does not match the redirection URI used in the authorization request."
}

… even though I provided the correct redirect_uri in the authorization request, which is also used in my application settings.

// DISCLAIMER: Of course there are no blank spaces in my URIs, but I’m only allowed to use 2 links max in my post …

Here’s the code of my login page, which redirects to the Sign-In Page: https:// fjatsh.dev/login

<?php

// Build the authorization request and send the browser to Okta's authorize endpoint.
$query = http_build_query([
    'client_id' => 'MY-OKTA-CLIENT-ID',
    'response_type' => 'code',
    'response_mode' => 'query',
    'scope' => 'openid profile',
    'redirect_uri' => 'https://fjatsh.dev/logincall',
    'state' => 'SOMETHING',
    'nonce' => 'SOMETHING'
]);

header('Location: ' . 'https://dev-780041.oktapreview.com/oauth2/default/v1/authorize?' . $query);

?>

At the Okta sign-in page I put in my credentials without any errors and get redirected to my ‘redirect_uri’ at: https:// fjatsh.dev/logincall?code=EXAMPLE-CODE&state=SOMETHING

Which contains the following code:

<?php

// Must be the same value that was sent as 'state' in the authorization request.
$state = 'SOMETHING';

if(array_key_exists('state', $_REQUEST) && $_REQUEST['state'] !== $state) {
    throw new \Exception('State does not match.');
}

if(array_key_exists('code', $_REQUEST)) {
    $exchange = exchangeCode($_REQUEST['code']);
}

if(array_key_exists('error', $_REQUEST)) {
    throw new \Exception($_REQUEST['error']);
}

function exchangeCode($code) {
    // Client authentication via HTTP Basic (client_id:client_secret).
    $authHeaderSecret = base64_encode('MY-OKTA-CLIENT-ID:MY-OKTA-CLIENT-SECRET');
    // Token request parameters, sent in the query string with an empty POST body.
    $query = http_build_query([
        'grant_type' => 'authorization_code',
        'code' => $code
    ]);
    $headers = [
        'Authorization: Basic ' . $authHeaderSecret,
        'Accept: application/json',
        'Content-Type: application/x-www-form-urlencoded',
        'Connection: close',
        'Content-Length: 0'
    ];
    $url = 'https://dev-780041.oktapreview.com/oauth2/default/v1/token?' . $query;
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    curl_setopt($ch, CURLOPT_POST, 1);
    $output = curl_exec($ch);
    $httpcode = curl_getinfo($ch, CURLINFO_HTTP_CODE);

    if(curl_error($ch)) {
        $httpcode = 500;
    }
    curl_close($ch);
    return json_decode($output);
}

$jwt = json_encode($exchange);
print_r($jwt);

?>

Which, unfortunately, outputs the error which I posted at the beginning.

I added the following “Login redirect URI” to the Application Settings: “https:// fjatsh.dev/logincall” and added “https:// fjatsh.dev” to the Trusted Origins with type set to CORS and Redirect.

Any ideas what I missed?
Thanks in advance :slight_smile:


#2

When exchanging the code for tokens, you need to pass the redirect_uri:

https://developer.okta.com/authentication-guide/implementing-authentication/auth-code#3-exchanging-the-code-for-tokens

In your logincall controller:

$query = http_build_query([
    'grant_type' => 'authorization_code',
    'code' => $code,
    'redirect_uri' => 'https://fjatsh.dev/logincall'
]);

Let me know if this resolves it!
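The fix above, put together as a complete login page plus callback. This is an added example written for this thread; it is not the original poster's code and not Okta's quickstart. It reuses the issuer, client id and redirect URI placeholders from the question, sends the token request parameters in the POST body rather than the query string, and binds `state` to the PHP session instead of a fixed string so the callback can verify it with a per-login value. The session key names (`oauth_state`, `oauth_nonce`) are my own choice.

```php
<?php
// Added example, not from the thread or from Okta. Assumes the issuer, client
// id/secret and redirect URI placeholders used in the question; session key
// names are invented here.
declare(strict_types=1);

const ISSUER        = 'https://dev-780041.oktapreview.com/oauth2/default';
const CLIENT_ID     = 'MY-OKTA-CLIENT-ID';
const CLIENT_SECRET = 'MY-OKTA-CLIENT-SECRET';
const REDIRECT_URI  = 'https://fjatsh.dev/logincall';

/** Build the authorize URL; state and nonce are random and kept in the session. */
function buildAuthorizeUrl(): string
{
    $_SESSION['oauth_state'] = bin2hex(random_bytes(16));
    $_SESSION['oauth_nonce'] = bin2hex(random_bytes(16));

    $query = http_build_query([
        'client_id'     => CLIENT_ID,
        'response_type' => 'code',
        'response_mode' => 'query',
        'scope'         => 'openid profile',
        'redirect_uri'  => REDIRECT_URI,   // the token request must repeat this exact value
        'state'         => $_SESSION['oauth_state'],
        'nonce'         => $_SESSION['oauth_nonce'],
    ]);
    return ISSUER . '/v1/authorize?' . $query;
}

/** Exchange the code for tokens; redirect_uri is included, which is what was missing. */
function exchangeCode(string $code): array
{
    $body = http_build_query([
        'grant_type'   => 'authorization_code',
        'code'         => $code,
        'redirect_uri' => REDIRECT_URI,
    ]);

    $ch = curl_init(ISSUER . '/v1/token');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,          // form-encoded body, not query string
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_USERPWD        => CLIENT_ID . ':' . CLIENT_SECRET, // HTTP Basic client auth
        CURLOPT_HTTPHEADER     => [
            'Accept: application/json',
            'Content-Type: application/x-www-form-urlencoded',
        ],
    ]);
    $output   = curl_exec($ch);
    $httpcode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $curlErr  = curl_error($ch);
    curl_close($ch);

    if ($output === false) {
        throw new RuntimeException('Token request failed: ' . $curlErr);
    }
    $decoded = json_decode($output, true);
    if ($httpcode !== 200 || !is_array($decoded) || isset($decoded['error'])) {
        // Surface error/error_description (e.g. invalid_grant) instead of returning it as data.
        throw new RuntimeException('Token endpoint returned ' . $httpcode . ': ' . $output);
    }
    return $decoded;
}

/** Callback handler: reject errors and state mismatches before using the code. */
function handleCallback(array $request): array
{
    if (isset($request['error'])) {
        throw new RuntimeException($request['error'] . ': ' . ($request['error_description'] ?? ''));
    }

    $expected = $_SESSION['oauth_state'] ?? null;
    unset($_SESSION['oauth_state']);   // one-time use
    if ($expected === null || !isset($request['state']) || !hash_equals($expected, $request['state'])) {
        throw new RuntimeException('State does not match.');
    }
    if (!isset($request['code'])) {
        throw new RuntimeException('No authorization code in callback.');
    }
    return exchangeCode($request['code']);
}

// Usage:
//   login.php     -> session_start(); header('Location: ' . buildAuthorizeUrl());
//   logincall.php -> session_start(); $tokens = handleCallback($_GET);
```

Two things worth noting about the design: `redirect_uri` is defined once as a constant so the authorize request and the token request cannot drift apart (which is exactly the `invalid_grant` case in the question), and the token-endpoint response is checked for `error` and a non-200 status so a failed exchange throws instead of being printed as if it were tokens. The `nonce` stored in the session is meant to be compared against the `nonce` claim of the returned `id_token`; that check is not shown here.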


#3

Perfect! That solved the problem.

Which means, that the example code is missing that information! -> link

Thanks a lot – saved my weekend :slight_smile:


#4

Happy that saved your weekend! And thanks for letting us know where you saw the problem, that was going to be my next question. I’ll have the team get that fixed:

@robertjd @bretterer ^^ - this is logged under OKTA-154154