Sign-In Page – redirect_uri

OK, so I’m new to this and I’m trying to implement OAuth to one of my personal project based on PHP. I followed the Quickstart Guide for the Okta Sign-In Page with PHP but I keep getting the following error …

{
    error: "invalid_grant",
    error_description: "The 'redirect_uri' does not match the redirection URI used in the authorization request."
}

… even though I provided the correct redirect_uri in the authorization request, which is also used in my application settings.

// DISCLAIMER Of-course there are no blank spaces in my URIs, but I’m only allowed to use 2 links max in my post …

Here’s my code of my login-page which redirects to the Sign-In Page: https:// fjatsh.dev/login

<?php

$query = http_build_query([
    'client_id' => 'MY-OKTA-CLIENT-ID',
    'response_type' => 'code',
    'response_mode' => 'query',
    'scope' => 'openid profile',
    'redirect_uri' => https://fjatsh.dev/logincall,
    'state' => 'SOMETHING',
    'nonce' => 'SOMETHING'
]);

header('Location: ' . 'https://dev-780041.oktapreview.com/oauth2/default/v1/authorize?'.$query);

?>

At the okta-sign-in page I put in my credentials without any erros and get redirectet to my ‘redirect_uri’ at: https:// fjatsh.dev/logincall?code=EXAMPLE-CODE&state=SOMETHING

Which contains the following code:

<?php

if(array_key_exists('state', $_REQUEST) && $_REQUEST['state'] !== $state) {
    throw new \Exception('State does not match.');
}

if(array_key_exists('code', $_REQUEST)) {
    $exchange = exchangeCode($_REQUEST['code']);
}

if(array_key_exists('error', $_REQUEST)) {
    throw new \Exception($_REQUEST['error']);
}

function exchangeCode($code) {
    $authHeaderSecret = base64_encode('MY-OKTA-CLIENT-ID:MY-OKTA-CLIENT-SECRET');
    $query = http_build_query([
        'grant_type' => 'authorization_code',
        'code' => $code
    ]);
    $headers = [
        'Authorization: Basic ' . $authHeaderSecret,
        'Accept: application/json',
        'Content-Type: application/x-www-form-urlencoded',
        'Connection: close',
        'Content-Length: 0'
    ];
    $url = 'https://dev-780041.oktapreview.com/oauth2/default/v1/token?' . $query;
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    curl_setopt($ch, CURLOPT_POST, 1);
    $output = curl_exec($ch);
    $httpcode = curl_getinfo($ch, CURLINFO_HTTP_CODE);

    if(curl_error($ch)) {
        $httpcode = 500;
    }
    curl_close($ch);
    return json_decode($output);
}

$jwt = json_encode($exchange);
print_r($jwt);

?>

Which, unfortinately outputs the code which I posted at the beginning.

I added the following “Login redirect URI” to the Application-Settings: “https:// fjatsh.dev/logincall” and added “https:// fjatsh.dev” to the trusted Origins with type set to CORS and redirect.

Any ideas what I missed?
Thanks in advance :slight_smile:

When exchanging the code for tokens, you need to pass the redirect_uri:

https://developer.okta.com/authentication-guide/implementing-authentication/auth-code#3-exchanging-the-code-for-tokens

In your logincall controller:

$query = http_build_query([
        'grant_type' => 'authorization_code',
        'code' => $code,
        'redirect_uri' => 'https://fjatsh.dev/logincall'
    ]);

Let me know if this resolves it!

1 Like

Perfect! That solved the problem.

Which means, that the example code is missing that information! -> link

Thanks a lot – saved my weekend :slight_smile:

Happy that saved your weekend! And thanks for letting us know where you saw the problem, that was going to be my next question. I’ll have the team get that fixed:

@robertjd @bretterer ^^ - this is logged under OKTA-154154

@tom I am having a similar error message (invalid_grant). But I do not have a lot of ideas on how to debug it because it is not obvious what is causing it.
My web server had been running for a few months and users were able to use login using okta authentication. However recently the error message just started appearing, without any changes to the code, and users can not longer gain access inside.

I shut down the production version of the web server and then just fired up a testing environment on the same port and, in that instance, the okta authentication works and I can login. But if I turn on the production version where I am using the exact same code as the development version only information is being served with gunicorn + ngninx (not sure if this is causing anything), then I get the invalid_grant error.

Do you have any idea what might be causing this issue since the fact that it works while testing makes me think its not in my code?

I am not sure what information I should provide, but at a high level I am using reactjs for the front end and sign in page which is attached to a django server that performs the token exchange.

Any help would be greatly appreciated.

Hey @calbert

Can you open a support ticket with us at developers@okta.com in order to have one of our Developer Support Engineers assist you?

In the email, please specify your Okta org and the error that you are seeing.