Redirect_uri_mismatch error in Google OAuth

Hello guys!
Hope everyone is safe and well. I am having an issue with Google OAuth integration, where Google responds with redirect_uri_mismatch error.

I double checked my configuration and searched in the topics, but did not find any error or solution. I am running grafana version 6.7.4 in Docker, behind an nginx reverse proxy which does SSL termination. This is my current configuration (relevant sections only):

# Protocol (http or https)
protocol = http

# The ip address to bind to, empty will bind to all interfaces
;http_addr = 

# The http port  to use
http_port = 3000

# The public facing domain name used to access grafana from a browser
domain = grafana.mydomain.net

# Redirect to correct domain if host header does not match domain
# Prevents DNS rebinding attacks
;enforce_domain = false

# The full public facing url you use in browser, used for redirects and emails
# If you use reverse proxy and sub path specify full url (with sub path)
root_url = https://grafana.mydomain.net

[auth.google]
enabled = true
allow_sign_up = true
client_id = [redacted-google-client-id]
client_secret = [redacted-google-client-secret]
scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
auth_url = https://accounts.google.com/o/oauth2/auth
token_url = https://accounts.google.com/o/oauth2/token
api_url = https://www.googleapis.com/oauth2/v1/userinfo
allowed_domains = mydomain.net

In my Google credentials I set up https://grafana.mydomain.net/login/google as redirect URL, which is the URI grafana should send to Google, but when trying to access using Google Auth I get the following error:

The redirect URI in the request, http://grafana.mydomain.net:3000/login/google, 
does not match the ones authorized for the OAuth client. 

My guess is that grafana is building the redirect URI based on protocol, domain and port rather than using the root_url option.

For the configuration, I used this page as a guide: https://grafana.com/docs/grafana/v6.7/auth/google/

Any input or help will be very much appreciated.

Thanks in advance,
Diego

That is not an error in Grafana, but in your OIDC client configuration. Go to your GCP console and add http://grafana.mydomain.net:3000/login/google as an allowed redirect URL for the OIDC client in use.

Thanks for the response @jangaraj, I understand this error message is not generated by grafana, but it is a result of grafana not sending the correct redirect URL when attempting authorization.

As I mentioned in my original post, this Grafana instance is deployed behind a reverse proxy for SSL termination, so http://grafana.mydomain.net:3000/ is not accessible by GCP. I’d expect grafana to use root_url option to build the redirect URI, that’s why I configured it accordingly.

You are right. I would:

  • check in the Grafana UI whether the config is applied correctly (check Server Admin - use a local admin user to check that)
  • try root_url = https://grafana.mydomain.net/ (please notice the slash at the end)
  • try a different Grafana version (I use a similar setup with 6.6.2/7.1.3 without any issue)

I checked the configuration, and it is not loading the right value for root_url. I will check my setup to see where it is getting overridden.

Thanks @jangaraj for pointing in the right direction!

Since I’m using docker, I set the GF_ROOT_URL envvar and grafana honoured that config. It is working now.

Thanks @jangaraj!!

Please note that for the latest versions it's GF_SERVER_ROOT_URL

Thank you for providing this update - I was having the same issue but not working, and your comment updating it (a mere 3 hours ago from when I checked) was super helpful. Thank you!

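The check below is an added example, not part of the thread and not Grafana's own code. It resolves the effective [server] settings (shipped defaults, then grafana.ini, then GF_SERVER_* environment variables) and compares the resulting Google callback URL against the URIs registered for the OAuth client. The function names and sample values are constructed, and building the callback as root_url plus /login/google is an assumption taken from the URLs quoted in the thread.

```python
import configparser

# Grafana's shipped defaults for [server]; root_url is derived from the other three.
DEFAULTS = {"protocol": "http", "domain": "localhost", "http_port": "3000",
            "root_url": "%(protocol)s://%(domain)s:%(http_port)s/"}

def effective_server(ini_text, env):
    """Layer settings as Grafana does: defaults < grafana.ini < GF_SERVER_* env vars."""
    cp = configparser.ConfigParser()
    cp.read_dict({"server": DEFAULTS})
    cp.read_string(ini_text)
    for key in DEFAULTS:
        override = env.get("GF_SERVER_" + key.upper())
        if override is not None:
            # Escape '%' so a literal URL is not treated as an interpolation.
            cp.set("server", key, override.replace("%", "%%"))
    return {key: cp.get("server", key) for key in DEFAULTS}

def google_redirect_uri(ini_text, env):
    """Assumption: callback = root_url without trailing slash + /login/google."""
    return effective_server(ini_text, env)["root_url"].rstrip("/") + "/login/google"

def check(ini_text, env, authorized):
    """Return (uri, ok); ok is True only on an exact match with a registered URI."""
    uri = google_redirect_uri(ini_text, env)
    return uri, uri in authorized

# Constructed sample: the thread's settings with root_url left commented out,
# which models a root_url value that never reached the running instance.
SAMPLE_INI = """
[server]
protocol = http
http_port = 3000
domain = grafana.mydomain.net
;root_url = https://grafana.mydomain.net
"""
AUTHORIZED = {"https://grafana.mydomain.net/login/google"}  # as registered in the thread

if __name__ == "__main__":
    import os
    print(check(SAMPLE_INI, {}, AUTHORIZED))
    print(check(SAMPLE_INI, {"GF_SERVER_ROOT_URL": "https://grafana.mydomain.net/"}, AUTHORIZED))
    print(check(SAMPLE_INI, os.environ, AUTHORIZED))
```

With no root_url in effect, the derived value is the http://...:3000 address from the error message; setting GF_SERVER_ROOT_URL brings the callback back to the registered HTTPS URI.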