Amazon Cognito: How to stop getting "redirect_mismatch" error when redirecting from browser to Android app

Question

I am trying to create a Android project where I authorize a user by having him log into Amazon Cognito in a browser, which should then redirect back to my app. Unfortunately, when the browser opens, instead of reaching the proper sign-in page, I keep getting this error:

In my AuthenticatorActivity.java:

@Override
protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    setContentView(R.layout.activity_authenticator);

    Uri authzUrl = Uri.parse("https://<myDomain>.auth.us-west-2.amazoncognito.com/login?response_type=token&client_id=<myClientId>&redirect_uri=myapp://mainAct");
    Intent launchBrowser = new Intent(Intent.ACTION_VIEW, authzUrl);
    startActivity(launchBrowser);
}

In AndroidManifest:

<activity android:name=".MainActivity">
    <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:host="mainAct" android:scheme="myapp"></data>
    </intent-filter>
</activity>

I can't figure out what I am doing wrong here. Am I missing a step?

Answer 1

Ok, I'm leaving a tidbit here for whoever might find it next. I hit this issue exact same issue, but as a newbie to Cognito and IdP/SSO I had no idea how to fix this. Here is what I did to eventually fix this. We were integrating with an external service, and we were getting this error. Under Chrome Developer Tools -> Network, I started to record the URL's visited, then I tried the SSO integration again. There was a URL that showed up in the list which visited Cognito with a redirect to URL. That URL must be the same URL as listed under the Callback URL for Cognito.

Hopefully, this saves someone some time in the future.

Answer 2

Do check your callback url and sign out url. The corect format is :

app_client_name:https://www.myapp.com/

Answer 3

redirect_uri (1st img) must be the same as in the Callback URL(s) field (2nd img).

1st img

2nd img (App integration -> App client settings under AWS)

Answer 4

Extending on the answer by Dimitris https://stackoverflow.com/a/60456018/6883773

If you have a DNS route53 specified for your load balancer. You can specify the same in the callback URL.

https://www.example.com/oauth2/idpresponse

Ref: https://aws.amazon.com/premiumsupport/knowledge-center/elb-configure-alb-authentication-idp/

Answer 5

I am using amplify with cognito and encountered this error. Fixed by following. In aws-export.ts, there is a redirectSingIn url, it must be the exact same url as in cognito/app Integration/app client setting/ callback url which is where the application runs.

Update: I encountered this problem again in AWS cognito, user pool, App client, client web. After updating the Callback URL(s), things starts to break, even the Callback URL(s) is valid. Later I figured out that it will take some time for the change to sync in. Need to walk away about 10 minutes, then try again.

Answer 6

Another silly mistake I did and took me hours to figure it out was the fact that the value of redirectSignIn in aws-exports.js was completely wrong. When you modify the value of this configuration multiple times through Amplify CLI, it appends a comma treating the value as a List giving you something like this

 "redirectSignIn": "http://localhost:3000/,http://localhost:3000/,http://localhost:3000/,http://localhost:3000/",

Unfortunately, the value is treated as a string when used using HostedUI.

Answer 7

An answer not covered here(probably due to docs being updated recently) is about logout_uri. If you are setting your logout URL to a URL different from your log in URL, you will get redirect mismatch error with redirect_uri parameter.

For e.g.

Log in URL: http://localhost:3000/log_in.html
Call back URL(after login): http://localhost:3000/logged_in.html
Sign out URL(after logout): http://localhost:3000/logged_out.html

I was sending request using redirect_uri parameter to a custom sign out URL page like this

https://xxx.auth.ap-southeast-1.amazoncognito.com/logout?client_id=xxx&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Flogged_out.html

which resulted in redirect mismatch error.

I had to change to logout_uri to make it work.

https://xxx.auth.ap-southeast-1.amazoncognito.com/logout?client_id=xxx&response_type=code&logout_uri=http%3A%2F%2Flocalhost%3A3000%2Flogged_out.html

PS: Make sure that your redirect_uri or logout_uri is same in AWS Cognito console and your code otherwise it will result in redirect mismatch error.

Documentation: https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html#get-logout

Answer 8

I solved this by remembering to include http:// in the callbackUrl on the frontend.

const redirect_url=`${window.location.origin}`;

It probably wont be a common reason, but was why mine broke.

Answer 9

This is because of the mismatched url for either redirectSignIn or redirectSignOut. Please check both setup in aws console and code aws_config, and make them consistent.

aws console redirect uri configuration

Answer 10

In my case the error was due to CloudFront serving the old files.

To solve it; you can invalidate CloudFront files via AWS console. p.s. can use /* to invalidate all of the files https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Invalidation.html

Answer 11

You absolutely need to make sure these items are checked if you're requesting a scope, otherwise you get redirect_mismatch (unhelpful error name).

With a config of below from the tutorial here

Auth.configure({
  oauth: {
    domain: aws.idpDomain,
    scope: ['email', 'openid'],
    // we need the /autologin step in between to set the cookies properly,
    // we don't need that when signing out though
    redirectSignIn: aws.redirectSignIn,
    redirectSignOut: aws.redirectSignOut,
    responseType: 'token',
  },
})

Answer 12

In my case is was because in the console I was redirecting to https://localhost:4200 but in the URL I had http://localhost:4200. Note the SSL/TLS version vs. non-SSL/TLS

Answer 13

In the context of Amplify + multiple redirection URLs (inspired by @Oscar Nevarez) I looked at src/aws-export.js :

        "redirectSignIn": "https://example.com/,http://localhost:5173/",
        "redirectSignOut": "https://example.com/,http://localhost:5173/",

Which is NOT digested by Cognito when passed as URL redirect_uri parameter.

My fix was to override these values in src/main.js as follows

awsconfig.oauth.redirectSignIn = `${window.location.origin}/`
awsconfig.oauth.redirectSignOut = `${window.location.origin}/`

Worked both for local and deployed

Answer 14

Assuming your website is behind an application load balancer (ALB), and you have a listener rule that uses a Cognito user pool and Path is * in the IF rule statement, you should configure your 0Auth client app callback url, like:

https://<your-ALB-DNS>/oauth2/idpresponse

This make it work for me at least, with no other fancy config.

Keep in mind though that this will just provide a layer on top of whatever you have behind the ALB. If you have some additional authentication method in it, you have to configure that as well.

Answer 15

I followed this video "Adding Facebook Sign In for Web Applications with AWS Amplify": https://dev.to/aws/adding-facebook-sign-in-for-web-applications-with-aws-amplify-2fc8

It deploys to localhost, so I then deployed it to a Amplify URL ... I had the same redirect error ad it turned out that I hadn't updated aws-exports.js in the src directory.