Google Oauth Error 400: redirect_uri_mismatch #344

Closed
Revisto opened this issue Feb 22, 2021 · 7 comments

Comments

@Revisto

Revisto commented Feb 22, 2021

Hi again.
I'm trying to use Google OAuth on my server. My website is HTTPS, but the request that it sends to redirect is from HTTP, and there is no way to add non-SSL redirect URIs to the Google console.
Btw, I use Nginx.

I would appreciate any help or solution.

@daenney
Collaborator

daenney commented Feb 22, 2021

If Google doesn't support adding non-SSL URLs there's nothing you can do on the Flask side. But I doubt that's the case. Google should accept http://localhost URLs. That should work based on Google's own documentation: https://developers.google.com/identity/protocols/oauth2/web-server.

Please note that though we maintain a solution to help you leverage OAuth2 in your Flask app, we're not a generic helpdesk. There are a million solutions that show up on search engines: https://stackoverflow.com/questions/10456174/oauth-how-to-test-with-local-urls

@daenney daenney closed this as completed Feb 22, 2021
@Revisto
Author

Revisto commented Feb 22, 2021

Thank you, but I'm running it on my server and it has SSL.
For example, my website address is https://revisto.com
but when I want to sign in via Google OAuth, it says:

Error 400: redirect_uri_mismatch
The redirect URI in the request, http://revisto.com/login/google/authorized, does not match the ones authorized for the OAuth client.

So I need to do that via HTTPS, but I don't know how to do that, and Google does not allow me to add HTTP://revisto.com.

Thanks again.

@daenney
Collaborator

daenney commented Feb 22, 2021

Then it sounds like your reverse proxy isn't set up correctly, so the Flask app running your website doesn't think it has TLS and is generating plain http URLs instead of https ones. I'd suggest reviewing https://flask.palletsprojects.com/en/1.1.x/deploying/wsgi-standalone/.

@Revisto
Author

Revisto commented Feb 22, 2021

I found what causes the problem.

When flask_dance wants to redirect, the URL is like this:

https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=<CLIEND_ID>&redirect_uri=http%3A%2F%2Frevisto.com%2Flogin%2Fgoogle%2Fauthorized&scope=profile+email&state=&access_type=offline

Here the value of the redirect_uri parameter is "http". How can I change it to https?

@daenney
Collaborator

daenney commented Feb 22, 2021

That's this one: https://github.com/singingwolfboy/flask-dance/blob/main/flask_dance/contrib/google.py#L58. But if it's generating a URL with http, then your Flask application isn't aware it's running with TLS. It'll generate an https URL if it was. Hence the "please review your reverse proxy setup".

@Revisto
Author

Revisto commented Feb 22, 2021

Final solution:

If anyone has the same problem, just add this simple line to your Flask code:

flask.request.environ['wsgi.url_scheme'] = "https"

@daenney
Collaborator

daenney commented Feb 22, 2021

This is an extremely bad idea. Setting that variable this way means that even if a connection were to come in over HTTP, you're telling flask it's HTTPS. This can lead to tokens being leaked.

If you configure Flask and any reverse proxy correctly, this isn't necessary and things will work as intended, with https URLs being correctly generated.

Repository owner deleted a comment from Revisto Feb 22, 2021
Repository owner locked as resolved and limited conversation to collaborators Feb 22, 2021
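
Added example, not code from this thread or from Flask-Dance: a stdlib-only WSGI demonstration contrasting the hardcoded `wsgi.url_scheme` workaround with taking the scheme from the `X-Forwarded-Proto` header set by the reverse proxy. The middleware names, the trusted proxy address and the sample requests are constructed assumptions.

```python
from wsgiref.util import setup_testing_defaults

TRUSTED_PROXY = "127.0.0.1"  # assumption: Nginx proxies from the same host


def callback_app(environ, start_response):
    """Stand-in for the app: returns the redirect_uri it would send to Google."""
    url = f"{environ['wsgi.url_scheme']}://{environ['HTTP_HOST']}/login/google/authorized"
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [url.encode()]


def force_https(app):
    """The workaround from the thread: every request is declared HTTPS."""
    def wrapper(environ, start_response):
        environ["wsgi.url_scheme"] = "https"
        return app(environ, start_response)
    return wrapper


def trust_proxy_proto(app, trusted_proxy=TRUSTED_PROXY):
    """Use X-Forwarded-Proto only when the direct peer is the reverse proxy.
    Requires Nginx to send it: proxy_set_header X-Forwarded-Proto $scheme;
    In a Flask deployment, Werkzeug's ProxyFix middleware applies these headers."""
    def wrapper(environ, start_response):
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "")
        if environ.get("REMOTE_ADDR") == trusted_proxy and proto in ("http", "https"):
            environ["wsgi.url_scheme"] = proto
        return app(environ, start_response)
    return wrapper


def generated_url(app, remote_addr, forwarded_proto=None):
    """Send one constructed request through app and return the URL it built."""
    environ = {"HTTP_HOST": "revisto.com", "REMOTE_ADDR": remote_addr}
    setup_testing_defaults(environ)  # wsgi.url_scheme defaults to "http"
    if forwarded_proto:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    return b"".join(app(environ, lambda status, headers: None)).decode()


if __name__ == "__main__":
    fixed, forced = trust_proxy_proto(callback_app), force_https(callback_app)
    print("no middleware  :", generated_url(callback_app, "127.0.0.1", "https"))
    print("proxy, TLS     :", generated_url(fixed, "127.0.0.1", "https"))
    print("proxy, plain   :", generated_url(fixed, "127.0.0.1", "http"))
    print("forced, plain  :", generated_url(forced, "127.0.0.1", "http"))
    print("spoofed header :", generated_url(fixed, "203.0.113.9", "https"))
```

The "forced, plain" case is the one the last comment warns about: the request arrived over HTTP, yet the app reports and generates `https`, so nothing downstream can tell the connection was unencrypted.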