Problem
Sign-in fails on the IntelliAuth tenant's error page (you never reach your callback). The URL or error response carries error=invalid_redirect_uri.
The redirect_uri your code sent to /oauth2/authorize does not exactly match any of the URIs registered in the application's settings. "Exactly" includes:
- Trailing slash.
- Protocol (http vs https).
- Host name spelling (app.cymmetri.com vs www.app.cymmetri.com).
- Port number (omitted vs explicit).
- Case sensitivity in the path.
Resolution
- Look at the URL your code is sending. The SDK logs it on error; if you're not using the SDK, the network tab shows the /oauth2/authorize?redirect_uri=... parameter.
- Look at the application's registered redirect URIs in the tenant admin console: Applications → your app → Settings.
- Spot the diff. Fix one or the other.
For local development, register all three of:
- http://localhost:3000/callback
- http://127.0.0.1:3000/callback
- http://localhost:3000/callback/ (with trailing slash)
The platform refuses wildcards (http://localhost:*/callback) per RFC 8252 §7.5.
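To make the "spot the diff" step mechanical, the script below compares the redirect_uri your code sent against each registered URI and names the component that differs. It is an added example, not part of the platform or its SDK: the function names and sample URIs are constructed, and the any-port rule for loopback IP literals is an assumption taken from this page's description, applied locally rather than by the tenant.

```python
from urllib.parse import urlsplit

# RFC 8252 section 7.3 loopback IP literals; per this page they match any port.
LOOPBACK_IPS = {"127.0.0.1", "::1"}

def diff_redirect_uri(sent, registered):
    """List the components in which `sent` differs from one registered URI."""
    s, r = urlsplit(sent), urlsplit(registered)
    diffs = []
    if s.scheme != r.scheme:
        diffs.append("protocol")
    if s.hostname != r.hostname:
        diffs.append("host")
    # An omitted port (None) and an explicit one count as different.
    loopback = s.hostname == r.hostname and s.hostname in LOOPBACK_IPS
    if s.port != r.port and not loopback:
        diffs.append("port")
    if s.path != r.path:
        if s.path.endswith("/") != r.path.endswith("/"):
            diffs.append("trailing slash")
        sp, rp = s.path.rstrip("/"), r.path.rstrip("/")
        if sp != rp:
            diffs.append("path case" if sp.lower() == rp.lower() else "path")
    if s.query != r.query:
        diffs.append("query")
    return diffs

def diagnose(sent, registered_uris):
    """Return (matching registered URI or None, {registered URI: differences})."""
    report = {}
    for reg in registered_uris:
        diffs = diff_redirect_uri(sent, reg)
        if not diffs:
            return reg, {}
        report[reg] = diffs
    return None, report

if __name__ == "__main__":
    # Constructed registrations, as copied from Applications -> your app -> Settings.
    registered = ["https://app.cymmetri.com/callback", "http://127.0.0.1:3000/callback"]
    for sent in ("https://www.app.cymmetri.com/callback/", "http://127.0.0.1:51234/callback"):
        match, report = diagnose(sent, registered)
        print(sent, "->", match or report)
```

Paste the redirect_uri value from the SDK log or network tab as `sent`; an empty difference list means the URI matches that registration.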
Related
- The exception: loopback IPs (http://127.0.0.1) match any port in the registration per RFC 8252. That's the only wildcarding allowed.
- Custom URI schemes for mobile apps (com.cymmetri.banking://callback) must be registered too.