OIDC redirect_uri_mismatch: causes, evidence, and fixes

Common symptoms

• Authentication succeeds at the IdP but the application login fails.
• The token exchange fails with invalid_grant or redirect_uri_mismatch.
• The callback URL differs between test, staging, production, apex, or www domains.

Evidence to collect

• Authorization request URL including client_id, redirect_uri, state, and scope.
• Application callback URL observed in the browser.
• The redirect URIs registered in the IdP OIDC client.
• Application logs around the code exchange failure.

Common causes

• Production application is still using a staging callback URL.
• IdP client allows only the old redirect URI.
• The app switched from apex to www or from one hostname to another.
• The redirect_uri used in the authorization request differs from the one used in the token request.

How to fix or triage it

• Choose one canonical callback URL.
• Register the exact redirect URI in the IdP OIDC client.
• Update application environment variables to use the same canonical URL.
• Retest with a fresh login after clearing old cookies or sessions.

How AccessTrace AI helps

• Extracts expected and actual redirect URI values from pasted evidence.
• Flags mixed staging and production OIDC configuration.
• Generates vendor-facing questions and ticket-ready remediation language.

Example evidence

Error: redirect_uri_mismatch
Expected redirect_uri: https://app.example.com/auth/callback
Actual redirect_uri: https://app.example.com/oidc/callback
Registered redirect URI at IdP: https://app.example.com/oidc/callback-staging

Turn messy access evidence into a report

Paste sanitized SSO, directory, certificate, or access-policy evidence into AccessTrace AI and generate findings, remediation steps, vendor questions, and ticket-ready language.

Related AccessTrace resources

• OIDC invalid_audience
• OIDC troubleshooting use case
• SSO troubleshooting tool
• IAM troubleshooting tool
• Access troubleshooting report tool