This article explains how to configure Sign-in Redirect URIs in Okta so that users are safely routed back to the application after authentication. The redirect_uri in the /authorize request must exactly match one of the Sign-in Redirect URIs configured in the application settings; if it does not, Okta rejects the request with a 400 Bad Request error. The article also lists the most common mistakes that lead to that error.
Applies To
- Authorize (GET /authorize) request of the Implicit Flow and the Authorization Code Flow
- Sign-in Redirect URI
- Redirect URI
- OpenID Connect (OIDC)
Follow the steps below.
What is the redirect URI?
The application starts the flow by building the /authorize request. That request carries a redirect_uri parameter, which tells Okta where to send the user, together with the authorization code (or, in the Implicit Flow, the tokens), once they have signed in. Because whoever receives that response can complete the login, Okta only honours a redirect_uri that exactly matches a value an administrator has registered for the application; the application cannot pick an arbitrary destination at request time, and neither can an attacker who tampers with the request.
Below is an example of an /authorize request where https://example.com has been configured as the Sign-in redirect URI. Note that the value is percent-encoded once inside the query string:
https://{yourOktaDomain}/oauth2/v1/authorize?
client_id=0oabucvyc38HLL1ef0h7&
response_type=code&
scope=openid&
redirect_uri=https%3A%2F%2Fexample.com&
state=state-296bc9a0-a2a2-4a57-be1a-d0e2fd9bb601
How to manage redirect URIs within Okta
To add a Sign-in redirect URI in the Okta Admin Console as an administrator:
- Go to Applications > Applications and open the application.
- On the General tab, under General Settings, click Edit.
- In the LOGIN section, under Sign-in redirect URIs, click Add URI and enter the redirect URI exactly as the application sends it (scheme, host, port, path and any trailing slash included).
- Click Save.
Common mistakes with redirect URIs
The redirect_uri sent to Okta in the /authorize request must exactly match one of the Sign-in redirect URIs configured for the application. The comparison is a plain string match: Okta does not normalise either value before comparing them. If the /authorize request fails with "400 Bad Request" and the error description "The 'redirect_uri' parameter must be a Login redirect URI in the client app settings", compare the value in the request with the registered value character by character and check for the following:
- Http vs https: http://example.com and https://example.com are different URIs.
- Trailing slash: https://example.com/callback and https://example.com/callback/ are different URIs.
- Case sensitivity: the path and query are case-sensitive, so /Callback and /callback do not match; keep the whole URI in the same case in both places.
- Port number mismatch: https://example.com:443 is not the same string as https://example.com, and localhost:3000 is not localhost:8080.
- Dynamic query parameters: a query string appended at runtime (for example ?session=123) becomes part of the value and will not match a registered URI that has none. Carry per-request data in the state parameter instead.
- Subdomain mismatches: app.example.com is not example.com; register every host the application is actually served from.
- Wrong list: the URI was added to the Sign-out redirect URIs (or another field) instead of Sign-in redirect URIs.
- URL encoding discrepancies: the redirect_uri must be percent-encoded exactly once in the query string; a double-encoded or un-encoded value decodes to something other than the registered URI.
- Environmental mismatch: the application is using a different Okta org or a different application (client_id) from the one where the URI was registered, for example a production build that still points at the development org.
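The following is an added example, not Okta's code or the article's own. It builds an /authorize request the way the example above does (percent-encoding redirect_uri exactly once), then checks a redirect_uri against an allowed list with the same exact string comparison the article describes, and reports which of the common mistakes explains a rejection. The org domain, the allowed list and the callback paths are assumptions chosen for illustration; the client_id is the one from the article's example request.

```python
"""Exact-match redirect_uri checking, as an added example (not Okta's code).
Assumptions: a placeholder org domain and a hypothetical allowed list."""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

OKTA_DOMAIN = "dev-123456.okta.com"          # assumption: placeholder org
CLIENT_ID = "0oabucvyc38HLL1ef0h7"           # client_id from the article's example
ALLOWED_SIGN_IN_REDIRECTS = [                # assumption: what the admin registered
    "https://example.com/login/callback",
    "http://localhost:8080/login/callback",
]


def build_authorize_url(redirect_uri, state=None):
    """Build the /authorize URL; urlencode percent-encodes redirect_uri once."""
    state = state or "state-" + secrets.token_urlsafe(16)
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return f"https://{OKTA_DOMAIN}/oauth2/v1/authorize?" + urlencode(params)


def redirect_uri_from_request(authorize_url):
    """Return the redirect_uri the server sees after a single percent-decode."""
    query = parse_qs(urlsplit(authorize_url).query)
    return query["redirect_uri"][0]


def is_allowed(redirect_uri, allowed=ALLOWED_SIGN_IN_REDIRECTS):
    """Plain string comparison: no normalisation, no prefix or wildcard match."""
    return redirect_uri in allowed


def diagnose(redirect_uri, allowed=ALLOWED_SIGN_IN_REDIRECTS):
    """Explain why redirect_uri fails the exact match against each allowed URI.

    Returns [] when the URI is allowed, otherwise a list of
    (allowed_uri, [reasons]) pairs naming the mismatches found.
    """
    if is_allowed(redirect_uri, allowed):
        return []
    got = urlsplit(redirect_uri)
    findings = []
    for candidate in allowed:
        want = urlsplit(candidate)
        reasons = []
        if got.scheme == "" and "%3A" in redirect_uri.upper():
            reasons.append("looks double-encoded: ':' arrived as %3A")
        if got.scheme != want.scheme:
            reasons.append(f"scheme {got.scheme!r} vs {want.scheme!r}")
        if got.hostname != want.hostname:
            reasons.append(f"host {got.hostname!r} vs {want.hostname!r}")
        if got.port != want.port:
            reasons.append(f"port {got.port!r} vs {want.port!r}")
        if got.path != want.path:
            if got.path.rstrip("/") == want.path.rstrip("/"):
                reasons.append("trailing slash")
            elif got.path.lower() == want.path.lower():
                reasons.append("path case")
            else:
                reasons.append(f"path {got.path!r} vs {want.path!r}")
        if got.query != want.query:
            reasons.append("query string differs (dynamic parameters are not matched)")
        if not reasons:
            # urlsplit lower-cases scheme and host, so only raw-string
            # differences such as letter case or encoding remain.
            reasons.append("differs only in letter case or percent-encoding")
        findings.append((candidate, reasons))
    return findings


if __name__ == "__main__":
    url = build_authorize_url("https://example.com/login/callback")
    print(url)
    for uri in ("https://example.com/login/callback/",
                "http://example.com/login/callback",
                "https://app.example.com/login/callback?sid=42"):
        print(uri, "->", diagnose(uri))
```

Run it and compare the printed reasons with the list above; to apply the check in your own client, keep the allowed list identical to the Sign-in redirect URIs registered in the Admin Console and pass the exact registered string to build_authorize_url rather than assembling it from the current request's host or query string.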
