
Amazon Cognito: How to stop getting "redirect_mismatch" error when redirecting from browser to Android app

I am trying to create an Android project where I authorize a user by having him log into Amazon Cognito in a browser, which should then redirect back to my app. Unfortunately, when the browser opens, instead of reaching the proper sign-in page, I keep getting this error:

[screenshot]

In my AuthenticatorActivity.java:

@Override
protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    setContentView(R.layout.activity_authenticator);

    Uri authzUrl = Uri.parse("https://<myDomain>.auth.us-west-2.amazoncognito.com/login?response_type=token&client_id=<myClientId>&redirect_uri=myapp://mainAct");
    Intent launchBrowser = new Intent(Intent.ACTION_VIEW, authzUrl);
    startActivity(launchBrowser);
}

In AndroidManifest:

<activity android:name=".MainActivity">
    <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:host="mainAct" android:scheme="myapp"></data>
    </intent-filter>
</activity>

I can't figure out what I am doing wrong here. Am I missing a step?

Ok, I'm leaving a tidbit here for whoever might find it next. I hit this exact same issue, but as a newbie to Cognito and IdP/SSO I had no idea how to fix this. Here is what I did to eventually fix this. We were integrating with an external service, and we were getting this error. Under Chrome Developer Tools -> Network, I started to record the URLs visited, then I tried the SSO integration again. There was a URL that showed up in the list which visited Cognito with a redirect-to URL. That URL must be the same URL as listed under the Callback URL for Cognito.

Hopefully, this saves someone some time in the future.

Do check your callback URL and sign-out URL. The correct format is:

app_client_name:https://www.myapp.com/


Extending on the answer by Dimitris https://stackoverflow.com/a/60456018/6883773

If you have a Route 53 DNS name specified for your load balancer, you can specify the same in the callback URL.

https://www.example.com/oauth2/idpresponse

Ref: https://aws.amazon.com/premiumsupport/knowledge-center/elb-configure-alb-authentication-idp/

I am using Amplify with Cognito and encountered this error. Fixed by the following. In aws-exports.ts there is a redirectSignIn URL; it must be the exact same URL as in Cognito / App integration / App client settings / Callback URL, which is where the application runs.

Update: I encountered this problem again in AWS Cognito, user pool, App client, client web. After updating the Callback URL(s), things started to break, even though the Callback URL(s) were valid. Later I figured out that it takes some time for the change to sync in. Need to walk away for about 10 minutes, then try again.

Another silly mistake I made, which took me hours to figure out, was the fact that the value of redirectSignIn in aws-exports.js was completely wrong. When you modify the value of this configuration multiple times through the Amplify CLI, it appends a comma, treating the value as a list, giving you something like this:

 "redirectSignIn": "http://localhost:3000/,http://localhost:3000/,http://localhost:3000/,http://localhost:3000/",

Unfortunately, the value is treated as a single string when used by the Hosted UI.

In my case the error was due to CloudFront serving the old files.

To solve it, you can invalidate CloudFront files via the AWS console. PS: you can use /* to invalidate all of the files: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Invalidation.html

I solved this by remembering to include http:// in the callbackUrl on the frontend.

const redirect_url=`${window.location.origin}`;

It probably won't be a common reason, but it was why mine broke.

This is because of a mismatched URL for either redirectSignIn or redirectSignOut. Please check both the setup in the AWS console and the code's aws_config, and make them consistent.

aws console redirect uri configuration

In my case it was because in the console I was redirecting to https://localhost:4200 but in the URL I had http://localhost:4200. Note the SSL/TLS version vs. the non-SSL/TLS one.

Assuming your website is behind an application load balancer (ALB), and you have a listener rule that uses a Cognito user pool and Path is * in the IF rule statement, you should configure your OAuth client app callback URL like:

https://<your-ALB-DNS>/oauth2/idpresponse

This made it work for me at least, with no other fancy config.

Keep in mind though that this will just provide a layer on top of whatever you have behind the ALB. If you have some additional authentication method in it, you have to configure that as well.

You absolutely need to make sure these items are checked if you're requesting a scope, otherwise you get redirect_mismatch (unhelpful error name).

[screenshot]

With a config like the one below, from the tutorial here:

Auth.configure({
  oauth: {
    domain: aws.idpDomain,
    scope: ['email', 'openid'],
    // we need the /autologin step in between to set the cookies properly,
    // we don't need that when signing out though
    redirectSignIn: aws.redirectSignIn,
    redirectSignOut: aws.redirectSignOut,
    responseType: 'token',
  },
})

In my case I use amplify just like Feng Zhang. After changing the callback url, I had to wait over an hour for the changes to take effect.

redirect_uri (1st img) must be the same as in the Callback URL(s) field (2nd img).

1st img

[screenshot]

2nd img (App integration -> App client settings under AWS)

[screenshot]

In the context of Amplify + multiple redirection URLs (inspired by @Oscar Nevarez ) I looked at src/aws-export.js :

        "redirectSignIn": "https://example.com/,http://localhost:5173/",
        "redirectSignOut": "https://example.com/,http://localhost:5173/",

which is NOT accepted by Cognito when passed as the redirect_uri URL parameter.

My fix was to override these values in src/main.js as follows:

awsconfig.oauth.redirectSignIn = `${window.location.origin}/`
awsconfig.oauth.redirectSignOut = `${window.location.origin}/`

Worked both for local and deployed.
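The comma-joined redirectSignIn value described a few answers up and the origin-based override in this answer both come down to the same rule: an OAuth authorization server such as Cognito compares redirect_uri to the registered callback URLs as an exact string, with no normalisation of scheme, trailing slash or list separators. The following JavaScript is an added example, not code from the question, any answer, Amplify or AWS; it shows the kind of exact-match check the server performs, reports which of the mismatches mentioned in this thread a candidate value trips over, and picks the right entry out of a comma-joined Amplify list for the origin the app is actually running on. The registered URLs and the function names are constructed for the example.

```javascript
// Added example: exact-match redirect_uri checking and a resolver for the
// comma-joined redirectSignIn value Amplify CLI can leave in aws-exports.js.
// Not part of the original post; names and sample URLs are constructed.

// Assumed "Callback URL(s)" registered on the Cognito app client (constructed).
const REGISTERED_CALLBACKS = [
  "https://www.example.com/",
  "http://localhost:3000/",
];

// Compare a candidate redirect_uri against the registered list the way an
// authorization server should: byte-for-byte. Returns { ok: true } on an exact
// match, otherwise { ok: false, reason } naming the most likely discrepancy so
// the developer sees more than a bare "redirect_mismatch".
function checkRedirectUri(candidate, registered = REGISTERED_CALLBACKS) {
  if (registered.includes(candidate)) {
    return { ok: true };
  }
  // Amplify CLI can append entries with commas; Cognito sees one opaque string.
  if (candidate.includes(",")) {
    return { ok: false, reason: "comma-joined list, not a single URL" };
  }
  // "https://host" vs "https://host/" are different strings to the server.
  for (const r of registered) {
    if (candidate + "/" === r || r + "/" === candidate) {
      return { ok: false, reason: "trailing slash mismatch" };
    }
  }
  let cand;
  try {
    cand = new URL(candidate);
  } catch {
    return { ok: false, reason: "not a valid absolute URL" };
  }
  for (const r of registered) {
    const reg = new URL(r);
    // Same host but http vs https (the localhost:4200 case above).
    if (cand.host === reg.host && cand.protocol !== reg.protocol) {
      return {
        ok: false,
        reason: `scheme mismatch (${cand.protocol} vs registered ${reg.protocol})`,
      };
    }
    // Same origin, different path (e.g. /callback registered as /).
    if (cand.origin === reg.origin) {
      return {
        ok: false,
        reason: `path mismatch ("${cand.pathname}" vs registered "${reg.pathname}")`,
      };
    }
  }
  return { ok: false, reason: "no registered callback URL matches" };
}

// Given a possibly comma-joined redirectSignIn/redirectSignOut value, return the
// single entry whose origin matches where the app is running (the same idea as
// overriding with window.location.origin, but keeping the configured path).
function resolveRedirectUri(configured, currentOrigin) {
  const candidates = configured.split(",").map((s) => s.trim()).filter(Boolean);
  const match = candidates.find((u) => {
    try {
      return new URL(u).origin === currentOrigin;
    } catch {
      return false;
    }
  });
  if (!match) {
    throw new Error(`no configured redirect URL for origin ${currentOrigin}`);
  }
  return match;
}

// Stand-alone demonstration with constructed inputs.
if (typeof window === "undefined" && typeof require !== "undefined" && require.main === module) {
  for (const c of [
    "https://www.example.com/",
    "https://www.example.com",
    "http://www.example.com/",
    "http://localhost:3000/,http://localhost:3000/",
    "http://localhost:3000/callback",
  ]) {
    console.log(c, "->", checkRedirectUri(c));
  }
  console.log(resolveRedirectUri("https://example.com/,http://localhost:5173/", "http://localhost:5173"));
}
```

In a browser build you would call resolveRedirectUri with window.location.origin before passing the value to Auth.configure; running checkRedirectUri against the list you registered in the console is a quick way to see which of the discrepancies in this thread (scheme, trailing slash, path, comma-joined list) is producing the error.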

I followed this video "Adding Facebook Sign In for Web Applications with AWS Amplify": https://dev.to/aws/adding-facebook-sign-in-for-web-applications-with-aws-amplify-2fc8

It deploys to localhost, so I then deployed it to an Amplify URL ... I had the same redirect error, and it turned out that I hadn't updated aws-exports.js in the src directory.
