deepseed asked David Marginian Deactivated answered

OAuth redirect URL rejected

In the OAuth process, the redirect URL is being rejected with the message:

The redirect URL https://secure.managemybusiness.app/api/auth/clover/callback/XXXXXXXX/ for app XXXXXXXXXXXXX has been rejected. Either redirect URL is not valid or redirect URL host does not match with site URL.

The redirect URL is valid and correctly calls the API when tested in Postman. And the Site URL is set to https://secure.managemybusiness.app, which matches the redirect URL host.

I'm guessing that I'm missing a backslash or some other simple oversight, but I've tried everything and cannot get this to work.

Any ideas on what is causing this issue?

OAuth

I believe the site url and the redirect url have to match as in exactly.

deepseed, replying to David Marginian:

Thank you for your response, but the documentation states that "A redirect_uri passed to /oauth/authorize must be a subpath of the set Site URL" (which mine is). This makes sense because the Site URL should link to a consumer-facing website, while the redirect_uri should link back to the server that is handling the OAuth authorization.


You're right, sorry about that.

David Marginian Deactivated answered deepseed commented

I checked the server logs. Your app has been created in sandbox, but you are trying to go through the OAuth flow in production. Your app doesn't exist in production and it looks like the redirect URL is validated before the client/app id. Sandbox and production are separate environments. Please see our OAuth docs; all of the examples there use sandbox URLs: https://docs.clover.com/docs/using-oauth-20#oauth-in-sandbox-vs-production.


Thank you for the response David, but this app has been in production for months and I have not used the sandbox environment for at least that long. I also cannot find any references to the Clover sandbox in my code, setup or logs.

I did notice that Clover incorrectly appends the state parameter to the end of the redirect URL using an ampersand when the redirect URL has no other parameters. It should use a question mark in that scenario. For example, Clover creates a redirect URL like www.example.com&state=ABC (an invalid URL) instead of www.example.com?state=ABC. This seems like a Clover bug, but one that is easily worked around if the developer notices what Clover is doing.

Regardless, my issue still persists even after I confirmed I'm using the production Clover environment and I removed all parameters (including state) from my redirect URLs. Here's the updated error:

{"message":"The redirect URL https://secure.managemybusiness.app/api/auth/clover/callback/koTJiqdP7|VQ7wjGILjp|QKlaxbAelp for app MCG1EPP7NVTQ4 has been rejected. Either redirect URL is not valid or redirect URL host does not match with site URL."}

Calling this URL from Postman or a browser returns a 200 status, and the Site URL and the redirect url host are exactly the same.

In case this helps, this url host works perfectly for Clover webhooks (in production). It's just the OAuth process that is having difficulty with it.

Any other ideas on what might be causing this issue? I'm blocked from launching a ton of new features that Clover users will love, so I really appreciate any help you can offer.


In production, your app's site URL is https://secure.managemybusiness.app/signin, not https://secure.managemybusiness.app. Have you tried removing the signin path from your site URL or adjusting your redirect URL to include the signin path?

deepseed, replying to David Marginian:

That would definitely explain the issue, but I don't see the "/signin" part of the URL in the Clover developer site. Here's what I see:

The URL I'm looking at is https://www.clover.com/developer-home/XXXXXXXXXX/apps/MCG1EPP7NVTQ4/app-settings (blocking out an ID that might be confidential).

I also checked the Sandbox settings (https://sandbox.dev.clover.com/developer-home/XXXXXXXX/apps/HT99Z47MPV7K8/app-settings) and it also shows the same URL (without the "/signin" path).

It's likely that I used the "/signin" path at some point in the past. Can you just remove the "/signin" path from wherever you see it? Or point me to the screen where I can change it?

We're getting closer!!! Thank you for your help!

David Marginian Deactivated answered

Developer failed to publish changes to site url.
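
The mismatch this thread ends on (a published Site URL ending in /signin while the callback lives under /api) can be caught locally before calling /oauth/authorize. The following is an added example, not code from the thread or from Clover: it models the documentation sentence quoted above ("must be a subpath of the set Site URL") as an assumed rule, since Clover's actual server-side check is not shown on this page, and `check_redirect` and the `example.net` host are hypothetical.

```python
import posixpath
from typing import Tuple
from urllib.parse import urlsplit

def check_redirect(site_url: str, redirect_uri: str) -> Tuple[bool, str]:
    """Assumed rule: same scheme and host as the Site URL, and a path that
    sits under the Site URL path on a whole-segment boundary."""
    site, redir = urlsplit(site_url), urlsplit(redirect_uri)
    if redir.scheme != site.scheme:
        return False, "scheme mismatch"
    if redir.username or redir.password:
        return False, "userinfo not allowed"
    # Exact host comparison: a suffix or prefix match is not enough.
    if (redir.hostname, redir.port) != (site.hostname, site.port):
        return False, "host mismatch"
    # Collapse "." and ".." so /signin/../api is judged as /api.
    site_path = posixpath.normpath(site.path or "/")
    redir_path = posixpath.normpath(redir.path or "/")
    base = site_path.rstrip("/") + "/"
    # Trailing "/" on both sides keeps /signin-old from matching /signin.
    if not (redir_path + "/").startswith(base):
        return False, "path is not under " + site_path
    return True, "ok"

# Constructed inputs built from the URLs quoted in this thread.
HOST = "https://secure.managemybusiness.app"
CALLBACK = HOST + "/api/auth/clover/callback/XXXXXXXX/"
CASES = [
    (HOST, CALLBACK),                                    # Site URL as the developer saw it
    (HOST + "/signin", CALLBACK),                        # Site URL as published in production
    (HOST + "/signin", HOST + "/signin-old/callback"),   # shares a prefix, not a segment
    (HOST + "/signin", HOST + "/signin/../api/callback"),
    (HOST, HOST + ".example.net/api/callback"),          # look-alike host
]

if __name__ == "__main__":
    for site_url, redirect_uri in CASES:
        print(check_redirect(site_url, redirect_uri), site_url, redirect_uri)
```

Run it against the Site URL value the server actually holds (the published one), not the value shown in an unpublished settings form.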
