n8n OAuth2 redirect URI mismatch – fix the /rest/oauth2-credential/callback error

Step by Step Guide to solve n8n OAuth2 Redirect URI Mismatch Error


Who this is for: n8n users who configure OAuth2 credentials (e.g., Google, GitHub, Azure AD) and encounter the redirect_uri_mismatch error in production or staging environments. We cover this in detail in the n8n Authentication Errors Guide.


Quick Diagnosis

| Step | Action | Result |
|---|---|---|
| 1 | Open n8n → Settings → Credentials and edit the OAuth2 credential you’re using. | The Redirect URI field appears. |
| 2 | Copy the displayed URI (e.g., https://your‑n8n‑domain.com/rest/oauth2-credential/callback). | This is the exact callback n8n will send. |
| 3 | In the provider console (Google, GitHub, Azure AD, etc.) locate Authorized redirect URIs. | Provider whitelist ready. |
| 4 | Paste the copied URI exactly (no trailing slash, no extra encoding). | Provider now recognises n8n’s callback. |
| 5 | Save the provider settings, then click Test in the n8n credential dialog. | OAuth flow completes → no “redirect_uri_mismatch”. |
| 6 | (Optional) Add the same URI to any environment‑specific n8n instances (dev, staging, prod). | Consistent behaviour across environments. |

*If the error persists, verify that the domain in the URI matches the Public URL under Settings → General → Public URL and that the protocol (http vs https) is identical.*


1. What the “redirect_uri_mismatch” Error Means in n8n

When n8n starts an OAuth2 flow it sends a redirect_uri parameter to the provider’s authorization endpoint. The provider validates this value against the whitelist you registered. Any deviation—different domain, protocol, or trailing slash—triggers:

error: redirect_uri_mismatch

Because n8n builds the URI from its Public URL setting, a mismatch between that URL and the one you registered breaks the flow.

2. Where n8n Generates the Redirect URI

  1. Public URL – Set under Settings → General → Public URL.
  2. OAuth2 Credential – The credential dialog shows a read‑only Redirect URI field that concatenates the public URL with the internal callback path:
    {PUBLIC_URL}/rest/oauth2-credential/callback
  3. Workflow‑specific Override – Advanced users can add a redirectUri property in the credential JSON, but the default is recommended for consistency.

EEFA Note: In production always serve n8n over HTTPS with a fully‑qualified domain (no port numbers). Mixed‑content or self‑signed certificates cause providers (e.g., Google) to reject the redirect even if the URI string matches.


3. Configuring the Provider – Step‑by‑Step

| Provider | Settings Page | Field Name | Exact Value |
|---|---|---|---|
| Google | APIs & Services → Credentials | Authorized redirect URIs | https://n8n.example.com/rest/oauth2-credential/callback |
| GitHub | OAuth Apps → Edit | Authorization callback URL | https://n8n.example.com/rest/oauth2-credential/callback |
| Azure AD | App registrations → Authentication | Redirect URIs (Web) | https://n8n.example.com/rest/oauth2-credential/callback |
| Slack | OAuth & Permissions → Redirect URLs | Redirect URLs | https://n8n.example.com/rest/oauth2-credential/callback |

Provider‑Setup Checklist

  • Exact domain – matches the Public URL (including sub‑domains).
  • Protocol – https:// unless you deliberately run n8n on http in a trusted internal network.
  • No trailing slash – the URI must not end with /.
  • No URL‑encoding – paste the raw URL; n8n will encode it automatically.
  • Save – most consoles require an explicit “Save” before changes take effect.

4. Setting the Redirect URI Inside n8n

  1. Navigate to Credentials → New Credential → OAuth2 API (or edit an existing one).
  2. Fill in Client ID, Client Secret, and any required Scope.
  3. Do NOT edit the Redirect URI field – it is auto‑populated.
  4. Click Test.

If the test succeeds, the credential is stored and the redirect URI is correctly registered with the provider.

Minimal Credential JSON (Export) – Part 1

{
  "name": "Google OAuth2",
  "type": "OAuth2Api",
  "nodes": [
    {
      "parameters": {
        "clientId": "YOUR_CLIENT_ID",
        "clientSecret": "YOUR_CLIENT_SECRET",
        "scope": "https://www.googleapis.com/auth/drive.file"
      },
      "type": "n8n-nodes-base.oauth2Api",
      "name": "Google OAuth2"
    }
  ]
}

Minimal Credential JSON – Part 2 (Redirect URI)

{
  "redirectUri": "https://n8n.example.com/rest/oauth2-credential/callback"
}

EEFA Warning: Do not hard‑code a different redirectUri unless you also update the provider’s whitelist. Mismatched environments (dev vs prod) are a common source of intermittent failures.


5. Verifying the Flow with n8n’s Built‑in OAuth2 Tester

  1. After entering client details, click Test in the credential dialog.
  2. A new browser tab opens the provider’s consent screen.
  3. Approve the requested scopes.
  4. If you are redirected back to n8n and see a *“Success”* toast, the redirect URI is correct.

If the provider shows an error page, copy the message and compare it to the table in Section 3.


6. Advanced Troubleshooting Checklist

| Symptom | Likely Cause | Fix |
|---|---|---|
| redirect_uri_mismatch after a domain change | Public URL still points to old domain | Update Settings → General → Public URL and restart n8n. |
| Error persists despite matching URIs | Provider caches old URIs (common with Google) | Re‑save the OAuth client in the provider console or wait up to 10 minutes. |
| “Invalid request” after consent | Trailing slash added by reverse proxy | Ensure the reverse proxy forwards the exact path without appending /. |
| OAuth works locally but fails in production | Production uses a different sub‑domain | Register both dev and prod URIs in the provider console. |
| “Redirect URI is not whitelisted” after adding https:// | Provider only allows http for localhost testing | Use a tunneling service (e.g., ngrok) with a consistent sub‑domain and register that URI. |

Enable Debug Logging

environment:
  - N8N_LOG_LEVEL=debug

Inspect n8n.log for lines containing OAuth2; they display the full redirect_uri value.
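As an added example (not n8n’s own code and not part of this guide), the Python script below rebuilds the callback the way Section 2 describes it, {PUBLIC_URL}/rest/oauth2-credential/callback, from the N8N_PROTOCOL, N8N_HOST and N8N_PORT values, compares it with the URIs registered at the provider, names the mismatch class from the Section 3 checklist and the Section 6 table (protocol, host, port, trailing slash, URL‑encoding), and extracts the redirect_uri value from debug log lines such as the ones this section tells you to look for. The log line, hostnames and function names (build_redirect_uri, diagnose, redirect_uri_from_log) are my own constructed samples and assumptions, not values taken from n8n.

```python
"""Check an n8n OAuth2 redirect URI against a provider whitelist (added example)."""
import re
from typing import List, Optional
from urllib.parse import unquote, urlsplit

# Internal callback path n8n appends to the Public URL (from Section 2 of the guide).
CALLBACK_PATH = "/rest/oauth2-credential/callback"


def build_redirect_uri(protocol: str, host: str, port: Optional[str] = None) -> str:
    """Rebuild the redirect URI n8n derives from its public URL components.

    Default ports (443 for https, 80 for http) are dropped so the result has the
    'no port numbers' form the guide recommends for production; any other port is kept
    because n8n would include it in the Public URL.
    """
    scheme = protocol.lower()
    default_port = {"https": "443", "http": "80"}.get(scheme)
    authority = host.lower()
    if port and port != default_port:
        authority = f"{authority}:{port}"
    return f"{scheme}://{authority}{CALLBACK_PATH}"


def diagnose(expected: str, registered: List[str]) -> List[str]:
    """Return [] when the whitelist contains the exact URI, else one reason per entry.

    Providers compare the string exactly, so each reason names the first difference
    in the order a practitioner checks it: protocol, host, port, trailing slash,
    URL-encoding, then any other path difference.
    """
    if expected in registered:
        return []
    e = urlsplit(expected)
    reasons = []
    for entry in registered:
        p = urlsplit(entry)
        if p.scheme != e.scheme:
            reasons.append(f"{entry}: protocol {p.scheme} != {e.scheme}")
        elif p.hostname != e.hostname:
            reasons.append(f"{entry}: host {p.hostname} != {e.hostname}")
        elif p.port != e.port:
            # An explicit default port (":443") still differs as a string.
            reasons.append(f"{entry}: port {p.port} != {e.port}")
        elif p.path != e.path and p.path.rstrip("/") == e.path:
            reasons.append(f"{entry}: trailing slash")
        elif p.path != e.path and unquote(p.path) == e.path:
            reasons.append(f"{entry}: URL-encoded path")
        elif p.path != e.path:
            reasons.append(f"{entry}: path {p.path} != {e.path}")
        else:
            reasons.append(f"{entry}: differs only in case, query or fragment")
    return reasons


def redirect_uri_from_log(lines: List[str]) -> List[str]:
    """Pull every redirect_uri value out of log lines that carry an authorization URL.

    The value is percent-encoded inside the query string, so it is decoded before
    being returned for comparison with the provider whitelist.
    """
    found = []
    for line in lines:
        for match in re.findall(r"redirect_uri=([^&\s]+)", line):
            found.append(unquote(match))
    return found


# Constructed sample log line, in the spirit of an N8N_LOG_LEVEL=debug entry; the
# exact layout of a real n8n log line may differ.
SAMPLE_LOG = [
    "2024-01-01T00:00:00.000Z | debug | OAuth2 authorization URL: "
    "https://accounts.provider.example/o/oauth2/auth?client_id=abc"
    "&redirect_uri=https%3A%2F%2Fn8n.example.com%2Frest%2Foauth2-credential%2Fcallback"
    "&response_type=code",
]

if __name__ == "__main__":
    expected = build_redirect_uri("https", "n8n.example.com")
    # Constructed whitelist showing three common mistakes from the troubleshooting table.
    whitelist = [
        "http://n8n.example.com/rest/oauth2-credential/callback",      # wrong protocol
        "https://n8n.example.com/rest/oauth2-credential/callback/",    # trailing slash
        "https://dev.n8n.example.com/rest/oauth2-credential/callback", # other sub-domain
    ]
    print("expected :", expected)
    print("from log :", redirect_uri_from_log(SAMPLE_LOG))
    for reason in diagnose(expected, whitelist):
        print("mismatch :", reason)
```

Run it after setting N8N_LOG_LEVEL=debug: feed the log lines containing OAuth2 to redirect_uri_from_log, confirm the value equals build_redirect_uri for your N8N_PROTOCOL/N8N_HOST/N8N_PORT, then pass that value and the provider console’s list to diagnose; an empty result means the whitelist already holds the exact string, and any other result names which checklist item to fix first.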


7. Production‑Grade EEFA Enhancements

  • Certificate Management – Deploy a trusted TLS certificate (Let’s Encrypt or enterprise PKI). Self‑signed certs cause most providers to reject the redirect even when the string matches.
  • Environment Variables – Store the public URL components (N8N_HOST, N8N_PROTOCOL, N8N_PORT) in env vars and reference them in your Docker/Kubernetes manifest to avoid drift.
  • Immutable Credential IDs – When rotating client secrets, create a new credential in n8n rather than editing the existing one; this prevents stale redirect‑URI caches.
  • Audit Logging – Set N8N_LOG_OUTPUT=stdout and ship logs to a SIEM. Flag OAuth errors for rapid incident response.

8. Next Steps

  • Secure your n8n instance – configure role‑based access control and enable 2FA.
  • Implement custom OAuth2 providers – when the built‑in list doesn’t cover your API.
  • Automate credential rotation – using n8n workflows and secret managers (AWS Secrets Manager, HashiCorp Vault).

Conclusion

The “redirect_uri_mismatch” error is always a mismatch between n8n’s dynamically built callback URL and the exact URI whitelisted in the OAuth provider. By ensuring the Public URL in n8n matches the domain you register, copying the auto‑generated Redirect URI verbatim, and adhering to the provider’s formatting rules, the OAuth flow completes reliably in any environment. Apply the production‑grade EEFA practices—TLS, immutable credentials, and structured logging—to keep the integration secure and maintainable at scale.
