Google Analytics OAuth2: How to solve error: "redirect_uri_mismatch"?

Question

I'm trying to get this example to work: https://developers.google.com/analytics/devguides/config/mgmt/v3/quickstart/web-php#enable

The error I'm getting is "Error: redirect_uri_mismatch" .

In order to install the google api resources, I used composer with this command:

php composer.phar require google/apiclient:^2.0.0@RC

This installed the "vendor" folder in my root site folder. My index.php and oauth2callback.php files are located in the "public_html" folder.

Here's a screenshot of my error when going to my site:

The weird thing is that if I navigate to the link above that's included in the error message "Visit ...... to update the authorized..", I get this error message: " The OAuth Client Does Not Exist "

If I click on my only available Client ID, I can navigate to see the URI's which I'll screenshot below as well:

As you can see, under Authorized Javascript origins, I have http://localhost listed, and under authorized redirect URIs, I have my live site followed by the "oauthc2callback.php" file extension.

I don't understand how to get rid of the error I'm getting. I've tried replacing the URI's and putting in different JavaScript origins.

Also, for some reason on that last screenshot, it says that I don't have permission to edit this OAuth client, but I can make edits.

The code I have for index.php:

<?php
// Load the Google API PHP Client Library.
require_once '../vendor/autoload.php';

// Start a session to persist credentials.
session_start();

// Create the client object and set the authorization configuration
// from the client_secretes.json you downloaded from the developer console.
$client = new Google_Client();
$client->setAuthConfigFile('../config/client_secrets.json');
$client->addScope('https://www.googleapis.com/auth/analytics.readonly');

// If the user has already authorized this app then get an access token
// else redirect to ask the user to authorize access to Google Analytics.
if (isset($_SESSION['access_token']) && $_SESSION['access_token']) {
    // Set the access token on the client.
    $client->setAccessToken($_SESSION['access_token']);

    // Create an authorized analytics service object.
    $analytics = new Google_Service_Analytics($client);

    // Get the first view (profile) id for the authorized user.
    $profile = getFirstProfileId($analytics);

    // Get the results from the Core Reporting API and print the results.
    $results = getResults($analytics, $profile);
    printResults($results);
} else {
    $redirect_uri = 'http://' . $_SERVER['HTTP_HOST'] . '/oauth2callback.php';
    header('Location: ' . filter_var($redirect_uri, FILTER_SANITIZE_URL));
}


function getFirstprofileId(&$analytics) {
    // Get the user's first view (profile) ID.

    // Get the list of accounts for the authorized user.
    $accounts = $analytics->management_accounts->listManagementAccounts();

    if (count($accounts->getItems()) > 0) {
        $items = $accounts->getItems();
        $firstAccountId = $items[0]->getId();

        // Get the list of properties for the authorized user.
        $properties = $analytics->management_webproperties
        ->listManagementWebproperties($firstAccountId);

        if (count($properties->getItems()) > 0) {
            $items = $properties->getItems();
            $firstPropertyId = $items[0]->getId();

            // Get the list of views (profiles) for the authorized user.
            $profiles = $analytics->management_profiles
            ->listManagementProfiles($firstAccountId, $firstPropertyId);

            if (count($profiles->getItems()) > 0) {
                $items = $profiles->getItems();

                // Return the first view (profile) ID.
                return $items[0]->getId();

            } else {
                throw new Exception('No views (profiles) found for this user.');
            }
        } else {
            throw new Exception('No properties found for this user.');
        }
    } else {
        throw new Exception('No accounts found for this user.');
    }
}

function getResults(&$analytics, $profileId) {
    // Calls the Core Reporting API and queries for the number of sessions
    // for the last seven days.
    return $analytics->data_ga->get(
    'ga:' . $profileId,
    '7daysAgo',
    'today',
    'ga:sessions');
}

function printResults(&$results) {
    // Parses the response from the Core Reporting API and prints
    // the profile name and total sessions.
    if (count($results->getRows()) > 0) {

        // Get the profile name.
        $profileName = $results->getProfileInfo()->getProfileName();

        // Get the entry for the first entry in the first row.
        $rows = $results->getRows();
        $sessions = $rows[0][0];

        // Print the results.
        print "<p>First view (profile) found: $profileName</p>";
        print "<p>Total sessions: $sessions</p>";
    } else {
        print "<p>No results found.</p>";
    }
}

The code I have for "oauth2callback.php":

<?php
require_once '../vendor/autoload.php';

// Start a session to persist credentials.
session_start();

// Create the client object and set the authorization configuration
// from the client_secrets.json you downloaded from the Developers Console.
$client = new Google_Client();
$client->setAuthConfigFile('../config/client_secrets.json');
$client->setRedirectUri('http://' . $_SERVER['HTTP_HOST'] . '/oauth2callback.php');
$client->addScope('https://www.googleapis.com/auth/analytics.readonly');

// Handle authorization flow from the server.
if (! isset($_GET['code'])) {
    $auth_url = $client->createAuthUrl();
    header('Location: ' . filter_var($auth_url, FILTER_SANITIZE_URL));
} else {
    $client->authenticate($_GET['code']);
    $_SESSION['access_token'] = $client->getAccessToken();
    $redirect_uri = 'http://' . $_SERVER['HTTP_HOST'] . '/';
    header('Location: ' . filter_var($redirect_uri, FILTER_SANITIZE_URL));
}

All of this code was taken from the first website example, except with a few minor additions to make it match my system.

Anyone know how I can get rid of this error? What am I doing wrong?

Answer 1

Remember, as far as Google is concerned, "your" server is hostile until you name it "friendly", you must explicitly whitelist every possible source of an OAuth call TO Google.

Google is a clubbouncer, a big, ugly, unmovable bouncer with a a guest list saying to your application: "I will only deal with your request if your exact name OR id is on the list"

Have you tried including, not only localhost, but all other possible origins?

You must list every possible variation of url "root", including explicit IPs.

http://www.example.com
http://example.com
https://example.com
https://www.example.com
http://222.111.0.111
...

dont forget to include

https://accounts.google.com:443

Answer 2

The redirect Uri in the request MUST be exactly the same as one Uri you stored.

I see a / at the end of the stored one you missed in your request.