The latest articles on DEV Community by marsdiscovery (@marsdiscovery_3d15f443c16). https://dev.to/marsdiscovery_3d15f443c16 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3967735%2Febcffc8c-37bd-4c4d-a217-71fba4ca3392.jpg https://dev.to/marsdiscovery_3d15f443c16 en marsdiscovery Thu, 04 Jun 2026 07:18:26 +0000 https://dev.to/marsdiscovery_3d15f443c16/the-redirecturi-matched-in-the-dashboard-oauth-still-failed-50hl https://dev.to/marsdiscovery_3d15f443c16/the-redirecturi-matched-in-the-dashboard-oauth-still-failed-50hl <p>We spent an afternoon convinced the identity provider was broken. Login worked locally. Staging failed with the usual vague error — redirect mismatch, invalid request, pick your vendor wording.</p> <p>The redirect_uri in our admin console was copied from the ticket. Character for character, it looked identical to what the browser sent. No trailing slash debate. No http vs https surprise.</p> <p>Then I dumped the authorize URL from the network tab and compared it to what we had registered.</p> <p>One query value had been encoded twice. Another used + for a space in a place our stack later read as a literal plus. The path wasn't wrong. The encoding layers were fighting each other.</p> <p>This is the boring class of bug: nothing shows up in a unit test because each function "works" in isolation. The failure only appears when a full URL travels through a form, a framework helper, and a provider that compares strings literally.</p> <p>What I watch for now:</p> <p>Before blaming the IdP, decode the authorize URL once in a sane viewer. I want to see each query key and value split apart, not a single opaque percent soup.</p> <p>Plus vs %20. application/x-www-form-urlencoded treats + as space. Generic URI encoding uses %20. Mix those rules in one redirect chain and you get ghosts.</p> <p>Nested URLs. Some flows put a return URL inside a query parameter. Encode the inner URL as a component, not as "the whole string again with extra % on the %."</p> <p>One-line error JSON from the token endpoint still shows up in the same incident. Pretty-printing it once saves ten minutes of guessing whether the problem is OAuth or your own handler.<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjazxciaz3eehclcrxapo.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjazxciaz3eehclcrxapo.png" alt=" " width="800" height="424"></a></p> <p>Browser tabs I keep for these checks — one job per page, local processing, no account for a two-minute look:</p> <p><a href="https://devcove.dev/en/tools/url-encoder/" rel="noopener noreferrer">https://devcove.dev/en/tools/url-encoder/</a></p> <p><a href="https://devcove.dev/en/tools/json-formatter/" rel="noopener noreferrer">https://devcove.dev/en/tools/url-encoder/</a></p> <p><a href="https://devcove.dev/en/tools/base64/" rel="noopener noreferrer">https://devcove.dev/en/tools/url-encoder/</a></p> <p>I maintain a small toolkit called DevCove for exactly these chores (format, encode, decode in the tab I already have open). curl and server logs still win for reproduction; this is for the moment you're staring at a URL in DevTools and need to know if you're looking at double encoding or a real mismatch.</p> <p>Not claiming OAuth is easy. Half our fix was process: register the exact bytes the browser will send, document which encoder each service uses, stop "fixing" URLs by encoding until it looks scary.</p> <p>If you've shipped OAuth lately — where do you catch encoding bugs first? Provider logs, proxy logs, or a scratch pad in the browser?</p> api devjournal security webdev