I am trying to create a Android project where I authorize a user by having him log into Amazon Cognito in a browser, which should then redirect back to my app. Unfortunately, when the browser opens, instead of reaching the proper sign-in page, I keep getting this error:

In my AuthenticatorActivity.java:

@Override
protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    setContentView(R.layout.activity_authenticator);

    Uri authzUrl = Uri.parse("https://<myDomain>.auth.us-west-2.amazoncognito.com/login?response_type=token&client_id=<myClientId>&redirect_uri=myapp://mainAct");
    Intent launchBrowser = new Intent(Intent.ACTION_VIEW, authzUrl);
    startActivity(launchBrowser);
}

In AndroidManifest:

<activity android:name=".MainActivity">
    <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:host="mainAct" android:scheme="myapp"></data>
    </intent-filter>
</activity>

I can't figure out what I am doing wrong here. Am I missing a step?

Ok, I'm leaving a tidbit here for whoever might find it next. I hit this issue exact same issue, but as a newbie to Cognito and IdP/SSO I had no idea how to fix this. Here is what I did to eventually fix this. We were integrating with an external service, and we were getting this error. Under Chrome Developer Tools -> Network, I started to record the URL's visited, then I tried the SSO integration again. There was a URL that showed up in the list which visited Cognito with a redirect to URL. That URL must be the same URL as listed under the Callback URL for Cognito.

Hopefully, this saves someone some time in the future.

Do check your callback url and sign out url. The corect format is :

app_client_name:https://www.myapp.com/

redirect_uri (1st img) must be the same as in the Callback URL(s) field (2nd img).

1st img

2nd img (App integration -> App client settings under AWS)

Extending on the answer by Dimitris https://mcmap.net/q/298957/-amazon-cognito-how-to-stop-getting-quot-redirect_mismatch-quot-error-when-redirecting-from-browser-to-android-app

If you have a DNS route53 specified for your load balancer. You can specify the same in the callback URL.

https://www.example.com/oauth2/idpresponse

Ref: https://aws.amazon.com/premiumsupport/knowledge-center/elb-configure-alb-authentication-idp/

Another silly mistake I did and took me hours to figure it out was the fact that the value of redirectSignIn in aws-exports.js was completely wrong. When you modify the value of this configuration multiple times through Amplify CLI, it appends a comma treating the value as a List giving you something like this

 "redirectSignIn": "http://localhost:3000/,http://localhost:3000/,http://localhost:3000/,http://localhost:3000/",

Unfortunately, the value is treated as a string when used using HostedUI.

An answer not covered here(probably due to docs being updated recently) is about logout_uri. If you are setting your logout URL to a URL different from your log in URL, you will get redirect mismatch error with redirect_uri parameter.

For e.g.

Log in URL: http://localhost:3000/log_in.html
Call back URL(after login): http://localhost:3000/logged_in.html
Sign out URL(after logout): http://localhost:3000/logged_out.html

I was sending request using redirect_uri parameter to a custom sign out URL page like this

https://xxx.auth.ap-southeast-1.amazoncognito.com/logout?client_id=xxx&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Flogged_out.html

which resulted in redirect mismatch error.

I had to change to logout_uri to make it work.

https://xxx.auth.ap-southeast-1.amazoncognito.com/logout?client_id=xxx&response_type=code&logout_uri=http%3A%2F%2Flocalhost%3A3000%2Flogged_out.html

PS: Make sure that your redirect_uri or logout_uri is same in AWS Cognito console and your code otherwise it will result in redirect mismatch error.

Documentation: https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html#get-logout

I am using amplify with cognito and encountered this error. Fixed by following. In aws-export.ts, there is a redirectSingIn url, it must be the exact same url as in cognito/app Integration/app client setting/ callback url which is where the application runs.

Update: I encountered this problem again in AWS cognito, user pool, App client, client web. After updating the Callback URL(s), things starts to break, even the Callback URL(s) is valid. Later I figured out that it will take some time for the change to sync in. Need to walk away about 10 minutes, then try again.

I solved this by remembering to include http:// in the callbackUrl on the frontend.

const redirect_url=`${window.location.origin}`;

It probably wont be a common reason, but was why mine broke.

This is because of the mismatched url for either redirectSignIn or redirectSignOut. Please check both setup in aws console and code aws_config, and make them consistent.

aws console redirect uri configuration

In my case the error was due to CloudFront serving the old files.

To solve it; you can invalidate CloudFront files via AWS console. p.s. can use /* to invalidate all of the files https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Invalidation.html

You absolutely need to make sure these items are checked if you're requesting a scope, otherwise you get redirect_mismatch (unhelpful error name).

With a config of below from the tutorial here

Auth.configure({
  oauth: {
    domain: aws.idpDomain,
    scope: ['email', 'openid'],
    // we need the /autologin step in between to set the cookies properly,
    // we don't need that when signing out though
    redirectSignIn: aws.redirectSignIn,
    redirectSignOut: aws.redirectSignOut,
    responseType: 'token',
  },
})

In my case is was because in the console I was redirecting to https://localhost:4200 but in the URL I had http://localhost:4200. Note the SSL/TLS version vs. non-SSL/TLS

In the context of Amplify + multiple redirection URLs (inspired by @Oscar Nevarez) I looked at src/aws-export.js :

        "redirectSignIn": "https://example.com/,http://localhost:5173/",
        "redirectSignOut": "https://example.com/,http://localhost:5173/",

Which is NOT digested by Cognito when passed as URL redirect_uri parameter.

My fix was to override these values in src/main.js as follows

awsconfig.oauth.redirectSignIn = `${window.location.origin}/`
awsconfig.oauth.redirectSignOut = `${window.location.origin}/`

Worked both for local and deployed

It's important to say that every time that you change some on your cognito app client the sso url for display the login screen on the IDP also changes, so keep that in mind to update that url where ever you're storing. In my case that was the problem

Assuming your website is behind an application load balancer (ALB), and you have a listener rule that uses a Cognito user pool and Path is * in the IF rule statement, you should configure your 0Auth client app callback url, like:

https://<your-ALB-DNS>/oauth2/idpresponse

This make it work for me at least, with no other fancy config.

Keep in mind though that this will just provide a layer on top of whatever you have behind the ALB. If you have some additional authentication method in it, you have to configure that as well.

1. For me, make sure that you http://localhost:8000/accounts/amazon-cognito/login/callback/ and not http://127.0.0.1:8000/.... Because, 127.0.0.1 and localhost are technically different when it comes to URI redirects. Use localhost.
2. Check OpenID Connect scopes as email, openid, profile in case of scope error

I followed this video "Adding Facebook Sign In for Web Applications with AWS Amplify": https://dev.to/aws/adding-facebook-sign-in-for-web-applications-with-aws-amplify-2fc8

It deploys to localhost, so I then deployed it to a Amplify URL ... I had the same redirect error ad it turned out that I hadn't updated aws-exports.js in the src directory.