google / site-kit-wp

Site Kit is a one-stop solution for WordPress users to use everything Google has to offer to make them successful on the web.
https://sitekit.withgoogle.com
Apache License 2.0

redirect_uri_mismatch when WordPress admin and site using https and not http #415

Closed 101sam closed 4 years ago

101sam commented 5 years ago

Bug Description

redirect_uri_mismatch when WordPress admin and site using HTTPS and not HTTP

https://accounts.google.com/o/oauth2/auth?response_type=code&access_type=offline&client_id=<>.apps.googleusercontent.com&redirect_uri=http%3A%2F%2F<>%3Foauth2callback%3D1&state&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fwebmasters%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fsiteverification%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadsense&prompt=consent

As you can see the redirect_uri is: HTTP and not HTTPS

Steps to reproduce

  1. WordPress installed on HTTPS + Settings > General "Force secure connections" checked.

  2. define('FORCE_SSL_ADMIN', true) (https://wordpress.org/support/article/administration-over-ssl/)

  3. Install Site Kit plugin

  4. Get your API credentials

  5. Connect, see error - 400. That’s an error. Take the error link, change from http -> https, and all works

  6. This will continue when you try to connect services. Same problem, same solution.

Screenshots

Screen Shot 2019-08-17 at 9 55 26 PM


jamesozzie commented 5 years ago

@limitlessv Can you please follow the steps below to try and proceed with your Site Kit setup:

  1. Please check your WordPress site settings under "Settings > General" in your WordPress dashboard. Confirm your WordPress Address (URL) and Site Address (URL) match, and ensure they have a https prefix if you are using a https website.
  2. Restart the Site Kit setup process again
  3. If the same error appears during authentication in your browser address bar paste the following in: https://developers.google.com/web/site-kit/?sitename=yourwebsitecom&siteurl=http://yourwebsite.com
  4. Replace the yourwebsitecom and also http://yourwebsite.com with your own site details. Include the https or http
  5. Press enter, with your cursor in the address bar (as if you are visiting that URL)
  6. Press the "GET OAUTH CREDENTIALS" button
  7. The project details should appear, and you can then copy the credentials and paste them back into the requested field in Site Kit

If the above fails please provide the following:

101sam commented 5 years ago

  1. It's https + Force secure connections - is checked
  2. Done
  3. https://developers.google.com/web/site-kit/?sitename=yourwebsitecom&siteurl=http://yourwebsite.com That's the problem I am trying to report: if the setting Settings > General Force secure connections - is checked and your site is https, the siteurl address should be https, not http as it is today.

jamesozzie commented 5 years ago

@limitlessv You are correct, if your site is https that's what should be reflected in the full URL. You will see a similar issue here - #338.

Can you try deleting the project from Cloud Console, along with removing any associated API keys before attempting again?

101sam commented 5 years ago

hmm it's the same -

jamesozzie commented 5 years ago

@limitlessv Do you have any other sites on the same server you can test with?

101sam commented 5 years ago

Yes, on three different domains. At the moment all of them are WordPress version 5.2.2 and PHP version 7.3.7, and all of them had a similar issue.

jamesozzie commented 5 years ago

Thanks for the update, I will get this escalated. In the meantime can you send a Site Health report for further troubleshooting?

101sam commented 5 years ago

### wp-core ###

version: 5.2.2
site_language: en_US
user_language: en_US
permalink: /%category%/%postname%/
https_status: true
user_registration: 0
default_comment_status: open
multisite: false
user_count: 2
dotorg_communication: true

### wp-paths-sizes ###

wordpress_path: /opt/bitnami/apps/wordpress/htdocs
wordpress_size: loading...
uploads_path: /opt/bitnami/apps/wordpress/htdocs/wp-content/uploads
uploads_size: loading...
themes_path: /opt/bitnami/apps/wordpress/htdocs/wp-content/themes
themes_size: loading...
plugins_path: /opt/bitnami/apps/wordpress/htdocs/wp-content/plugins
plugins_size: loading...
database_size: loading...
total_size: loading...

### wp-active-theme ###

name: Avada
version: 6.0.2
author: ThemeFusion
author_website: https://themeforest.net/item/avada-responsive-multipurpose-theme/2833226?ref=LimitlessV
parent_theme: none
theme_features: service_worker, theme-color, fusion-builder-options, title-tag, automatic-feed-links, custom-header, custom-background, woocommerce, wc-product-gallery-slider, wc-product-gallery-lightbox, post-formats, post-thumbnails, fusion-builder-demos, menus, align-wide, wp-block-styles, editor-styles, editor-font-sizes, widgets
theme_path: /opt/bitnami/apps/wordpress/htdocs/wp-content/themes/Avada

### wp-themes (3) ###

Twenty Nineteen: version: 1.4, author: the WordPress team
Twenty Seventeen: version: 2.2, author: the WordPress team
Twenty Sixteen: version: 2.0, author: the WordPress team

### wp-plugins-active (20) ###

Advanced Custom Fields PRO: version: 5.8.2, author: Elliot Condon (latest version: 5.8.3)
Bookly: version: 17.5, author: Bookly
Contact Form 7: version: 5.1.4, author: Takayuki Miyoshi
Convert Plus: version: 3.5.1, author: Brainstorm Force
Fusion Builder: version: 2.0.2, author: ThemeFusion
Fusion Core: version: 4.0.2, author: ThemeFusion
Fusion White Label Branding: version: 1.1.3, author: ThemeFusion
LayerSlider WP: version: 6.9.0, author: Kreatura Media (latest version: 6.9.1)
Media Library Folders for WordPress: version: 5.0.3, author: Max Foundry
Media Library Folders for WordPress Reset: version: 5.0.3, author: Max Foundry
Post SMTP: version: 2.0.2, author: Yehuda Hassine
PWA: version: 0.3.0, author: PWA Plugin Contributors
Really Simple SSL: version: 3.2.5, author: Rogier Lankhorst, Mark Wolters
Site Kit by Google: version: 1.0.0-beta.1.0.4, author: Google
Slider Revolution: version: 6.0.9, author: ThemePunch
The Events Calendar: version: 4.9.7, author: Modern Tribe, Inc.
UpdraftPlus - Backup/Restore: version: 1.16.16, author: UpdraftPlus.Com, DavidAnderson
Wordfence Security: version: 7.3.6, author: Wordfence
WP-Optimize - Clean, Compress, Cache: version: 3.0.11, author: David Anderson, Ruhani Rabin, Team Updraft
Yoast SEO: version: 11.9, author: Team Yoast

### wp-plugins-inactive (2) ###

Akismet Anti-Spam: version: 4.1.2, author: Automattic
Jetpack by WordPress.com: version: 7.6, author: Automattic

### wp-media ###

image_editor: WP_Image_Editor_GD
imagick_module_version: Not available
imagemagick_version: Not available
gd_version: bundled (2.1.0 compatible)
ghostscript_version: not available

### wp-server ###

server_architecture: Linux 4.9.0-9-amd64 x86_64
httpd_software: Apache
php_version: 7.3.7 64bit
php_sapi: fpm-fcgi
max_input_variables: 3000
time_limit: 180
memory_limit: 512M
max_input_time: 300
upload_max_size: 40M
php_post_max_size: 40M
curl_version: 7.45.0 OpenSSL/1.0.2r
suhosin: false
imagick_availability: false
htaccess_extra_rules: true

### wp-database ###

extension: mysqli
server_version: 8.0.16
client_version: mysqlnd 5.0.12-dev - 20150407 - $Id: 7cc7cc96e675f6d72e5cf0f267f48e167c2abb23 $

### wp-constants ###

WP_HOME: https://limitlessv.com/
WP_SITEURL: https://limitlessv.com/
WP_CONTENT_DIR: /opt/bitnami/apps/wordpress/htdocs/wp-content
WP_PLUGIN_DIR: /opt/bitnami/apps/wordpress/htdocs/wp-content/plugins
WP_MAX_MEMORY_LIMIT: 512M
WP_DEBUG: false
WP_DEBUG_DISPLAY: true
WP_DEBUG_LOG: false
SCRIPT_DEBUG: false
WP_CACHE: true
CONCATENATE_SCRIPTS: undefined
COMPRESS_SCRIPTS: undefined
COMPRESS_CSS: undefined
WP_LOCAL_DEV: undefined

aaemnnosttv commented 5 years ago

The oauth2callback redirect URI is generated from your home_url() which looks as if it should be correct based on the constants you're using.

https://github.com/google/site-kit-wp/blob/b52dc24828a81985b52501743a2c8ee3022db561/includes/Core/Authentication/Clients/OAuth_Client.php#L592-L594

The only thing I can think of is if something is maybe filtering home_url to use an http scheme, but from what I see this does not appear to be the case.

Another thought might be a conflict with another plugin, particularly one that might also load the PHP Google API client (such as UpdraftPlus) which could lead to conflicts with its configuration. Can you try with UpdraftPlus disabled, and if that doesn't work all other plugins disabled as well just to rule out a conflict?
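
The mismatch reported in this issue can be confirmed offline by decoding the `redirect_uri` parameter of the failing authorization URL and comparing it, component by component, with the URI registered for the OAuth client. This is an added example, not part of the original thread or of Site Kit's code; the host `example.test`, the client ID placeholder and all function names are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample shaped like the authorization URL in the issue report
# (example.test and the client ID placeholder are not real values).
AUTH_URL = (
    "https://accounts.google.com/o/oauth2/auth?response_type=code"
    "&access_type=offline"
    "&client_id=CLIENT_ID_PLACEHOLDER.apps.googleusercontent.com"
    "&redirect_uri=http%3A%2F%2Fexample.test%2F%3Foauth2callback%3D1"
    "&state&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email"
    "&prompt=consent"
)

def extract_redirect_uri(auth_url):
    """Return the percent-decoded redirect_uri of an OAuth 2.0 authorization URL."""
    values = parse_qs(urlsplit(auth_url).query).get("redirect_uri")
    if not values:
        raise ValueError("authorization URL has no redirect_uri parameter")
    return values[0]

def _parts(uri):
    # Split a URI into the components compared below; an absent port stays None.
    u = urlsplit(uri)
    return {
        "scheme": u.scheme,
        "host": (u.hostname or "").lower(),
        "port": u.port,
        "path": u.path,
        "query": u.query,
    }

def diff_redirect_uri(sent, registered):
    """List the URI components in which `sent` differs from `registered`."""
    a, b = _parts(sent), _parts(registered)
    return [name for name in a if a[name] != b[name]]

def diagnose(auth_url, registered_uris):
    """Report whether the sent redirect_uri exactly matches a registered one."""
    sent = extract_redirect_uri(auth_url)
    # The authorization server accepts the request only on an exact string match.
    if sent in registered_uris:
        return {"sent": sent, "match": True, "differences": {}}
    diffs = {r: diff_redirect_uri(sent, r) for r in registered_uris}
    return {"sent": sent, "match": False, "differences": diffs}

if __name__ == "__main__":
    print(diagnose(AUTH_URL, ["https://example.test/?oauth2callback=1"]))
```

A result whose only difference is `scheme` corresponds to the situation described in this thread: the plugin sent an `http` callback while the `https` one was registered.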

priit2000 commented 5 years ago

Same problem.

  1. I get the client configuration and
  2. Paste it to the field, then
  3. "proceed" takes me to
  4. "Authenticate with Google" where I get the 400 error then I use the
  5. "https://developers.google.com/web/site-kit/?sitename=yourwebsitecom&siteurl=http://yourwebsite.com" and get the
  6. "client configuration snippet"
  7. Paste it to the field, then
  8. "proceed" takes me to
  9. "Authenticate with Google" where I get the 400 error then I use the
  10. "https://developers.google.com/web/site-kit/?sitename=yourwebsitecom&siteurl=http://yourwebsite.com" and get the
  11. "client configuration snippet"
  12. Paste it to the....

jamesozzie commented 5 years ago

@limitlessv Did you have any luck authenticating Site Kit after deactivating Updraft Plus? If not, can you also attempt after deactivating Really Simple SSL?

@priit2000 If you have any of the mentioned plugins active and you are encountering the same "redirect_uri_mismatch" error, can you try the above suggestions? If that fails to resolve the error, please share your Site Health report so we can see if we spot anything.

jamesozzie commented 5 years ago

Closing this due to no response.

@limitlessv @priit2000 If you are still encountering the same issue, please test with the Really Simple SSL & Updraft plugins deactivated. Feel free to reopen if the same issue persists.

priit2000 commented 5 years ago

Nothing changed. It's still not working, but I don't have time to do this right now. Uninstalled the plugin. Will try again in a couple of months.

101sam commented 5 years ago

Sorry, it took me a while. We just finished setting up an entirely new customer: new domain, new mails, new WordPress with the following plugins: All In One SEO Pack, Post SMTP, Really Simple SSL, Redirection, Site Kit by Google, Wordfence Security, Media Library Folders for WordPress.

Registered new accounts for Google services: Search Console is connected, AdSense is connected, Analytics is connected, PageSpeed Insights is connected, Optimize is connected, Tag Manager is connected.

With almost all services the return was HTTP, not HTTPS as it should be. Not sure how, where, or when the HTTPS switches to HTTP, but it always returns as HTTP.

But not in all cases did we get the error 400; most of the time it was an error of returning HTTP instead of HTTPS.

jamesozzie commented 5 years ago

@limitlessv Thanks for the update. Secure redirection could be configured at host level, .htaccess, plugin or WordPress settings level. Can you test with "Really Simple SSL" deactivated, and start the Site Kit setup process again after disconnecting?

101sam commented 5 years ago

We deactivated all plugins except mail. We removed all settings in .htaccess just in case. We used the "Twenty Seventeen" theme, no posts, only the defaults. And after all of that we can't get back to Site Kit: Unknown Error (code: redirect_uri_mismatch).

About an hour or more later, and after a long process, we disabled the HTTP redirect in:

/opt/bitnami/apache2/conf/bitnami/bitnami.conf

Our comments start with ###

<VirtualHost _default_:80>
  DocumentRoot "/opt/bitnami/apache2/htdocs"
  RewriteEngine On
  # BEGIN: Enable HTTP to HTTPS redirection
  ###RewriteCond %{HTTPS} !=on
  ###RewriteCond %{HTTP_HOST} !^(localhost|127.0.0.1)
  ###RewriteCond %{REQUEST_URI} !^/\.well-known
  ###RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
  # END: Enable HTTP to HTTPS redirection

which was changed during the SSL certificate installation using:

/opt/bitnami/bncert-tool

======

It does not solve the site kit problem of redirect but enabled us to reactivate it using mixed-mode HTTPS to return to HTTP

====== Screen Shot 2019-08-29 at 4 24 57 AM

Screen Shot 2019-08-29 at 4 51 28 AM

Screen Shot 2019-08-29 at 4 18 10 AM Screen Shot 2019-08-29 at 4 19 05 AM

jamesozzie commented 5 years ago

@limitlessv Thanks for checking. Now that you have removed redirection can you also attempt to connect Site Kit again after deactivating the following plugins

101sam commented 5 years ago

Not sure what you are asking for: as you can see, all plugins are disabled (inactive) except two: Post SMTP - for emailing, and Google Site Kit.

jamesozzie commented 5 years ago

@limitlessv Have you been able to set up Site Kit successfully since the last plugin update? Looking at one of your screenshots I can see your site is secure (https) although the "Redirect URI" is http, which could be the cause. If you want to manually obtain your credentials you can do so by accessing the following URL, modifying it with your own details:

https://developers.google.com/web/site-kit/?sitename=**sitename**&siteurl=http://**sitename**.com

priit2000 commented 5 years ago

Yes, it works now

Best Regards Priit Kallas +372 5023598

On Fri, 11 Oct 2019 at 21:03, James G notifications@github.com wrote:

@limitlessv Have you been able to setup Site Kit successfully since the last plugin update? Looking at one of your screenshots I can see your site is secure (https) although the "Redirect URI" is http, which could be the cause. If you want to manually obtain your credentials you can do so by accessing the following URL, modifying it with your own details:

https://developers.google.com/web/site-kit/?sitename=**sitename**&siteurl=http://**sitename**.com
