Google TTS Authentication: Error 400: redirect_uri_mismatch

Tl;dr:
Trying to create an AuthCode following the Url example of settings/services/org.openhab.voice.googletts google gives me an Error page 400: redirect_uri_mismatch instead of an AuthCode

This is openHAB 3.3.0.M6 running on debian buster
I had set up google tts in september 2021 and it had worked nicely for me since then. Yesterday it stopped in mid-talk, between one SAY and the other it stopped working.

First was:

Error initializing Google Cloud TTS service: An unexpected IOException occurred: java.util.concurrent.ExecutionException: java.lang.IllegalArgumentException: Buffering capacity 2097152 exceeded

and after that any attempt to say made a log line: Missing service configuration.

After a while there was an addition to that: Error fetching access token. Invalid authcode? Please generate a new one.

I went on the UI page, copied, edited the url for the authCode generation. Those were of the redirect_uri=urn:ietf:wg:oauth:2.0:oob kind, Google would give me an AuthCode but as soon as I put that into the form the log signaled failure:

2022-06-16 15:14:11.849 [ERROR] [oauth2client.internal.OAuthConnector] - grant type authorization_code to URL https://accounts.google.com/o/oauth2/token failed with error code redirect_uri_mismatch, description Bad Request
2022-06-16 15:14:11.858 [WARN ] [ce.googletts.internal.GoogleCloudAPI] - Error initializing Google Cloud TTS service: Error fetching access token. Invalid authcode? Please generate a new one.

I set TRACE on:
openhab> log:set TRACE org.openhab.voice.googletts openhab> log:set TRACE org.openhab.core.auth.oauth2client
and then entred a new AuthCode into the form. The log reported:

2022-06-16 16:41:17.349 [DEBUG] [.googletts.internal.GoogleTTSService] - Updating configuration
2022-06-16 16:41:17.351 [TRACE] [.googletts.internal.GoogleTTSService] - New configuration: GoogleTTSConfig{pitch=0.0, speakingRate=1.0, volumeGainDb=0.0, purgeCache=false}
2022-06-16 16:41:17.352 [DEBUG] [ce.googletts.internal.GoogleCloudAPI] - Trying to get access and refresh tokens.
2022-06-16 16:41:17.369 [DEBUG] [oauth2client.internal.OAuthConnector] - Oauth request parameter grant_type, value authorization_code
2022-06-16 16:41:17.370 [DEBUG] [oauth2client.internal.OAuthConnector] - Oauth request parameter code, value 4/1AX4XfWgGm9_blablablap2gyM315R6znIAE5Nl78TFjv_50TLkuW0g
2022-06-16 16:41:17.372 [DEBUG] [oauth2client.internal.OAuthConnector] - Oauth request parameter redirect_uri, value https://www.google.com
2022-06-16 16:41:17.373 [DEBUG] [oauth2client.internal.OAuthConnector] - Setting authentication for clientId 537129798020-blablabla1o1kii7bqav309.apps.googleusercontent.com. Using basic auth false
2022-06-16 16:41:17.602 [ERROR] [oauth2client.internal.OAuthConnector] - grant type authorization_code to URL https://accounts.google.com/o/oauth2/token failed with error code invalid_grant, description Bad Request
2022-06-16 16:41:17.608 [DEBUG] [ce.googletts.internal.GoogleCloudAPI] - Error fetching access token: null

When I noticed that redirect_uri was completly different than what the UI gave me I decided to try an update and indeed there was a new oh milestone to install.

Unfortunately, while I see a change it still doesn’t work. there is a different value for the redirect_uri parameter, https://www.google.com.
Following the UI’s example I can open a new tab but instead of a login screen and finally the Authcode I get an error message Error 400: redirect_uri_mismatch

I searched the google cloud console, created an additional client, later created a new project to follow the docu step by step. No change whatever I tried.
Is there a place where I would need to enter the redirect uri so it can be matched successfully?

After hours of trying I feel lost. Thanks for any input

To put my question in other words:

what should be the propper value for the &redirect_uri= parameter part of the url to get an AuthCode?

UI used to advice to use
redirect_uri=urn:ietf:wg:oauth:2.0:oob but doing this now gets an error message about invalid request and the redirect-uri not following googles guidelines.

With the latest milestone the UI proposes
redirect_uri=https://www.google.com but this ends in redirect_uri_mismatch

so, no AuthCode, no voice.

Talking to myself.
Anyway, I finally got it working and the steps may help others.
(thanks to Google add-ons use deprecated OAuth out-of-band (flow) · Issue #12455 · openhab/openhab-addons · GitHub )

So, following the steps at Google Cloud Text-to-Speech - Voices | openHAB with some corrections:

• Select application type Web application
• add https://www.google.com to the “Authorized redirect URIs”.

Now you can use the url the UI suggests to get the AuthCode,
https://accounts.google.com/o/oauth2/v2/auth?scope=https://www.googleapis.com/auth/cloud-platform&access_type=offline&include_granted_scopes=true&response_type=code&redirect_uri=https://www.google.com&client_id=yourId

Click your way through the warnings until a “Continue” opens a Google Search page for you. And there, in the address line, you may find the AuthCode:

https://www.google.com/?code= AuthCode&scope=https://www.googleapis.com/auth/cloud-platform

Copy the value for code only! Paste that into the form of the UI and finally it works again.
Unfortunately only for a few hours - see update below!

Thanks for posting @rubens. I’ve followed along, but running into issues - seems the code just isn’t working for me
I’m on OpenHab 3.2.0, release build

I’ve followed along with your steps, and accessed the url to obtain my auth code.

• I choose my google account to use,
• I then get a note that " Google hasn’t verified this app", click advanced and move forward
• I then see “Openhab home use wants access to your Google Account” (openhab home use is my app name)
• I then get the google search page, with the code in the URL title

https://www.google.com/?code=<my-code-here>&scope=https://www.googleapis.com/auth/cloud-platform

Code looks like this (Adjusted to maintain privacy)
4/0AX4XfWjqXm7_XXX1xxx5lr3v_u2xHm09qHMQZ6YPvG7W6zEGr2XXX8XXXXXXXX2eopuT-sQ

Paste that code into the openhab config and save
I get the following errors in the log

2022-06-23 15:29:28.631 [ERROR] [oauth2client.internal.OAuthConnector] - grant type authorization_code to URL https://accounts.google.com/o/oauth2/token failed with error code redirect_uri_mismatch, description Bad Request
2022-06-23 15:29:28.636 [WARN ] [ce.googletts.internal.GoogleCloudAPI] - Error initializing Google Cloud TTS service: Error fetching access token. Invalid authcode? Please generate a new one.

Wondering if you had any thoughts on this?
Thanks

Full log with the trace enabled as you described above

2022-06-23 15:50:57.908 [DEBUG] [.googletts.internal.GoogleTTSService] - bundle org.openhab.voice.googletts:3.2.0 (303)[org.openhab.voice.googletts.internal.GoogleTTSService(364)] : ConfigurableComponentHolder configuration updated for pid org.openhab.voice.googletts with change count 5
2022-06-23 15:50:57.910 [DEBUG] [.googletts.internal.GoogleTTSService] - bundle org.openhab.voice.googletts:3.2.0 (303)[org.openhab.voice.googletts.internal.GoogleTTSService(364)] : Querying state active
2022-06-23 15:50:57.912 [DEBUG] [.googletts.internal.GoogleTTSService] - bundle org.openhab.voice.googletts:3.2.0 (303)[org.openhab.voice.googletts.internal.GoogleTTSService(364)] : Querying state active
2022-06-23 15:50:57.914 [DEBUG] [.googletts.internal.GoogleTTSService] - bundle org.openhab.voice.googletts:3.2.0 (303)[org.openhab.voice.googletts.internal.GoogleTTSService(364)] : invoking modified: updateConfig: parameters [org.apache.felix.scr.impl.helper.ReadOnlyDictionary]
2022-06-23 15:50:57.915 [DEBUG] [.googletts.internal.GoogleTTSService] - Updating configuration
2022-06-23 15:50:57.917 [TRACE] [.googletts.internal.GoogleTTSService] - New configuration: GoogleTTSConfig{pitch=0.0, speakingRate=1.0, volumeGainDb=0.0, purgeCache=true}
2022-06-23 15:50:57.918 [DEBUG] [ce.googletts.internal.GoogleCloudAPI] - Trying to get access and refresh tokens.
2022-06-23 15:50:57.927 [DEBUG] [oauth2client.internal.OAuthConnector] - Oauth request parameter grant_type, value authorization_code
2022-06-23 15:50:57.929 [DEBUG] [oauth2client.internal.OAuthConnector] - Oauth request parameter code, value 4/0AXXXXWjqXm7_DCM1MN5lr3v_u2xHm09qXXXXXXX6zEGr2Whv8AnDduUzg2eopuT-sQ
2022-06-23 15:50:57.931 [DEBUG] [oauth2client.internal.OAuthConnector] - Oauth request parameter redirect_uri, value urn:ietf:wg:oauth:2.0:oob
2022-06-23 15:50:57.933 [DEBUG] [oauth2client.internal.OAuthConnector] - Setting authentication for clientId 122825148725-p7u1507ihXXXXXta429bvf2tnbd4h0c.apps.googleusercontent.com. Using basic auth false
2022-06-23 15:50:58.199 [ERROR] [oauth2client.internal.OAuthConnector] - grant type authorization_code to URL https://accounts.google.com/o/oauth2/token failed with error code invalid_grant, description Bad Request
2022-06-23 15:50:58.204 [DEBUG] [ce.googletts.internal.GoogleCloudAPI] - Error fetching access token: null
org.openhab.core.auth.client.oauth2.OAuthResponseException: null
	at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
	at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
	at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
	at java.lang.reflect.Constructor.newInstance(Constructor.java:490) ~[?:?]
	at com.google.gson.internal.ConstructorConstructor$3.construct(ConstructorConstructor.java:110) ~[bundleFile:?]
	at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory$Adapter.read(ReflectiveTypeAdapterFactory.java:212) ~[bundleFile:?]
	at com.google.gson.Gson.fromJson(Gson.java:932) ~[bundleFile:?]
	at com.google.gson.Gson.fromJson(Gson.java:897) ~[bundleFile:?]
	at com.google.gson.Gson.fromJson(Gson.java:846) ~[bundleFile:?]
	at com.google.gson.Gson.fromJson(Gson.java:817) ~[bundleFile:?]
	at org.openhab.core.auth.oauth2client.internal.OAuthConnector.doRequest(OAuthConnector.java:319) ~[?:?]
	at org.openhab.core.auth.oauth2client.internal.OAuthConnector.grantTypeAuthorizationCode(OAuthConnector.java:223) ~[?:?]
	at org.openhab.core.auth.oauth2client.internal.OAuthClientServiceImpl.getAccessTokenResponseByAuthorizationCode(OAuthClientServiceImpl.java:211) ~[?:?]
	at org.openhab.voice.googletts.internal.GoogleCloudAPI.getAccessToken(GoogleCloudAPI.java:186) [bundleFile:?]
	at org.openhab.voice.googletts.internal.GoogleCloudAPI.setConfig(GoogleCloudAPI.java:152) [bundleFile:?]
	at org.openhab.voice.googletts.internal.GoogleTTSService.updateConfig(GoogleTTSService.java:236) [bundleFile:?]
	at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
	at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
	at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
	at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
	at org.apache.felix.scr.impl.inject.methods.BaseMethod.invokeMethod(BaseMethod.java:244) [bundleFile:?]
	at org.apache.felix.scr.impl.inject.methods.BaseMethod.access$500(BaseMethod.java:41) [bundleFile:?]
	at org.apache.felix.scr.impl.inject.methods.BaseMethod$Resolved.invoke(BaseMethod.java:685) [bundleFile:?]
	at org.apache.felix.scr.impl.inject.methods.BaseMethod.invoke(BaseMethod.java:529) [bundleFile:?]
	at org.apache.felix.scr.impl.inject.methods.ActivateMethod.invoke(ActivateMethod.java:318) [bundleFile:?]
	at org.apache.felix.scr.impl.inject.methods.ActivateMethod.invoke(ActivateMethod.java:308) [bundleFile:?]
	at org.apache.felix.scr.impl.manager.SingleComponentManager.invokeModifiedMethod(SingleComponentManager.java:854) [bundleFile:?]
	at org.apache.felix.scr.impl.manager.SingleComponentManager.modify(SingleComponentManager.java:808) [bundleFile:?]
	at org.apache.felix.scr.impl.manager.SingleComponentManager.reconfigure(SingleComponentManager.java:723) [bundleFile:?]
	at org.apache.felix.scr.impl.manager.SingleComponentManager.reconfigure(SingleComponentManager.java:684) [bundleFile:?]
	at org.apache.felix.scr.impl.manager.ConfigurableComponentHolder.configurationUpdated(ConfigurableComponentHolder.java:437) [bundleFile:?]
	at org.apache.felix.scr.impl.manager.RegionConfigurationSupport.configurationEvent(RegionConfigurationSupport.java:347) [bundleFile:?]
	at org.apache.felix.scr.impl.manager.RegionConfigurationSupport$2.configurationEvent(RegionConfigurationSupport.java:115) [bundleFile:?]
	at org.apache.felix.cm.impl.ConfigurationManager$FireConfigurationEvent.sendEvent(ConfigurationManager.java:1720) [bundleFile:?]
	at org.apache.felix.cm.impl.ConfigurationManager$FireConfigurationEvent.run(ConfigurationManager.java:1662) [bundleFile:?]
	at org.apache.felix.cm.impl.UpdateThread.run0(UpdateThread.java:122) [bundleFile:?]
	at org.apache.felix.cm.impl.UpdateThread.run(UpdateThread.java:84) [bundleFile:?]
	at java.lang.Thread.run(Thread.java:829) [?:?]
2022-06-23 15:50:58.209 [WARN ] [ce.googletts.internal.GoogleCloudAPI] - Error initializing Google Cloud TTS service: Error fetching access token. Invalid authcode? Please generate a new one.
2022-06-23 15:50:58.210 [DEBUG] [ce.googletts.internal.GoogleCloudAPI] - Cache purged.
2022-06-23 15:50:58.211 [DEBUG] [.googletts.internal.GoogleTTSService] - bundle org.openhab.voice.googletts:3.2.0 (303)[org.openhab.voice.googletts.internal.GoogleTTSService(364)] : invoked modified: updateConfig
2022-06-23 15:50:58.213 [DEBUG] [.googletts.internal.GoogleTTSService] - bundle org.openhab.voice.googletts:3.2.0 (303)[org.openhab.voice.googletts.internal.GoogleTTSService(364)] : No change in target property for dependency $000: currently registered: true
2022-06-23 15:50:58.214 [DEBUG] [.googletts.internal.GoogleTTSService] - bundle org.openhab.voice.googletts:3.2.0 (303)[org.openhab.voice.googletts.internal.GoogleTTSService(364)] : No change in target property for dependency $001: currently registered: true
2022-06-23 15:50:58.215 [DEBUG] [.googletts.internal.GoogleTTSService] - bundle org.openhab.voice.googletts:3.2.0 (303)[org.openhab.voice.googletts.internal.GoogleTTSService(364)] : Querying state active
2022-06-23 15:50:58.217 [DEBUG] [.googletts.internal.GoogleTTSService] - bundle org.openhab.voice.googletts:3.2.0 (303)[org.openhab.voice.googletts.internal.GoogleTTSService(364)] : ImmediateComponentHolder Finished configuring the dependency managers for component for pid org.openhab.voice.googletts 
2022-06-23 15:50:58.218 [DEBUG] [.googletts.internal.GoogleTTSService] - bundle org.openhab.voice.googletts:3.2.0 (303)[org.openhab.voice.googletts.internal.GoogleTTSService(364)] : ImmediateComponentHolder Will not enable component for pid org.openhab.voice.googletts: holder enabled state: true, metadata enabled: true 

I had to change things on my google cloud account side.

• Select application type Web application
• add https://www.google.com to the “Authorized redirect URIs”.

redirect_uri_mismatch simply says that the redirect_uri you transmit with the request isn’t identical with the uri you saved as an Authorized redirect URI

Please double check you changed to the new ID in the openhab config. form.

As to the version, I really have no knowledge what relevant changes were made in which version. From the github thread I linked I took the impression that things were modified for the current milestone. You may want to read there and compare with your situation.

I was an a milestone version already when I started to get errors.
Good luck!

just noticed this in the TRACE you posted:

``Oauth request parameter redirect_uri, value urn:ietf:wg:oauth:2.0:oob```

This is the old way of doing it. Google has deprecated it, or in fact disabled it to start new authentications. I’m not really sure from which source it’s been taken before it ends in that log, but clearly this uri won’t match https://www.google.com

Update:

I had assumed this was the solution already, but something was still missing. The authorization was valid only for a while and broke with the first attempt to refresh it.

In order to get a token which can be refreshed later the request uri needs an additional parameter &prompt=consent

So it looks like this:

https://accounts.google.com/o/oauth2/v2/auth?scope=https://www.googleapis.com/auth/cloud-platform&access_type=offline&include_granted_scopes=true&response_type=code&redirect_uri=https://www.google.com&prompt=consent&client_id= yourId

@rubens Did you confirm that adding &prompt=consent resolved the issue you were having. If so, I can prepare a PR to fix the README, and possibly add a check in the code to complain if the refreshToken is null.

I implemented it before posting the update so it’s life for about 20h now. During this period I saw 7 log entries:
grant type refresh_token to URL https://accounts.google.com/o/oauth2/token success

googletts was active whenever I used it over this period.

Based on that evidence I’m confident the issue is fixed.
Thank you so much for your contribution!

FTR

One caveat remains: when using textual config for googletts I had to re-authorize after each openhab restart, probably cause the Authcode remained in the config file but is used up after the authorization. Tthus I returned to configuring this via UI.

Thank you all, that’s cost me hours.

BTW: during the redirect journey a google dialog asks me to grant access to openhab2 for my openhab3 installation.

I doubt Google would know any about oh3 or oh2 unless you told it in some config detail so you may want to double-check those. Can feel confusing, agreed.

Since web searching for an error I was directed to my own thread I’ll add the tidbit here.

I saw a slightly different error today:

[WARN ] [ce.googletts.internal.GoogleCloudAPI] - Error initializing Google Cloud TTS service: An unexpected IOException occurred: java.util.concurrent.TimeoutException: Total timeout 5000 ms elapsed

Getting a new authCode etc. did not help.
Turned out the problem was an errorneous name server config - while it did return results from the cli it was slow.
Just a reminder that many different scenarios may lead to errors at that line.

Not sure if relevant, but for me removing the last slash / from url www.google.com"/" as Authorised redirect URIs solved it for me. But with the last slash it didnt work.