OAuth 2.0 Integration Tips: When testing your redirect URL….

Hey Devs,

I’ve been playing around with the new QuickBooks Online OAuth 2.0 integration and came across an error which caused me a few hours of grief. To save you guys time I decided to write about it and show you how to avoid this minor hiccup.

The Redirect URL

Your app serves the Redirect URI to users upon authentication. What this means is, this is the URI to which your users get redirected after successfully signing in to your app. You can set this up in the Redirect URIs section of the Keys tab in your app’s dashboard from your Intuit Developer account.

For development purposes, you’ll most likely redirect to your localhost, as we did with Redirect URI 2 in this screenshot. By the way, we keep Redirect URI–supplied by Intuit Developer on your behalf–intact to allow the OAuth 2.0 playground to work with your credentials. This is not required but is convenient to have for testing purposes.

So what is the catch?

The tricky thing is the Redirect URIs description mentions, “All URI requests must use HTTPS.” This is true for all cases except for one, and that one is when you are testing on your localhost. In this case, using HTTPS results in the following error when you test the authentication flow.

Avoid this hiccup by simply using HTTP instead of HTTPS for your localhost redirect URI. That’s it!

Avoid this pitfall to save yourself some time and grief.

Happy Coding!

Jimmy Wong

Intuit Developer Evangelist.
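
The rule from the post, plus the handling of the redirect once it arrives, as an added example (not code from the original post or from Intuit). The function names, the sample URIs and the exact-string comparison against the registered list are assumptions made for illustration.

```python
import hmac
from urllib.parse import parse_qs, urlsplit


def check_redirect_uri(uri, registered_uris):
    """Return the reasons this redirect URI would be rejected (empty list = OK)."""
    problems = []
    parts = urlsplit(uri)
    host = (parts.hostname or "").lower()
    if host == "localhost":
        # The post's one exception: the localhost redirect uses plain HTTP.
        if parts.scheme != "http":
            problems.append("localhost redirect must use http, not " + parts.scheme)
    elif parts.scheme != "https":
        problems.append("non-localhost redirect must use https")
    # Assumption: registered URIs are compared as exact strings.
    if uri not in registered_uris:
        problems.append("URI is not listed under Redirect URIs in the app's Keys tab")
    return problems


def read_callback(callback_url, redirect_uri, expected_state):
    """Extract the authorization code from the URL the browser was redirected to."""
    got, want = urlsplit(callback_url), urlsplit(redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback did not arrive on the configured redirect URI")
    params = parse_qs(got.query)
    if "error" in params:
        raise ValueError("authorization failed: " + params["error"][0])
    state = params.get("state", [""])[0]
    # Constant-time comparison; a mismatched state means this response does
    # not answer the authorization request this client started.
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if "code" not in params:
        raise ValueError("no code parameter in callback")
    return params["code"][0]


# Constructed sample values, not real credentials or Intuit-issued URIs.
REGISTERED = ["https://app.example.com/callback", "http://localhost:3000/callback"]

if __name__ == "__main__":
    for uri in ("http://localhost:3000/callback", "https://localhost:3000/callback"):
        print(uri, "->", check_redirect_uri(uri, REGISTERED) or "ok")
    print(read_callback("http://localhost:3000/callback?code=abc123&state=xyz",
                        "http://localhost:3000/callback", "xyz"))
```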






15 responses to “OAuth 2.0 Integration Tips: When testing your redirect URL….”

  1. QATeam

    we are also facing the same problem

    1. Jimmy Wong

      Please see my answer to Robert.

  2. Robert

    We are also getting this “We’re Sorry” message.

    When we look at the Keys tab there is no “Redirect URIs” section. That tab only contains the sections that your picture shows as “Development keys” and “Production keys.” In fact, we can’t find a “Redirect URIs” section anywhere.

    However, in the “Settings” tab there is a section called “Open ID” with options to enter the OpenID URL. The help for that says “Intuit’s OpenID service redirects to this URL, passing in the OpenID identity of the user.”

    Have they moved the redirect URL into the Settings tab? Is this the same thing or something else?

    1. Jimmy Wong

      Hey Robert, if you’re not seeing the Redirect URIs section in your Keys Tab, it means your app was created before July 17th and is not an OAuth 2.0 but an OAuth 1.0, which this article does not pertain to. I would recommend that you either create a new app to take advantage of OAuth 2.0 and its much easier implementation model, or take your question to the QuickBooks Developer Support Forums here, https://help.developer.intuit.com/s/topic/0TOG0000000kF9JOAU/quickbooks-online

  3. Manoj

    For testing, I was using an HTTPS URL through ngrok, but was still getting the error.
    Later I realized I had not configured the Redirect URL in the app config. Configuring it made the OAuth sample code work.

    1. Jimmy Wong

      Thanks for the comment Manoj, I just wrote an article about that as well, and being very mindful of what you enter into the Redirect URI, check it out! https://developer.intuit.com/hub/blog/2017/10/31/oauth-2-0-integration-tips-careful-entering-redirect-uri

      Thanks for reading!

  4. Kris

    I’m new to OAuth2 but understand the process flow. For production, why can’t we use localhost? I’m doing ETL work and running all scripts locally with Python and Jupyter Notebook. I can’t receive the response back when I try to refresh the access token. Do I have to have a server (i.e. personal website) in order to receive the token response?

    1. Jimmy Wong

      Hey Kris,

      As far as I know, localhost won’t work outside of your network.

      Best Regards,

  5. Vaibhav

    Is there a possibility to set the redirect URL through code when the OAuth2 flow is initiated? Now if I have 1000 sites, each with a different host name, how can I set up the redirect URL for each one of them? I would like that to be set dynamically with the host name of the site for which authentication is requested.

    1. Jimmy Wong

      Check out step 4 in this detailed explanation of the OAuth 2.0 implementation of the NodeJS SDK. https://developer.intuit.com/hub/blog/2017/10/25/oauth-2-0-support-quickbooks-nodejs-sdk-explained


      1. Tigran

        Jimmy, but even though redirect_uri is available in the “requestToken” request, the system still requires this redirect URL to be manually entered in the App configuration page, which is a bit hard to do in dynamic SaaS applications.

        1. Jimmy Wong

          Hey Tigran,

          I believe this is a use case for which we hadn’t designed the portal. Just to make sure we haven’t missed anything, can you please file a ticket and provide a brief explanation of the feature you are looking for so our engineering staff can see if they have an appropriate solution for you or if it’s something we need to take into consideration in the future?


          1. ray_carneiro@fulcrumww.com

            I am running into the same issue. I have a SaaS application but I cannot get the “code” query string on my callback.

            If you make the request for OAuth2 in a browser, it will prompt you to “Accept” and redirect, but doing it over API calls, it is not possible.

  6. Ramin

    Hi Jimmy, I am trying to connect QB to a multi-tenant CRM where each customer has its own sub-domain, and this seems to require manual entry for all domains one by one. Is there any workaround for this? What is the QB solution for this scenario? I would appreciate an answer where manual entry is not required.

  7. Magnitude

    For the production account, I am unable to give in https://localhost:{callbackport}
    Why is this not acceptable?
