The Emergency
Mental healthcare software can't be down. When Bonanno Mental Healthcare's Google login stopped working for their patient portal, it wasn't a minor UX issue: patients couldn't access their records and appointments. The existing developer had been debugging for two days without resolution. The client posted on Upwork as a last resort.
Diagnosis in 90 Minutes
The first step is never touching code; it's reading the error. The OAuth2 error logs showed:
redirect_uri_mismatch
The redirect URI in the request did not match a registered URI
Classic error, but also misleading: the redirect URIs registered in Google Cloud Console appeared to match the application config exactly. So what changed?
The answer was in the recent deployment history: an SSL certificate renewal had changed the canonical domain from http:// to https://. Google OAuth2 treats http://app.example.com/callback and https://app.example.com/callback as entirely different redirect URIs. The application was now sending HTTPS authorization requests, but the Google Cloud Console credential still had only the HTTP URI registered.
Why the Original Developer Missed It
The mismatch is subtle because the Google Cloud Console UI shows the registered URI as a plain string; it doesn't visually highlight the protocol prefix. Someone comparing the two URIs quickly can easily overlook http vs https. The error message says "did not match" but doesn't tell you which character is wrong.
The Fix
Two steps:
- Added the HTTPS redirect URI to the Google Cloud Console OAuth 2.0 credentials
- Audited all other OAuth callback registrations in the application to ensure no other HTTP/HTTPS mismatches existed elsewhere (there was one more, on the admin panel login)
Total time from first look to deployed fix: 3 hours.
Prevention: What to Check After Any SSL or Domain Change
OAuth2's strict redirect URI matching is a security feature: it prevents authorization code interception attacks. But it creates a sharp edge when HTTPS is added, domains change, or ports shift. After any such change:
- Audit every OAuth 2.0 credential in Google Cloud Console for all environments (dev, staging, prod)
- Check that the protocol (http vs https), domain, port, and path all match exactly what the application sends
- Test the login flow in each environment before declaring the SSL migration complete
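The audit step above, and the diagnosis earlier in the post, both come down to the same question: which component of the redirect URI the app sends differs from what is registered? The following script is an added example, not code from the original post or from the client's application. It compares each URI the app sends against the registered list component by component (scheme, host, port, path, query) and reports the closest registered entry with the exact differences, which is the detail the provider's "did not match" error leaves out. The hostnames and paths are constructed placeholders, and the script deliberately performs no normalization, on the assumption that the provider compares these parts literally; it does not model any provider-specific matching rules.

```python
from urllib.parse import urlsplit

# Constructed sample data (placeholders, not the client's real configuration):
# the redirect URIs registered in the OAuth provider's console before the
# SSL renewal moved the site to HTTPS.
REGISTERED_URIS = [
    "http://app.example.com/callback",
    "http://app.example.com/admin/callback",
]

# Constructed sample data: the redirect URIs the application sends afterwards.
SENT_URIS = [
    "https://app.example.com/callback",
    "https://app.example.com/admin/callback",
]

COMPONENTS = ("scheme", "hostname", "port", "path", "query")


def components(uri):
    """Split a URI into the parts an OAuth provider compares.

    Nothing is normalized on purpose (assumption: literal comparison):
    http vs https, a missing port, or a trailing slash are all real differences.
    """
    p = urlsplit(uri)
    return {
        "scheme": p.scheme,
        "hostname": p.hostname or "",
        "port": str(p.port) if p.port is not None else "",
        "path": p.path,
        "query": p.query,
    }


def diff(sent, registered):
    """Return (component, sent_value, registered_value) for each part that differs."""
    a, b = components(sent), components(registered)
    return [(c, a[c], b[c]) for c in COMPONENTS if a[c] != b[c]]


def explain_mismatch(sent, registered_uris):
    """Return None if `sent` exactly matches a registered URI.

    Otherwise return the registered URI with the fewest differing components
    together with those differences, so the reader sees *which* part is wrong
    rather than just 'no match'.
    """
    if sent in registered_uris:
        return None
    if not registered_uris:
        return {"closest": None, "differences": []}
    closest = min(registered_uris, key=lambda r: len(diff(sent, r)))
    return {"closest": closest, "differences": diff(sent, closest)}


def audit(sent_uris, registered_uris):
    """Check every redirect URI the app sends; return (uri, explanation) findings."""
    findings = []
    for uri in sent_uris:
        result = explain_mismatch(uri, registered_uris)
        if result is not None:
            findings.append((uri, result))
    return findings


if __name__ == "__main__":
    for uri, result in audit(SENT_URIS, REGISTERED_URIS):
        print(f"{uri} is not registered; closest is {result['closest']}")
        for comp, got, want in result["differences"]:
            print(f"  {comp}: app sends {got!r}, registered {want!r}")
```

Run it once per environment (dev, staging, prod) with that environment's registered list; a clean run is an empty findings list. Because the comparison is literal, it also catches the port and path drift the checklist mentions, not only the http/https case from this incident.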
David Bonanno's review says it best: "He didn't even bill me for much time at all. I felt like he should have billed me for more, so I gave him a bonus."