Hi, I am new to Jira and new to OAuth2 so.... yeah. ;-)
I am trying to implement OAuth2 for Jira in a DevOps extension (authorization code flow).
The devops extension FE runs inside an IFrame in the DevOps site (not sure if that is relevant). I am using '@badgateway/oauth2-client' as a client JS/TS library.
For testing I am running Jira in a Docker image (no https, only http) locally as well as the extension code locally in VScode.
I have created an application link in Jira with the callback url I created to pickup the authorization code and fetch the access token from jira. I copied the resulting client id and secret for use in the extension.
When I call the jira /authorize endpoint with the necessary query string params I get an error from the Jira server (tomcat) on the (plugin) consent page.
Type Status Report
Message Invalid 'redirect_uri' URL parameter provided
Description One or more conditions given in the request header fields evaluated to false when tested on the server.
This is the url (localhost:8080=docker):
http://localhost:8080/plugins/servlet/oauth2/consent
?client_id=<app link client id>
&redirect_uri=https://dev.azure.com/<org>/<project>/_apps/hub/<extension>.<location>
&response_type=code
&scope=WRITE
&state=<my state>
&code_challenge_method=S256
&code_challenge=<generated challenge code>
No matter what I try with the redirect_url, I keep getting errors.
There is probably something obvious I am doing wrong, but I am not seeing it.
Thanks in advance.
Redirect URI Issues
The "Invalid 'redirect_uri' URL parameter provided" error typically indicates a mismatch or configuration issue between the Redirect URI you've specified in your OAuth2 request and the one registered in your Jira application link or OAuth2 app configuration. Here are a few things to consider:
Exact Match Requirement: Ensure the Redirect URI in your OAuth2 request exactly matches one of the Redirect URIs registered in your Jira application link settings. This includes the protocol (https://), domain, port (if specified), path, and absence or presence of trailing slashes.
Base URL Configuration: Since you've adjusted the base URL of your Jira site, double-check that the Redirect URI reflects this change accurately. Any discrepancy between the base URL and the Redirect URI can cause issues.
ngrok URL Stability: If you're using ngrok's free tier, the URL changes every time you restart ngrok, requiring you to update the Redirect URI in your Jira application link settings accordingly. Consider using a paid ngrok plan for a stable, reusable URL or another method to secure a consistent domain for development purposes.
CORS Policy
While CORS policy is crucial for client-side interactions, it typically doesn't impact the Redirect URI validation in OAuth2 flows since the initial authorization request and redirect are handled server-side. However, ensuring your devops domain is in the allow-list is a good practice for other aspects of integration that involve client-side requests.
Unauthorized (401) Error
The unauthorized error when calling the /authorize URL might have been due to a temporary misconfiguration or an issue with the OAuth2 credentials (client ID/secret) or tokens. Since you mentioned this was a quirk and you're back to the original Redirect URI error, it's less likely to be related to CORS directly and more about the OAuth2 configuration and Redirect URI validation.
Steps Forward
Review OAuth2 Configuration: Double-check your OAuth2 app configuration in Jira, ensuring that the Redirect URI(s) are correctly set and match your ngrok URL exactly.
Consistency Check: Verify that the Redirect URI used in your OAuth2 authorization request is identical to the one in your Jira settings, considering any changes made to the base URL or ngrok setup.
Debugging Tips: Use tools like Postman or a similar HTTP client to manually craft and test the OAuth2 authorization request. This can help isolate the issue by removing variables related to your development environment.
If these steps don't resolve the "Invalid 'redirect_uri' URL parameter provided" error, consider revisiting the OAuth2 app configuration in Jira and any documentation specific to the OAuth2 integration process to ensure all settings align with Jira's requirements and your development setup.
And if I help you in any way and you give me a like I appreciate it.
"Base URL Configuration: Since you've adjusted the base URL of your Jira site, double-check that the Redirect URI reflects this change accurately. Any discrepancy between the base URL and the Redirect URI can cause issues."
This suggests that the redirect url has the same base as the Jira server url!?
My redirect url is in the dev.azure.com domain. How can I perform authorization code to access token handling when the redirect is to Jira!?
I think it has to do with the spaces in my url.
When I replace the spaces with '+' it works (Jira login and consent) up until navigating to my redirect_url.
Problem is I cannot find any combination that seems to work. Url encode, not url encode, encode twice. It all fails. I can also not enter spaces in the redirect url field in the application link. I have to escape my spaces there (%20)... :-(
If there was only a way to discover what is expected.
I also got Postman to work with its own callback url.
URL Encoding for Spaces: Use %20 to encode spaces in URLs. This encoding applies both to the Redirect URI in your code and the one configured in Jira's application link settings.
Exact Match Requirement: Ensure the encoded Redirect URI in your OAuth2 authorization request matches exactly with the one in Jira, including the encoding of spaces as %20.
Incremental Testing: Start with a simple Redirect URI without spaces and verify it works. Then, introduce encoded spaces (%20) to identify at which point issues arise.
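The %20 and exact-match advice above, worked through as an added example that is not part of the original thread: it shows what a server holds after decoding the query string once, for a callback sent through `URLSearchParams` versus pasted into the URL unencoded. It assumes the server compares the decoded value with the registered callback as a plain string, which the thread does not confirm for Jira; `example-org`, `My%20Project`, `example.hub` and `CLIENT_ID_PLACEHOLDER` are constructed placeholders.

```javascript
// Added example. REGISTERED is a constructed placeholder: the callback as
// typed into the application link, with the space already escaped as %20.
const REGISTERED =
  'https://dev.azure.com/example-org/My%20Project/_apps/hub/example.hub';
const CONSENT = 'http://localhost:8080/plugins/servlet/oauth2/consent';

// URLSearchParams percent-encodes the whole value, so the registered "%20"
// travels as "%2520" and one round of decoding restores it unchanged.
function buildAuthorizeUrl(redirectUri) {
  const query = new URLSearchParams({
    client_id: 'CLIENT_ID_PLACEHOLDER',
    redirect_uri: redirectUri,
    response_type: 'code',
    scope: 'WRITE',
  });
  return `${CONSENT}?${query}`;
}

// Pasting the value into the query unencoded: its "%20" is consumed by the
// server's decoding step and arrives as a raw space.
function pasteUnencoded(redirectUri) {
  return `${CONSENT}?client_id=CLIENT_ID_PLACEHOLDER&redirect_uri=${redirectUri}&response_type=code`;
}

// The value a server holds after decoding the query string once.
function receivedRedirectUri(authorizeUrl) {
  return new URL(authorizeUrl).searchParams.get('redirect_uri');
}

// Assumed rule: plain string equality. On mismatch, name the first differing part.
function diagnose(registered, received) {
  if (registered === received) return 'match';
  let a, b;
  try {
    a = new URL(registered);
    b = new URL(received);
  } catch {
    return 'not an absolute URL';
  }
  for (const part of ['protocol', 'host', 'pathname', 'search', 'hash']) {
    if (a[part] !== b[part]) return `${part} differs: ${a[part]} vs ${b[part]}`;
  }
  return 'same URL after normalisation, different raw string (encoding)';
}

for (const url of [buildAuthorizeUrl(REGISTERED), pasteUnencoded(REGISTERED)]) {
  console.log(diagnose(REGISTERED, receivedRedirectUri(url)), '<-', url);
}
```

Under the stated assumption, the second output line shows how a callback copied verbatim into a hand-built URL can fail an exact comparison even though the two strings look identical on screen.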
Yeah - that is exactly what I did.
Introducing the encoded spaces (%20) seems to make it fail.
To resolve the Invalid 'redirect_uri' error in your OAuth2 setup for Jira, consider the following simplified steps:
Redirect URI Mismatch: Ensure the redirect_uri in your OAuth2 request exactly matches the callback URL registered in Jira's application link settings. This includes matching the protocol (HTTP vs HTTPS), domain, port, and path precisely.
URL Encoding: Verify the redirect_uri is correctly URL-encoded, especially if it contains special characters or spaces.
IFrame Considerations: Be aware that running OAuth2 flows inside an IFrame may face additional security restrictions. Check for cross-origin issues and browser security policies that could affect the process.
Jira Callback URL Configuration: Double-check that the callback URL configured in Jira matches the redirect_uri used in your request. Ensure the correct setup for different environments (local, staging, production).
Debugging Tips:
Inspect Jira's logs for more specific error details.
Test the OAuth2 authorization URL directly in a browser, bypassing the IFrame, to see if the issue persists.
Simplify the redirect_uri for testing purposes to a basic endpoint to determine if the error is related to the URI's complexity or setup.
These steps should help identify and resolve the issues with your OAuth2 integration in Jira.
Redirect URI Configuration/Mismatch: I have tried different urls in an effort to discover what would be considered (in)valid and copied-pasted between the Jira Application Link and the url I report in the code. I have tried with and without url encoding. I currently work with only one environment (local).
IFrame: I use the devops client sdk to navigate at top level, outside of the IFrame. I have tried, in-place navigate, new tab and popup. This does not affect the result for the redirect_url. Navigating inside the IFrame gives a browser warning-page I do not want my users to see ;-).
Cross Origin: Do I need to configure allowed sites in the Jira server? Where can I do that?
Logs: Where can I find these logs?
Https/SSL: I found an article that states that the Jira server itself has to run Https/SSL in order for OAuth2 to work (makes sense). I am now trying to find out how to configure my docker image to use SSL (never done that before). Let me know if this is a dead end or if I could be on to something.
Redirect URI Configuration/Mismatch: Ensure the Redirect URI in your Jira Application Link exactly matches the one in your code, including the scheme, domain, port, and path. URL encoding should be correct when initiating OAuth2 flows.
IFrame Navigation: Use the DevOps client SDK for top-level navigation to avoid cross-origin issues and browser warnings associated with IFrames.
Cross-Origin Requests: For CORS policy, manually configure allowed sites in Jira Server or Data Center settings or refer to Atlassian documentation for Jira Cloud.
Logs: Find logs in the log directory of your Jira application home, typically atlassian-jira.log for application logs.
Https/SSL Requirement: HTTPS is mandatory for OAuth2 security. Configure SSL for your local Docker environment by generating a self-signed SSL certificate, mounting it in the Docker container, and configuring the web server to use HTTPS. Alternatively, use a reverse proxy for SSL termination.
Moving Forward: Transition your local development to use HTTPS to align with OAuth2 security requirements and ensure all parts of your pipeline are configured for HTTPS.
I have SSL configured using ngrok and the Jira site works again over https.
I did have to edit the server.xml a bit and set a new base url for the jira site. Seems fine now.
I noticed that when I specify a redirect_uri that is the jira site itself, the redirect is taken. So that leads me to believe that it probably has to do with the CORS policy.
I have added the devops domain to the allow-list but now I get an unauthorized (401) on calling the /authorize url...?
We're not there yet.
Even with the AllowList turned off (allow all) it doesn't work...
That Authorized-error was a quirk - we're back to the original error: "Invalid 'redirect_uri' URL parameter provided" (412)
The "Invalid 'redirect_uri' URL parameter provided" error typically means there's a mismatch between the Redirect URI in your OAuth2 request and what's registered in Jira. Here's a condensed action plan:
Exact Match: Ensure the Redirect URI in your request matches exactly with what's registered in Jira, including protocol, domain, path, and trailing slashes.
Check Base URL: After adjusting Jira's base URL, make sure the Redirect URI reflects these changes accurately.
ngrok URL Stability: If using ngrok's free tier, remember the URL changes with each restart. Update the Redirect URI in Jira accordingly, or consider a stable solution.
Review OAuth2 Configuration: Double-check your OAuth2 app settings in Jira, ensuring the Redirect URI(s) are correctly configured.
Test Manually: Use tools like Postman to manually test the OAuth2 authorization request, isolating the issue from your development environment.
Adjust your OAuth2 configuration as needed, ensuring consistency between your request and Jira's settings.
If it helps you in any way, don't forget to like the replies; it helps me. Thank you very much, and I hope this works for you.