我的观点是: 如果使用Google_Client库，不要忘记在更新重定向URI之后更新服务器上的JSON文件。

这个问题的主要原因只会来自chrome和chrome处理WWW和非WWW不同取决于你如何在浏览器中输入你的URL，它从谷歌搜索并直接显示结果，所以发送的重定向URL在不同的情况下是不同的

添加所有可能的组合，你可以找到确切的url从fiddler, 400错误弹出不会给你确切的http和www信息

1.您将看到类似这样的错误

2.然后单击请求详细信息

在此之后，您必须复制该url并将其添加到https://console.cloud.google.com/

访问https://console.cloud.google.com/

点击菜单-> API和服务->凭证

你会看到一个这样的仪表板，点击编辑OAuth客户端 现在在授权Javascript起源和授权重定向url 添加显示错误的url，称为redirect_uri_mismatch，即这里 http://algorithammer.herokuapp.com，所以我在这两个地方都加了 授权Javascript源和授权重定向url 点击保存，等待5分钟，然后尝试再次登录

重定向URI(返回响应的地方)必须在api控制台中注册，错误指示您没有这样做，或者没有正确地这样做。

转到项目的控制台，在API Access下查看。您应该在那里看到您的客户端ID和客户端秘密，以及一个重定向uri列表。如果您想要的URI没有列出，单击编辑设置并将URI添加到列表中。

编辑:(来自下面评价很高的评论)请注意，更新谷歌api控制台和当前的更改可能需要一些时间。通常只有几分钟，但有时似乎更长。

这个答案与Mike的答案和Jeff的答案相同，都在客户端设置redirect_uri为postmessage。我想添加更多关于服务器端的信息，以及适用于此配置的特殊情况。

技术堆栈

后端

Python 3.6 Django 1.11 Django REST Framework 3.9:服务器作为API，不渲染模板，在其他地方没有做太多。 Django REST Framework JWT 1.11 Django REST Social Auth < 2.1

前端

React: 16.8.3, create-react-app版本2.1.5 react-google-login: 5.0.2

“代码”流程(专门用于谷歌OAuth2)

总结:React—>请求社交认证“代码”—>请求jwt令牌，以获得您自己的后端服务器/数据库的“登录”状态。

Frontend (React) uses a "Google sign in button" with responseType="code" to get an authorization code. (it's not token, not access token!) The google sign in button is from react-google-login mentioned above. Click on the button will bring up a popup window for user to select account. After user select one and the window closes, you'll get the code from the button's callback function. Frontend send this to backend server's JWT endpoint. POST request, with { "provider": "google-oauth2", "code": "your retrieved code here", "redirect_uri": "postmessage" } For my Django server I use Django REST Framework JWT + Django REST Social Auth. Django receives the code from frontend, verify it with Google's service (done for you). Once verified, it'll send the JWT (the token) back to frontend. Frontend can now harvest the token and store it somewhere. All of REST_SOCIAL_OAUTH_ABSOLUTE_REDIRECT_URI, REST_SOCIAL_DOMAIN_FROM_ORIGIN and REST_SOCIAL_OAUTH_REDIRECT_URI in Django's settings.py are unnecessary. (They are constants used by Django REST Social Auth) In short, you don't have to setup anything related to redirect url in Django. The "redirect_uri": "postmessage" in React frontend suffice. This makes sense because the social auth work you have to do on your side is all Ajax-style POST request in frontend, not submitting any form whatsoever, so actually no redirection occur by default. That's why the redirect url becomes useless if you're using the code + JWT flow, and the server-side redirect url setting is not taking any effect. The Django REST Social Auth handles account creation. This means it'll check the google account email/last first name, and see if it match any account in database. If not, it'll create one for you, using the exact email & first last name. But, the username will be something like youremailprefix717e248c5b924d60 if your email is youremailprefix@example.com. It appends some random string to make a unique username. This is the default behavior, I believe you can customize it and feel free to dig into their documentation. The frontend stores that token and when it has to perform CRUD to the backend server, especially create/delete/update, if you attach the token in your Authorization header and send request to backend, Django backend will now recognize that as a login, i.e. authenticated user. Of course, if your token expire, you have to refresh it by making another request.

我的天啊，我花了6个多小时终于答对了!我想这是我第一次看到这种post - message的东西。任何使用Django + DRF + JWT + Social Auth + React组合的人都肯定会遇到这种情况。我真不敢相信，除了这里的答案，没有一篇文章提到这个。但是如果你正在使用Django + React堆栈，我真的希望这篇文章可以为你节省大量的时间。

我也得到这个错误error -400: redirect_uri_mismatch

这不是一个服务器或客户端错误，但你只需要检查你没有在结尾添加/(正斜杠)就可以了

重定向URL列表❌:

https://developers.google.com/oauthplayground/

这样做只✅:

https://developers.google.com/oauthplayground