Google OAuth redirect_uri_mismatch Triage

Browser -> Angular -> Oogway redirect endpoint
        -> Google validates redirect_uri
        -> on success returns to Oogway callback
        -> Oogway forwards callback to the correct SpotDraft cluster

Primary router paths:

• Login: app/api/endpoints/proxies/oauth.py
• Signup: app/api/endpoints/proxies/oauth.py
• Trial signup: app/trial/presentation/views.py and app/trial/domain/handle_oauth_trial_signup_use_case.py

Two Distinct Failure Modes

1. Malformed redirect URI generated by Oogway

This is the higher-probability failure mode when the incident follows an oogway rollout.

What happens:

• settings.OAUTH_REDIRECT_BASE_URL is a HttpUrl
• A code path concatenates that base URL with a path segment using raw string operations
• Trailing-slash normalization or inconsistent leading/trailing slashes produce malformed URLs such as:
  • https://api.spotdraft.com//api/v1/sd_auth/oauth/callback
  • https://{router_host}//router/v1/trial/signup/oauth/callback

Most important evidence:

• The exact redirect_uri shown on Google's error page is malformed
• The affected environment is missing the permanent join_url() fix or a recent rollout reintroduced raw concatenation

2. Valid callback URL not registered in Google Cloud Console

This is less common and should only be assumed when the URI shown on the Google error page is already syntactically correct.

What happens:

• Oogway sends a single-slash callback URL for the affected environment
• Google rejects it because that exact domain/path pair is not registered on the OAuth client

Most important evidence:

• The redirect_uri shown on the Google page is correct-looking and single-slash
• There is no recent oogway rollout that could explain malformed joins
• Adding or correcting the authorized redirect URI resolves the issue without a code deploy

Important Rule

redirect_uri_mismatch by itself does not prove a Google Console misconfiguration.

The 2026-03-26 Chargebee QA incident (SPD-42842) was initially diagnosed as a missing Google callback registration, but it was ultimately fixed by rolling out oogway PR #131, the same code-level URL-joining fix that addressed the 2026-03-20 production outage (SPD-42603).

Step-by-Step Investigation

1. Capture the Exact Failing redirect_uri

Ask support or QA for the Google error screenshot or the full failing URL.

Check:

1. Is the error from Google, not SpotDraft?
2. Does the redirect_uri contain // after the host?
3. Is the domain correct for the affected environment?
4. Is the failing path login, signup, or trial signup?

This step is the fastest way to separate malformed joins from genuine callback-registration gaps.

2. Determine Blast Radius by Environment

Check whether the issue affects:

• All Google logins in one environment
• Only QA or dev after a missed cherry-pick
• Production after a recent oogway rollout

Do not over-index on "single customer reported it." The March 26 QA incident looked customer-specific at first, but support could reproduce it internally and the eventual fix was environment-wide.

3. Check Whether the join_url Fix Is Present in the Affected Environment

The permanent fix was merged in SpotDraft/oogway PR #131 with merge commit:

• f01f1c033acdfcff0a14f7f799e93f28345bebc1

PR #131 introduced:

• app/core/url_utils.py
• join_url(base, *path_segments)

And replaced raw URL concatenation in:

• app/api/endpoints/proxies/oauth.py
• app/trial/presentation/views.py
• app/trial/domain/handle_oauth_trial_signup_use_case.py
• app/core/sd_api_client.py
• app/oauth/oidc_provider/domain/use_cases/get_oidc_config_use_case.py
• app/oauth/external/presentation/views.py
• HubSpot and SFDC redirect builders

If the affected environment does not have this fix, prioritize deployment or cherry-pick over Google Console changes.

4. Inspect the Code Paths

Pre-fix broken pattern:

redirect_uri = f"{settings.OAUTH_REDIRECT_BASE_URL}/{path}"

Merged fix:

def join_url(base: str, *path_segments: str) -> str:
    result = base.rstrip("/")
    for segment in path_segments:
        if not segment:
            continue
        seg = segment.lstrip("/")
        if seg:
            result = f"{result}/{seg}"
    return result

Router OAuth now uses:

def _router_oauth_redirect_uri(router_callback_path: str) -> str:
    assert settings.OAUTH_REDIRECT_BASE_URL is not None
    return join_url(str(settings.OAUTH_REDIRECT_BASE_URL), router_callback_path)

Important operational detail:

• The merged fix did not change OAUTH_REDIRECT_BASE_URL from HttpUrl to str
• The shipped solution normalized URL joining instead of relying on config-type changes

5. Check Logs, but Treat the Browser Error as the Highest-Signal Artifact

Google rejects the malformed URI before a successful callback reaches SpotDraft, so logs are useful for correlation but often not decisive on their own.

GCP Cloud Logging - Prod oogway:

logName="projects/spotdraft-prod/logs/stderr"
labels."k8s-pod/app"="sd-apps-oogway"
jsonPayload.message:("oauth" OR "redirect" OR "callback")
timestamp >= "{incident_start_time}"

GCP Cloud Logging - QA oogway:

resource.type="k8s_container"
labels."k8s-pod/app"="spotdraft-qa-oogway"
textPayload:("oauth" OR "redirect" OR "callback")
timestamp >= "{incident_start_time}"

Groundcover example for QA EU:

• Environment: qa
• Cluster: qa-eu
• Namespace: qa
• Workload: spotdraft-qa-oogway

Useful correlation only:

• recent request spikes to OAuth redirect endpoints
• absence of successful callback handling after login attempts
• rollout timing versus first failure report

6. Classify the Incident

Immediate Mitigation

If the URI is malformed

1. If the outage is active and started after a recent oogway rollout, revert the rollout or revert the offending argo-manifests change.
2. Deploy or cherry-pick PR #131 (or an equivalent join_url patch) to the affected environment.
3. Verify first in dev if possible, then in QA / prod.
4. Re-test:
   • Google login
   • Google signup
   • Trial OAuth signup

Historical reference:

• 2026-03-20 prod outage was mitigated by reverting argo-manifests commit 6fa8925a87de822ff84d6ea0e8044e356b313875
• 2026-03-26 QA outage was resolved after PR #131 was merged, verified in dev, then cherry-picked to QA

If the URI is valid but unregistered

Add the exact affected environment callbacks in Google Cloud Console:

• {oauth_redirect_base_url}/api/v1/sd_auth/oauth/callback
• {oauth_redirect_base_url}/api/v1/sd_auth/oauth/signup/callback
• For trial flow, if applicable:
  • {oauth_redirect_base_url}/{api_v1_prefix}/trial/signup/oauth/callback

No deploy is required for this path, but verify whether the environment uses a shared or dedicated Google OAuth client before making the change.

Permanent Fix and Regression Surface

PR #131 normalized URL building across more than just Google login. If you deploy the full patch, regression-test:

• Router OAuth login/signup redirects and callbacks
• Trial OAuth signup flow
• OIDC discovery document URLs
• HubSpot / SFDC redirect flows
• Cluster forwarding URLs built by app/core/sd_api_client.py

Tests added or updated in the merged fix:

• app/tests/core/test_url_utils.py
• app/tests/api/proxies/test_oauth_proxy.py
• app/tests/trial/domain/test_handle_oauth_trial_signup_use_case.py
• app/tests/trial/presentation/test_trial_signup_views.py
• plus related external OAuth / OIDC / CRM tests

Verification Checklist

• Google error page no longer shows malformed or mismatched callback URL
• Login flow works end-to-end in the affected environment
• Signup flow works
• Trial OAuth signup works if relevant
• If there was an emergency Google Console workaround, remove any stale malformed callback entries after the code fix is live

Related Incidents / Jira

• SPD-42603 - 2026-03-20 production Google login outage. Global impact. Root signal was double slash in redirect_uri. Short-term mitigation was revert; long-term fix was PR #131.
• SPD-42842 - 2026-03-26 Chargebee QA login failure on WSID 8243, cluster EU, env QA. Initially looked like a QA callback-registration issue, but final fix was the same join_url rollout, verified in dev and then QA on 2026-03-30.

Related Skills

• incident-lookup - if the symptom is ambiguous and you need to search for prior Slack/Jira incidents first
• infrastructure-alert-response - if the login incident coincides with pod restarts, latency spikes, or other infra symptoms instead of a clean Google OAuth rejection