OAuth 2.0 - encoded URL values option is ignored

  1. My goal: Test OAuth 2.0 Authorization Code Grant
  2. Issue: redirect_uri parameter is being encoded, despite checking “Disable URL encoding”
  3. Steps I've taken to troubleshoot:
  4. Additional info: Cloud

The callback URL is used as the redirect_uri parameter, however the OAuth 2.0 service I am using requires all redirect_uri values to not be encoded.

When navigating to the authorization page for the service, the parameter is encoded:

image

So I change the Advanced options, and save the resource:

I try again. The parameter remains encoded:

image

Hoping someone can identify if this setting is being used or ignored when building the redirect URL query parameters.

Thank you!

Hi @hansontools,

Interesting issue.

Just to clarify, what Auth service are you using that requires redirect_uri values to not be encoded?

I was doing some research and every major OAuth provider (Google, Okta, Azure AD, Auth0, GitHub, etc.) expects this.

If a service truly rejects encoded query parameters, it is not OAuth-compliant.

For the checkbox under Advanced Options, that checkbox does not mean “send raw characters in the URL” — because that is not possible in a valid HTTP query string.

What it actually controls is:

Whether Retool double-encodes the redirect URI

Example

Correct (single-encoded):

redirect_uri=https%3A%2F%2Foauth.retool.com%2Foauth%2Fuser%2Foauthcallback

Broken (double-encoded):

redirect_uri=https%253A%252F%252Foauth.retool.com%252Foauth%252Fuser%252Foauthcallback

The checkbox prevents double encoding, not encoding entirely.

If you can give me more details on the OAuth provider and what they expect I can help further, but any resource Auth options using OAuth 2.0 will have to encode the redirect_uri value :sweat_smile:

Hi Jack,

It was QuickBooks (Intuit), so a pretty big player in the online accounting world.

While I acknowledge it’s not strictly correct, I wonder whether Retool or Intuit will be more flexible in addressing it… :sweat_smile:

Hi @hansontools,

Thank you for letting me know! We definitely want to support users setting up OAuth for Intuit resources.

Let me investigate this further and see what their API wants and what should be done on the Retool side to get this working smoothly.

I know other users have set up OAuth with Intuit so I am curious why the redirect URL query params are not behaving for you :thinking:

Hi @hansontools,

After doing some more digging it seems that the checkbox for "Disable URL encoding" is for custom values being added, such as query params, and won't impact the redirect URI.

Are you getting an error message when testing the Resource/OAuth? The most important factor should be matching the redirect URI that you put into Retool's Auth as well as on the Intuit side. There shouldn't be any need to encode or unencode the base redirect URI.
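
Added example (not part of any post in this thread, and not Retool's or Intuit's code): a small Python check that reads `redirect_uri` from an authorization URL exactly as sent, counts how many layers of percent-encoding it carries, and compares the value the authorization server would see after one decode against the registered URI. The `auth.example.test` and `app.example.test` hosts are constructed placeholders, and the check assumes the registered URI itself contains no literal `%`.

```python
from urllib.parse import urlsplit, unquote


def raw_query_param(url, name):
    """Return the parameter value exactly as it appears on the wire (still encoded)."""
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    return None


def check_redirect_uri(auth_url, registered):
    """Classify the encoding of redirect_uri and test it against the registered URI.

    layers: 0 = sent raw, 1 = single-encoded (expected), 2+ = double-encoded.
    server_sees: the value after the one decode a query-string parser performs.
    match: exact string comparison with the registered redirect URI.
    """
    raw = raw_query_param(auth_url, "redirect_uri")
    if raw is None:
        return {"layers": None, "server_sees": None, "match": False}
    layers, value = 0, raw
    while unquote(value) != value:  # peel encoding layers until the value is stable
        value = unquote(value)
        layers += 1
    server_sees = unquote(raw)
    return {"layers": layers, "server_sees": server_sees, "match": server_sees == registered}


# Callback URL taken from the single/double-encoded examples in this thread.
CALLBACK = "https://oauth.retool.com/oauth/user/oauthcallback"
# Constructed authorization endpoint (placeholder, not a real provider URL).
BASE = "https://auth.example.test/authorize?client_id=abc&response_type=code&redirect_uri="

SINGLE = BASE + "https%3A%2F%2Foauth.retool.com%2Foauth%2Fuser%2Foauthcallback"
DOUBLE = BASE + "https%253A%252F%252Foauth.retool.com%252Foauth%252Fuser%252Foauthcallback"

if __name__ == "__main__":
    for label, url in (("single", SINGLE), ("double", DOUBLE)):
        print(label, check_redirect_uri(url, CALLBACK))
    # Correctly encoded, but the provider has a different (constructed) URI registered.
    print("other", check_redirect_uri(SINGLE, "https://app.example.test/callback"))
```

A single-encoded value that still fails the match points at the registered callback URL rather than at the encoding.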

Hey Jack,

I think this was the cause:

The “Share credentials between users” checkbox changes the callback URL, but because the checkbox is visually disconnected from the callback text input by distance, my brain didn’t pick up the subtle change.

Perhaps moving that checkbox, or calling out the change, would be a nice visual aid.

Thank you for sharing that @hansontools!

That is great feedback and I definitely agree, those two should be closer together and the visual difference could definitely use some type of highlight or visual cue to let users know how the URL is changing.

I will share that feedback with our engineering team.