# ory-copilot

@chilly-king-10285 I use ory hydra and all of the /login and /consent endpoints are working correctly but when I get redirected back to `https://127.0.0.1:4446/callback?code=ory_ac_1h0yGzgikgM83CZua0xOduG_AzLKSZIElvClohSt[…]bAUWRvhNg&scope=offline+openid&state=sqharwafqytjjzxrbkakwiss` I get this error:

> This site can't be reached. 127.0.0.1 refused to connect. Try: • Checking the connection • Checking the proxy and the firewall. ERR_CONNECTION_REFUSED
A message from kapa.ai

The error "This site can't be reached – 127.0.0.1 refused to connect" when redirected to `https://127.0.0.1:4446/callback` typically means that nothing is listening on port 4446 on your local machine. In the OAuth2 Authorization Code flow with Ory Hydra, the redirect URI (`/callback`) must point to a web server or client application that is actively running and able to receive the callback from Hydra. Based on the Ory Hydra documentation, after the login and consent flows, Hydra redirects to the `redirect_uri` you registered for your OAuth2 client. If you haven't started a local web server on port 4446 to handle this callback, you'll get a connection refused error. The documentation provides an example of starting such a server using the Ory CLI or Docker:

```bash
docker run --rm -it \
  --network hydraguide \
  -p 9010:9010 \
  oryd/hydra:v1.10.6 \
  token user --skip-tls-verify \
    --port 9010 \
    --auth-url https://localhost:5444/oauth2/auth \
    --token-url https://ory-hydra-example--hydra:4444/oauth2/token \
    --client-id facebook-photo-backup \
    --client-secret some-secret \
    --scope openid,offline,photos.read
```

This command starts a local server on port 9010, and the redirect URI should match this port (e.g., `http://127.0.0.1:9010/callback`). If your client is registered with `https://127.0.0.1:4446/callback`, you must ensure a server is running and listening on port 4446 to handle the callback. Otherwise, you'll see the connection refused error you described.

To resolve this:

- Make sure your OAuth2 client is registered with a redirect URI that matches the port and protocol of your running client/server.
- Start a local server on the port specified in your redirect URI before initiating the OAuth2 flow.

For more details and examples, see the Ory Hydra documentation on performing the OAuth2 flow and troubleshooting redirect URIs [here](https://www.ory.sh/docs/hydra/self-hosted/configure-deploy/#perform-oauth-20-flow) and [here](https://www.ory.sh/docs/hydra/faq/). If you need to test the flow, you can use the Ory CLI or the provided Docker examples to start a local server that will handle the callback as shown above. Make sure the port in your redirect URI and the port your server is listening on are the same, and that the server is running before you start the OAuth2 flow.
@chilly-king-10285 Now I get this error:

> An error occurred oauth2: "invalid_client" "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). passwords do not match"
A message from kapa.ai

The error message:

> oauth2: "invalid_client" "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). passwords do not match"

indicates that the client authentication at the `/oauth2/token` endpoint failed. This can happen for several reasons, as documented in the Ory Hydra troubleshooting guides:

1. Client Secret Mismatch: The client secret you are using does not match the one registered for the OAuth2 client. Double-check that you are using the correct client ID and client secret. If you recently updated or recreated the client, ensure you are using the latest secret.
2. Wrong Authentication Method: By default, Ory Hydra expects client credentials to be sent using HTTP Basic Authorization (`client_secret_basic`). If your client is configured for a different method (e.g., `client_secret_post`), you must use the correct method. You can check and set the allowed method in your client configuration. If you try to use the wrong method, authentication will fail. You can verify the method with:

   ```bash
   ory get oauth2-client {client.id}
   ```

   and look for the `token_endpoint_auth_method` field. If you need to change it, use the CLI with the `--token-endpoint-auth-method` flag [Client auth fails because Wrong token_endpoint_auth_method](https://www.ory.sh/docs/hydra/debug/token-endpoint-auth-method/).
3. Unknown Client: The client ID you are using might not exist in the system. Make sure the client is registered and the ID is correct.
4. Password Length or Format Issues: There have been reports that after upgrading Hydra or migrating databases, clients with long or specially formatted secrets (e.g., with hyphens or underscores) may fail to authenticate until the secret is reset or updated. If you encounter this after an upgrade, try resetting the client secret to the same value or a new one [Unexpected bug authenticating a valid client](https://github.com/ory/hydra/issues/3581).

Summary of steps to resolve:

- Verify the client ID and secret are correct and match what is registered.
- Ensure you are using the correct authentication method (`client_secret_basic` or `client_secret_post`) as configured for your client.
- If you recently upgraded Hydra or migrated your database, try resetting the client secret.
- Make sure the client exists in the system.

If you continue to have issues, check the Hydra logs for more detailed error messages, as sometimes the error can be due to subtle misconfigurations [Gitlab Hydra integration troubleshooting](https://www.ory.sh/docs/hydra/self-hosted/gitlab/#troubleshooting).
@chilly-king-10285 `client_secret` is empty
A message from kapa.ai

If your `client_secret` is empty, there are a few important points from the Ory Hydra documentation and related sources:

- When you create an OAuth2 client using the administrative API or CLI, the `client_secret` is only returned once in the response. After that, it is stored in a hashed format and cannot be retrieved again. If you lose the secret, you must reset it or create a new client [Hydra API Reference – createOAuth2Client](https://www.ory.sh/docs/hydra/reference/api) [Hydra API Reference – getOAuth2Client](https://www.ory.sh/docs/hydra/reference/api).
- If you fetch a client using the API (e.g., `GET /admin/clients/{id}`), the `client_secret` field will be empty for security reasons. This is by design.
- If you need a new secret, you must update the client and set a new `client_secret` using the appropriate API endpoint or CLI command. The new secret will be echoed in the response, but again, only at that time.
- Example from the docs:

  > The secret will be included in the create request as cleartext, and then never again. The secret is kept in hashed format and is not recoverable once lost [Hydra API Reference – getOAuth2Client](https://www.ory.sh/docs/hydra/reference/api).

In summary: If your `client_secret` is empty when retrieving a client, this is expected behavior. You must set a new secret if you need one, as it cannot be recovered after creation.
@chilly-king-10285 can you explain the purpose of `client_secret`?
A message from kapa.ai

The `client_secret` is a confidential credential issued to OAuth2 clients (applications) when they are registered with the authorization server. Its main purpose is to authenticate the client application to the authorization server during OAuth2 flows, ensuring that only authorized applications can request tokens or access protected resources.

- The `client_secret` is used together with the `client_id` to prove the identity of the client. For example, in the Client Credentials or Authorization Code flows, the client includes the `client_id` and `client_secret` when requesting an access token.
- The `client_secret` must be kept confidential and should not be exposed in public code or distributed to untrusted parties.
- The method by which the client authenticates (using the `client_secret`) can vary, such as `client_secret_basic` (sent in the HTTP Authorization header) or `client_secret_post` (sent in the request body) [OAuth2 fundamentals: Client ID and secret](https://www.ory.sh/docs/oauth2-oidc/overview/oauth2-concepts/#creating-oauth2-clients).

> The client ID is considered public information and can be included in JavaScript source code or used to build login URLs. The client secret, however, must be kept confidential and is used to authenticate the client to the authorization server [OAuth2 fundamentals: Client ID and secret](https://www.ory.sh/docs/oauth2-oidc/overview/oauth2-concepts/#creating-oauth2-clients).

In summary, the `client_secret` is a key security mechanism in OAuth2, ensuring that only trusted applications can interact with the authorization server on behalf of users or themselves.
@chilly-king-10285 why do I get errors regarding `client_secret` when I'm redirected back to the callback URL?
A message from kapa.ai

You may get errors regarding `client_secret` when redirected back to the callback URL because, after the user is redirected to the callback, your application typically exchanges the received authorization code for tokens at the `/oauth2/token` endpoint. During this exchange, the client must authenticate itself using its `client_id` and `client_secret`. Common reasons for `client_secret` errors at this stage include:

- Incorrect or missing client_secret: If the `client_secret` is missing, incorrect, or does not match what was registered, the token endpoint will return an error such as `invalid_client` or "passwords do not match" [Client auth fails because Wrong token_endpoint_auth_method](https://www.ory.sh/docs/hydra/debug/token-endpoint-auth-method/).
- Wrong authentication method: If your client is configured to use a specific authentication method (e.g., `client_secret_basic` or `client_secret_post`), but your application uses a different method, authentication will fail. By default, Ory Hydra expects `client_secret_basic` [Client auth fails because Wrong token_endpoint_auth_method](https://www.ory.sh/docs/hydra/debug/token-endpoint-auth-method/).
- Empty client_secret: If you retrieve the client configuration and see an empty `client_secret`, this is expected for security reasons. The secret is only shown once at creation. If you lose it, you must reset it [Hydra API Reference – getOAuth2Client](https://www.ory.sh/docs/hydra/reference/api).
- Unknown client: If the `client_id` does not exist or is incorrect, you will also get a `client_secret`-related error [Hydra API Reference – getOAuth2Client](https://www.ory.sh/docs/hydra/reference/api).

In summary, these errors occur because the token exchange step requires correct client authentication, and any mismatch or misconfiguration will result in an error at this point in the OAuth2 flow.