Unauthorized errors when trying to hit the admin or storefront

When I try to access the admin console or storefronts I get "unauthorized" errors in the browser.

Looking at the auth container logs may reveal the following exception:

org.springframework.security.oauth2.common.exceptions.RedirectMismatchException: Invalid redirect: https://admin.mydomain.com/silent-callback.html does not match one of the registered values.

This error indicates that the Auth Service is not configured with the appropriate redirect URIs for the requested client application. There are a couple of checks you can run to validate the configuration.

Option 1: Verify Authorized Client Details in the Admin

If you have access to the admin console, you can verify authorized client details at the Tenant level by going to Security > Authorization Servers > <My Domain> Authorization Server > Authorized Clients Tab > Authorized Client. From here you should be able to verify and manage any valid redirect URIs for this client.

Option 2: Verify Redirect URIs in the Database

If you do not have access to the admin, you can also run the following query directly against the database:

select * from auth.blc_client_redirect_uris

and verify that you have the following correctly defined:

admin, https://admin.<mydomain.com>
admin, https://admin.<mydomain.com>/callback
admin, https://admin.<mydomain.com>/silent-callback.html
heatclinic, https://heatclinic.<mydomain.com>/silent-callback.html
heatclinic, https://heatclinic.<mydomain.com>/callback
heatclinic, https://heatclinic.<mydomain.com>
etc.

These records are created by the Auth Data Initializers when you pass the following environment variables to the auth container:
BROADLEAF_AUTH_DATA_LOAD_BASEADMINHOST
BROADLEAF_AUTH_DATA_LOAD_BASEAPPLICATIONHOST

NOTE: if the data in the database was loaded with a previous domain (e.g. "qa.com") at some point in the past and never dropped, the initializers will not update any existing records, so the Auth Service may still be using the old seed data.
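
The check from Option 2 can be scripted once the query result is exported as (client, redirect URI) pairs. The following is an added example, not Broadleaf code: the function name, the sample rows and the assumption that every client is served from https://<client>.<domain> (as in the list above) are illustrative.

```python
from urllib.parse import urlsplit

# Path suffixes the list above shows for every client:
# the bare origin, /callback and /silent-callback.html.
EXPECTED_PATHS = ("", "/callback", "/silent-callback.html")


def audit_redirect_uris(rows, domain, clients):
    """Compare exported rows of auth.blc_client_redirect_uris with the expected set.

    rows    -- iterable of (client, redirect_uri) pairs taken from the query result
    domain  -- the domain currently in use, e.g. "mydomain.com"
    clients -- client ids to check, e.g. ["admin", "heatclinic"]

    Returns (missing, stale): expected pairs that are not registered, and
    registered pairs whose host is not <client>.<domain>, which is what
    seed data loaded under a previous domain looks like.
    """
    registered = {(c.strip(), u.strip()) for c, u in rows}
    expected = {
        (c, f"https://{c}.{domain}{path}")
        for c in clients
        for path in EXPECTED_PATHS
    }
    missing = sorted(expected - registered)
    stale = sorted(
        (c, u)
        for c, u in registered
        if c in clients and (urlsplit(u).hostname or "") != f"{c}.{domain.lower()}"
    )
    return missing, stale


# Constructed sample: the admin rows were seeded under an old "qa.com" domain.
SAMPLE_ROWS = [
    ("admin", "https://admin.qa.com"),
    ("admin", "https://admin.qa.com/callback"),
    ("admin", "https://admin.qa.com/silent-callback.html"),
    ("heatclinic", "https://heatclinic.mydomain.com"),
    ("heatclinic", "https://heatclinic.mydomain.com/callback"),
    ("heatclinic", "https://heatclinic.mydomain.com/silent-callback.html"),
]

if __name__ == "__main__":
    missing, stale = audit_redirect_uris(SAMPLE_ROWS, "mydomain.com", ["admin", "heatclinic"])
    for client, uri in missing:
        print("MISSING", client, uri)
    for client, uri in stale:
        print("STALE  ", client, uri)
```

Rows reported as STALE are the ones the initializers left untouched; rows reported as MISSING are the redirect URIs that would trigger the RedirectMismatchException shown above.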