Check the "grant_type" parameter

9
votes

I am using OAuth 2.0 for authorization according to this documentation :(https://developers.vendhq.com/documentation/oauth.html#oauth) and having this error:

"error": "invalid_request", "error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Check the \"grant_type\" parameter."

Request

Method : POST

Content-Type: application/x-www-form-urlencoded

URL : https://{domain_prefix}.vendhq.com/api/1.0/token

Parameters :

code          = {code}

client_id     = {app_id}

client_secret = {app_secret}

grant_type    = authorization_code

redirect_uri  = {redirect_uri}
2
oauth-2.0

2 Answers

10
votes

As per the RFC6749, section 4.1.3, the encoded body of a POST request should look like code={code}&client_id={app_id}&client_secret={app_secret}&grant_type=authorization_code&redirect_uri={redirect_uri}.

Example:

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb&client_id=CLIENT_ID_1234&client_secret=CLIENT_SECRET

Do not forget to encode the redirect Uri: http://foo.bar/ => http%3A%2F%2Ffoo.bar%2F

Concerning the authentication error, it may be because the authorization server do not support client secret in post request (or your client is not allowed to use it). Then try to add the Authorization header with basic authentication scheme. The value of this header is Basic {ENCODED_AUTHENTICATION} with {ENCODED_AUTHENTICATION} =base64(client_id + ':' + client_secret)

With this header, the client_id and client_secret in the post request have to be removed. Your request parameters become code={code}&grant_type=authorization_code&redirect_uri={redirect_uri}.

4
votes

You will need to check the URL to which you are attempting to send your POST to. The service that you are attempting to contact does not exist or is currently unavailable.