I have a Java application with an Angular 4 front end and I'm trying to implement OpenID Connect authorization with OneLogin. I have the app configured in OneLogin with a redirect URL that is an API endpoint to collect the code generated by OneLogin. Steps 1 - 3 are working as described in the OneLogin documentation, but step 4 fails every time and I cannot figure out why.
Step 1: the user attempts to start a session with your client app and is redirected to the OpenID Provider (OneLogin), passing in the client ID, which is unique for that application. - This works, the user is redirected to a login page hosted by OneLogin.
Step 2: the OpenID Provider authenticates and authorizes the user for a particular application instance. - This works.
Step 3: a one-time-use code is passed back to the web server using a predefined Redirect URI. - The URI is an API endpoint on the server and it does successfully get the code from OneLogin.
Step 4: the web server passes the code, client ID, and client secret to the OpenID Provider’s token endpoint, and the OpenID Provider validates the code and returns a one-hour access token. - This is where it falls apart for me.
The only response I get back is "grant request is invalid". The HTTP POST that I am constructing for this step looks like this:
curl -XPOST "https://openid-connect.onelogin.com/oidc/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=authorization_code" \
  -d "code=<code returned in step 3>" \
  -d "redirect_uri=https%3A%2F%2Flocalhost" \
  -d "client_id=<My OIDC Client ID>" \
  -d "client_secret=<My OIDC Client Secret>"
And the response every time is:
{
"error": "invalid_grant",
"error_description": "grant request is invalid"
}
I'm at a complete loss as to what to try next.
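As an added example (not the asker's Java code and not a OneLogin SDK), here is the same authorization-code flow in Python with the step 1 authorization request and the step 4 token request built from one shared configuration, so the redirect_uri sent to the token endpoint is the identical string that was sent to the authorization endpoint, which RFC 6749 requires for the code exchange, and the callback is accepted only when its state matches the one we issued. The /oidc/auth path, the callback path and the credential values are assumptions and placeholders.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed configuration with placeholder credentials. The /oidc/auth path is an
# assumption; the token endpoint is the one from the question.
CONFIG = {
    "authorization_endpoint": "https://openid-connect.onelogin.com/oidc/auth",
    "token_endpoint": "https://openid-connect.onelogin.com/oidc/token",
    "client_id": "<My OIDC Client ID>",
    "client_secret": "<My OIDC Client Secret>",
    # One value referenced by both requests, so step 1 and step 4 cannot drift apart.
    "redirect_uri": "https://localhost/api/oidc/callback",
}


def build_authorization_url(cfg, state, nonce):
    """Step 1: the browser is redirected here; the provider records redirect_uri."""
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": cfg["client_id"],
        "redirect_uri": cfg["redirect_uri"],
        "state": state,   # random per login attempt, stored server-side
        "nonce": nonce,   # random per login attempt, later checked in the ID token
    }
    return cfg["authorization_endpoint"] + "?" + urlencode(params)


def extract_code(cfg, callback_url, expected_state):
    """Step 3: the callback hits redirect_uri; reject it unless state matches."""
    query = parse_qs(urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not tied to our authorization request")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    return query["code"][0]  # single use: a second exchange of it yields invalid_grant


def build_token_request(cfg, code):
    """Step 4: the back-channel POST. Returns (url, headers, body) ready to send."""
    body = urlencode({  # form-encodes on one line; no stray newlines reach the body
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": cfg["redirect_uri"],  # byte-for-byte the step 1 value
        "client_id": cfg["client_id"],
        "client_secret": cfg["client_secret"],
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return cfg["token_endpoint"], headers, body
```

Send the returned body with any HTTP client; if the provider still answers invalid_grant, compare the redirect_uri it received in step 1 (visible in the browser's redirect) against the one in this body, and confirm the code has not already been exchanged.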