OAuth Unauthorized Client Error - oauth-2.0

Working on my Google Glassware and everything seemed to be going fine. I tried loading it up the other day after a while of not working on it and had an OAuth error. I tried refreshing the key and even starting a new project. The error I got has at least changed; I am now getting -
An error occurred: Error refreshing the OAuth2 token, message: '{ "error" : "unauthorized_client" }'
The code is pretty much completely based off of the PHP Quick Start. This happens when I try and authorize the app with my account. I know my information is correct for the config.php file. Any suggestions?

I think in this case, it is possible that the authorization server has not allowed access to the authorization grant type.
{error: 'unauthorized client'} may be related to the authorization server settings for the grant_types it has allowed.
Reference: http://tools.ietf.org/id/draft-ietf-oauth-v2-12.html#token-errors

Related

Refreshing tokens in Cognito constantly fails with "invalid_grant" / "Invalid Refresh Token" error

I keep on getting an "invalid grant" error, yet for what I can tell I am doing it all as per spec. I can get the tokens just fine:
aws cognito-idp initiate-auth --auth-flow USER_PASSWORD_AUTH --auth-parameters USERNAME=admin,PASSWORD=adminadmin,SECRET_HASH=Ol... --client-id 2pg...
That command gets me this:
Yet when I actually try to use the refresh token, I keep on getting:
An error occurred (NotAuthorizedException) when calling the InitiateAuth operation: Invalid Refresh Token.
App client seems to be configured properly. I don't have device tracking set up and the app config seems to allow refresh tokens too:
Similar error when invoking oauth2/token endpoint via Insomnia:
Where did I go wrong? Any help is greatly appreciated.
Turned out this behaviour was due to device tracking being turned on. Not sure if it's a bug or a feature, but after turning it off refresh tokens started to work like a charm:

Blackberry UEM REST API 401 Unauthorised error

Unable to perform any authorized API calls using the Blackberry UEM REST API service. I'm running a trial cloud instance of BlackBerry UEM and calls to "ping" and "authorization" work. However, after obtaining the authorization code, using it on any REST calls fails with the error 401 Unauthorized.
The credential used is of an administrator with the "Security Administrator" role which has full permission. I have also tried the above in postman and also the sample PowerShell command, but the results are the same.
Does anyone know what's going wrong here? Am I missing any configuration? I am going a bit crazy... Thanks.
If you get a 401 error, it's almost always an issue with the account/authorization you're using.
Since you're connecting to the cloud instance of UEM, it ONLY supports OAuth authentication. For this to work, you will need a token, not an authorization code. Here is a devblog.blackberry.com entry on the steps: https://devblog.blackberry.com/en/2020/07/new-authentication-option-for-rest-apis-oauth.
Give that a try instead.

How to debug keyrock

I have successfully used the shared Keyrock from FILAB to let my own web application authenticate users, using OAuth.
When I tried it with a second application, I get an error from the FILAB web page: "Bad Request"
The error occurs after the user logs in.
Is there a way to get additional information, what was wrong with the request?
I'm guessing you are using the "authorization code grant" flow defined by the OAuth2 standard and supported by Keyrock. In that scenario, you need to provide three parameters when building the authentication URL:
response_type must be code (or token when using the "implicit grant" flow), otherwise IdM will return an unsupported_response_type error.
If the client_id exists, but the redirect_url doesn't match the one provided when creating the application, then a bad request error will be raised. This error can be raised if the client_id is wrong, if the redirect_url is wrong or if both are wrong. This is your case.
If the client_id app doesn't exist, the IdM will return a 404 error page.
If any of these parameters are missing in the request, the IdM will raise an invalid_request error.
Except for the error 404, Keyrock seems to follow the OAuth2 protocol.

Issues with Google OAuth2 in iOS - "invalid_grant" error

I'm having issues with Google OAuth2 in iOS; I'm getting an "invalid_grant" error. I am doing the following steps:
I created the project and credential (iOS app) in the Google Console;
I did request the CODE;
I did request the access token (working well);
10 minutes before the expiry of the access token, I do request a refresh token.
The problem is intermittent. Sometimes the request for refresh (refresh_token) returns "invalid_grant" and so the access_token becomes invalid and my application just stops.
Forcing the user to log in to generate a new access_token and refresh_token does not work. I have to revoke the permissions of the account and try again.

What I need is access to Gmail IMAP and SMTP. If I check the access_token (https://www.googleapis.com/oauth2/v1/tokeninfo), it is active and valid, but IMAP and SMTP deny access.
I'm actually thinking of going back to username and password login. The service is very unstable for not having the same reaction. I'm sure I'm not bursting any limitations, and even so the message "invalid_grant" would at least not be appropriate.
Please, any employee of Google, HELP ME!
Thank you.
I was facing this problem as well. I wasn't doing anything with IMAP, but I was getting an invalid_grant pretty frequently when trying to handle auth. Eventually I got things working using the following settings:
authentication.refreshToken = savedRefreshToken;
authentication.accessToken = savedAccessToken;
authentication.additionalTokenRequestParameters = @{@"access_type": @"offline"};
I think it was mainly that last one that did the trick. I found it somewhere in the Google documentation, but I didn't save where. Their docs are pretty messy.

Google OAuth2 Authorizing OAuth token error: redirect_uri_mismatch

I am creating and authorizing an OAuth token according to this webpage: https://code.google.com/p/google-mail-oauth2-tools/wiki/OAuth2DotPyRunThrough
But I got this error: redirect_uri_mismatch.
The redirect URI in the request: urn:ietf:wg:oauth:2.0:oob did not match a registered redirect URI
from_login=1
cookie_policy_enforce=false
scope=https://mail.google.com/
response_type=code
access_type=online
redirect_uri=urn:ietf:wg:oauth:2.0:oob
as=-80019291b2cb8ed
display=page
pli=1
client_id=......
authuser=0
hl=en
I thought this might be helpful: Google OAuth 2 authorization - Error: redirect_uri_mismatch
But when I try to register the redirect url to my console, I was told that the url is invalid.
The redirect_uri (urn:ietf:wg:oauth:2.0:oob) is only applicable to those Google client ids that have been generated for installed applications. You can go to your console and create a new client id of this type.
Just in case you're using the Google+ JavaScript button (with a web application), you have to put postmessage instead of the actual URI. It took me almost a whole day to figure this out, because the Google docs don't clearly state it for some reason.
For my web application I corrected my mistake by writing
instead of : http://localhost:11472/authorize/
type : http://localhost/authorize/
When you register your app at https://code.google.com/apis/console and
make a Client ID, you get a chance to specify one or more redirect
URIs. The value of the redirect_uri parameter on your auth URI has to
match one of them exactly.
Please note that the 'redirect_uri' value of the Token request needs to be the same as the 'redirect_uri' value of the Authorization request.
Lost 4 or 5 hours with this... use 'postmessage' as parameter value, not the real Redirect Uri...
$client->setRedirectUri('postmessage');
For anybody that is still stumped with this problem, you must have the 'Platform' set to 'Native (Windows Mobile, Blackberry, desktop, devices, and more)' when registering your app in the Google Cloud Console, otherwise, it will not let you use 'urn:ietf:wg:oauth:2.0:oob' as the redirect URI.
In my case, instead of creating a web app, I just chose Other in:
OAuth Client ID > Other
and that's it.
2015July15 - working signin started causing Error 400 with Error: redirect_uri_mismatch
I posted a solution on a similar SO question: changed the loading script to
<script src="https://apis.google.com/js/client:platform.js?onload=startApp"></script>
For my native app, I tried dozens of different things. I finally got it to work by using "redirect_uri=http%3A%2F%2Flocalhost%3A1234" where 1234 is the port number. This has to be identical in the two requests (authorization code and the access token). Notice the use of percent encoding.
I was getting this error, because I was incorrectly following the steps for installed application flow here
https://github.com/googleads/googleads-python-lib/wiki
instead of the server to server flow.
The easiest way is to create the service account.
Create the document using your own account and share it with the service account.
redirect_uri must be an EXACT MATCH on the developers console.
In my case, this was due to a trailing slash (/).
In the Google Cloud console, I had http://localhost:8080 under the redirect URIs in the list while my code was sending http://localhost:8080/ while making the OAuth call.
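
Added example, not taken from any of the posts above or from Google's or Keyrock's code: a pre-flight check for an authorization URL that models the rules described in the Keyrock answer (required parameters, allowed response_type) and the exact-match redirect_uri rule from the answers above, and names the URI component that differs. The endpoint, client id and registered URIs are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs

REQUIRED = ("response_type", "client_id", "redirect_uri")

def explain_mismatch(sent, registered):
    """Name the first URI component in which the two redirect URIs differ."""
    a, b = urlsplit(sent), urlsplit(registered)
    if a.scheme != b.scheme:
        return "scheme differs"
    if a.hostname != b.hostname:
        return "host differs"
    if a.port != b.port:
        return "port differs"
    if a.path != b.path:
        if a.path.rstrip("/") == b.path.rstrip("/"):
            return "trailing slash differs"
        return "path differs"
    return "query, fragment or letter case differs"

def check_authorization_url(url, registered_uris):
    """Pre-flight an authorization URL; an empty list means no finding."""
    # parse_qs percent-decodes values, so the comparison below is made on the
    # decoded redirect_uri, the same string that is registered in the console.
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    findings = [f"invalid_request: missing {p}" for p in REQUIRED if p not in params]
    rtype = params.get("response_type")
    if rtype is not None and rtype not in ("code", "token"):
        findings.append(f"unsupported_response_type: {rtype}")
    sent = params.get("redirect_uri")
    if sent is not None and sent not in registered_uris:
        # Exact string match failed: report the difference per registration.
        for reg in registered_uris:
            findings.append(
                f"redirect_uri mismatch vs {reg}: {explain_mismatch(sent, reg)}")
    return findings

# Constructed sample input: hypothetical endpoint, client id and registrations.
REGISTERED = ["http://localhost:8080", "http://localhost/authorize/"]
SAMPLE_URL = ("https://idp.example/oauth2/authorize?response_type=code"
              "&client_id=EXAMPLE_CLIENT_ID"
              "&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F")

if __name__ == "__main__":
    for finding in check_authorization_url(SAMPLE_URL, REGISTERED):
        print(finding)
```

The same redirect_uri string has to be sent again in the token request, so running the check on the value used there catches a mismatch between the two requests as well.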
