invalid_grant snippets

OAuth2 errors

Tagged invalid_grant, invalid_request, error, oauth2  Languages bash

OAuth2 errors

The list of OAuth2 errors can be found from the RFC: https://www.rfc-editor.org/rfc/rfc6749#section-5.2

 invalid_request
       The request is missing a required parameter, includes an
       unsupported parameter value (other than grant type),
       repeats a parameter, includes multiple credentials,
       utilizes more than one mechanism for authenticating the
       client, or is otherwise malformed.

 invalid_client
       Client authentication failed (e.g., unknown client, no
       client authentication included, or unsupported
       authentication method).  The authorization server MAY
       return an HTTP 401 (Unauthorized) status code to indicate
       which HTTP authentication schemes are supported.  If the
       client attempted to authenticate via the "Authorization"
       request header field, the authorization server MUST
       respond with an HTTP 401 (Unauthorized) status code and
       include the "WWW-Authenticate" response header field
       matching the authentication scheme used by the client.

 invalid_grant
       The provided authorization grant (e.g., authorization
       code, resource owner credentials) or refresh token is
       invalid, expired, revoked, does not match the redirection
       URI used in the authorization request, or was issued to
       another client.

 unauthorized_client
       The authenticated client is not authorized to use this
       authorization grant type.

 unsupported_grant_type
       The authorization grant type is not supported by the
       authorization server.

Solutions

How to fix "invalid_grant" thrown by the Rails doorkeeper gem

Tagged doorkeeper, invalid_grant, oauth2  Languages bash, ruby

The doorkeeper gem is throwing invalid_grant in your face and you don’t know why. Fixing it will be easier if we add some debug statements to the doorkeeper gem.

To find the relevant code, we run this from the CLI:

bundle exec gem which doorkeeper

This gives us the location of the doorkeeper code.

By reading or running grep on the doorkeeper code we can see that the code that raises the invalid_grant error is one of these lines in Doorkeeper::OAuth::AuthorizationCodeRequest:

  validate :grant,        error: :invalid_grant
  # @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
  validate :redirect_uri, error: :invalid_grant
  validate :code_verifier, error: :invalid_grant

For details, see: https://github.com/doorkeeper-gem/doorkeeper/blob/bfc132f58455052db7b0c7f936fb72ffd033130d/lib/doorkeeper/oauth/authorization_code_request.rb#L8-L11

Add a debugger statement (binding.pry) to each validation method in gems/doorkeeper-5.5.4/lib/doorkeeper/oauth/authorization_code_request.rb:


    78: def validate_redirect_uri
    79:   binding.pry
 => 80:   Helpers::URIChecker.valid_for_authorization?(
    81:     redirect_uri,
    82:     grant.redirect_uri,
    83:   )
    84: end

The debugger will stop when we try to authenticate again, and we find out that the problem in this case is an extra query parameters in the redirect_uri:

[1] pry(#<Doorkeeper::OAuth::AuthorizationCodeRequest>)> redirect_uri
=> "http://localhost:3000/app/oauth_session?source=password"
[2] pry(#<Doorkeeper::OAuth::AuthorizationCodeRequest>)> grant.redirect_uri
=> "http://localhost:3000/app/oauth_session?xxx=yyy&source=password"

By reading the OAuth specification we find that parameters are not allowed:

The solution is to remove any extra parameters, in this case xxx, from the client application’s redirect URI.