[RESOLVED] 400 Invalid authorization code

I have an auth problem. This is the link I redirect a user to when he clicks the auth with Twitch button:

url = "https://id.twitch.tv/oauth2/authorize?response_type=code&client_id=qrwctu82red26ek1d320lpr4uqbz9e&redirect_uri=http://clip-maker.com/redirect-from-twitch&scope=user:read:email clips:edit"

When I receive a code on my server I'm sending another POST request from my server:

and getting:

  {
    "status" : 400,
    "message" : "Invalid authorization code"
  }

General Issues

url = "https://id.twitch.tv/oauth2/authorize?response_type=code&client_id=qrwctu82red26ek1d320lpr4uqbz9e&redirect_uri=http://clip-maker.com/redirect-from-twitch&scope=user:read:email clips:edit"

should be

url = "https://id.twitch.tv/oauth2/authorize?response_type=code&client_id=qrwctu82red26ek1d320lpr4uqbz9e&redirect_uri=http://clip-maker.com/redirect-from-twitch&scope=user:read:email+clips:edit"

Secondly, consider moving to SSL for security/user happiness on your callback.

And to your actual issue:

This usually suggests you accidentally used the code twice, and thus the second/final one failed.

I can’t see anything wrong given the information/code you have provided.

Using ‘+’ instead of ‘ ’ (white space) does not make any difference.

It won’t to your issue; it’s just a problem/bad practice I pointed out on the outbound link. (Sorry, should have been more clear.)

I believe your code is doing the token exchange Twitch.

oAuth flow is: for “normal oAuth flows”

  1. Redirect/Send the user to Twitch
  2. They either Accept or Decline at Twitch
  3. If they accept they are sent to your callback URL with the code in the query string
  4. You exchange the code for a token.

The most common reason for

Is you

This might occur if you return to your website, do the code for token exchange, then redirect from that page to another page with the code still in the query string, and then your code for token exchange login fires again. (I’ve done that before myself.)

For the code param I’m using the one received from the Twitch redirect. Example: REMOVED

Codes should be considered similar to access tokens and not leaked publicly. Granted, I can’t do much with the code since I’d need your secret, but still it’s not good practice. I have removed it from your post.

As a note: this auth was working for me before (so the same code). Now I’m getting the 400 error.

I checked four different login flows I have and cannot replicate the issue.

So something would appear to have changed in your environment somewhere.

I have two applications on the same account which use the same host (and different paths). Could this be a cause of the issue?

Unlikely, that wouldn’t cause a 400, since your applications shouldn’t be sending codes to each other/crosstalking like this.

In my test I tested flows on the same server that uses multiple sets of application keys.

Looks like I’m doing everything right, but still getting an error. What else could I do to catch the error?

This error is 99% of the time your side.

Add server side logging to your calls to confirm what’s going on. Log all your outbound HTTP requests?

So I don’t know.

The only time I’ve run into it is when my code was doing the exchange twice in error. (Usually because it did the exchange then I’ve hit F5 and it tried to exchange again).

Thanks, I have turned on logging and figured out that I did 2 of the same requests and the second one failed with a 400 code.

Glad it’s fixed!
