Server returns 403 during Authorization Code Flow

osrs_airport · July 10, 2016, 8:02pm

I really can’t figure out what I am doing wrong… I followed the ‘guide on Github’ and came up with

  	String urlParameters =
  			  "client_id=" + URLEncoder.encode(clientid, "UTF-8")
  			+ "&client_secret=" + URLEncoder.encode(secret, "UTF-8")
  			+ "&grant_type=authorization_code&redirect_uri=" + URLEncoder.encode("http://localhost:8000/token", "UTF-8")
  			+ "&code=" + URLEncoder.encode(token, "UTF-8")
  			+ "&state=" + URLEncoder.encode(uuid.replace("-", ""), "UTF-8");
                                [...]
                     	InputStreamReader in = new InputStreamReader(conn.getInputStream());

And I am getting a

java.io.IOException: Server returned HTTP response code: 403 for URL: https://api.twitch.tv/kraken/oauth2/token

at line

InputStreamReader in = new InputStreamReader(conn.getInputStream());

I have dubble checked my Secret / Client-ID etc, can’t spot a mistake in my Code.
Still I can not get it working…
Any ideas?

tournymasterbotCurse · July 11, 2016, 3:10am

A 403 typically indicates a bad username/password [or in this case, client id + client secret] (a 403 is a forbidden error code).

Client ID and Client Secret don’t typically need a url encoder, but as it doesn’t contain special characters, that should be a no-op.

&client_secret=[your client secret]
&grant_type=authorization_code
&redirect_uri=[your registered redirect URI]
&code=[code received from redirect URI]
&state=[your provided unique token]```

I'd have to check my implementation, but I'm not sure if token should be url encoded.

Otherwise it looks good, with a general disclaimer that I don't typically work in java.

Provided your redirect url in your application is pointing at 'http://localhost:8000/token' that should be ok - but generally redirecting from an https endpoint (twitch auth) to an http endpoint (your local server) is a no-no, but shouldn't be deal breaking.

DallasNChains · July 11, 2016, 3:56am

Have you tried a HttpsUrlConnection object instead of just Http?

osrs_airport · July 11, 2016, 6:52am

I am allready using one! see this line
conn = (HttpURLConnection) url.openConnection();

osrs_airport · July 11, 2016, 6:58am

I have dubble checked my client-ID and client-Secret, they were correct… I’ve resettet my Secret and it worked, weird, but oh well! Thank you anyways

DallasNChains · July 11, 2016, 12:07pm

Glad you figured it out! My suggestion was to use HttpsUrlConnection instead of HttpUrlConnection. Note the extra S.

osrs_airport · July 11, 2016, 7:32pm

Oh yeah, I forgot to put down a s on every single one of them replaced, thanks!

Topic		Replies	Views
OIDC Authorization - Bad Request - PHP API	3	1710	March 13, 2018
Getting authorization_code via https://api.twitch.tv/api/oauth2/token? stopped working without making any code changes API	7	1677	February 13, 2019
400 : Missing client secret - OAuth authorization code flow API	3	564	May 12, 2021
.NET Authentication and Authroization API	3	6143	October 2, 2015
{ status: 400, message: 'Invalid authorization code' } API	9	621	February 18, 2023

Server returns 403 during Authorization Code Flow

Related topics