400 bad request from token API

I am trying to understand the 400 'Bad Request' error from the token request of the Authorization code flow tutorial. Others have asked before though I'm not interested in creating a headless/unattended app - I'd rather have users create their own authorizations when needed.

The response has an error of "invalid_client" and error_description of "The specified credentials were not valid."

Here is a sanitized copy of the message:

{Method: POST, RequestUri: 'https://oauth2.sky.blackbaud.com/token', Version: 1.1, Content: System.Net.Http.FormUrlEncodedContent, Headers:
{
Authorization: Basic ZTxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxQ4
Content-Type: application/x-www-form-urlencoded
Content-Length: 212
}}

and the content, before encoding, contains the four required fields when using PKCE:

{[grant_type, authorization_code]}
{[code, 8fxxxxxxxxxxxxxxxxxxxxxxxxxxxxc0]}
{[redirect_uri, http://localhost/handler.ashx]}
{[code_verifier, tAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxpI]}

Questions:

  • When passing the PKCE for authorization rest, it's SHA256 encrypted, Base 64 encoded string. Got it. For this token request, the value is called “code_verifier” and described in the tutorial as "high-entropy cryptographic random STRING using the unreserved characters ….. with a minimum length of 43 characters and a maximum length of 128 characters" -- does that mean it should NOT be encrypted or encoded, but just the original randomly generated string? I get the 400 error either way, but thought it worth clarifying.
  • How can I tell which part of the client is invalid? If the credentials were not valid, can I narrow the problem down to the authorization code in the header, or could the response error refer to other parts of the request, like encoding/etc?
  • Has anyone successfully used ASP.NET 4.5-4.8 to create an httpclient request for the auth token, and could offer any advice on how to debug this error?

Comments

  • Daniel Leonard (Blackbaud Employee)

    @Lew Burrus It's possible the credentials are truncated or incorrect.

    This error indicates that we were unable to retrieve and verify your application's credentials (application ID and secret) from either the Authorization header or the request body. To resolve this, ensure that you are providing the correct application credentials as either base64-encoded values within the Authorization header (preferred), or as form-url-encoded values client_id and client_secret in the request body.

    Note: When specifying credentials using the Authorization header, the value must have the format: Basic <base64 encoded Application ID:Application secret>. Make sure to include a space after the "Basic" prefix.

    After you register an application, the credentials are displayed in the Application Credentials column of the My Applications page. Application ID is the unique identifier for your application, and should be specified as the client_id parameter value. Use the Application Secret as the client_secret parameter value.

    For more information, see step 4 of Authorization Code Flow documentation.

    Variations of this error condition can take the following forms:

    • "The required credentials were not supplied."
    • "The required client_id parameter was not provided."
    • "The specified credentials were not valid."
    • "The value specified for the client_id parameter 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX' was not valid."

    Ensure that the application's credentials were properly specified as either base64-encoded values within the Authorization header (preferred), or as form-url-encoded values client_id and client_secret in the request body.

  • Daniel Leonard (Blackbaud Employee)

    @Lew Burrus
    Questions:

    • When passing the PKCE for authorization rest, it's SHA256 encrypted, Base 64 encoded string. Got it. For this token request, the value is called “code_verifier” and described in the tutorial as "high-entropy cryptographic random STRING using the unreserved characters ….. with a minimum length of 43 characters and a maximum length of 128 characters" -- does that mean it should NOT be encrypted or encoded, but just the original randomly generated string? I get the 400 error either way, but thought it worth clarifying.
      • It should be the unencrypted code verifier that would be POST'd as part of the request body. The request body would have a content type of `application/x-www-form-urlencoded`
    • How can I tell which part of the client is invalid? If the credentials were not valid, can I narrow the problem down to the authorization code in the header, or could the response error refer to other parts of the request, like encoding/etc?
      • It is likely a truncated or incorrect Authorization header
    • Has anyone successfully used ASP.NET 4.5-4.8 to create an httpclient request for the auth token, and could offer any advice on how to debug this error?
      • You would need a try catch around the http request to exchange the authorization code. You should be able to add a breakpoint in the catch block and see the values of the Exception.
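The token exchange the two comments above describe, as an added example (not Blackbaud's code and not either poster's): it generates a PKCE verifier/challenge pair, builds the `Basic` header and the four-field form body, and pre-checks the header locally for the truncation Daniel suspects. The client id, secret, authorization code and redirect URI are constructed placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

TOKEN_URL = "https://oauth2.sky.blackbaud.com/token"  # endpoint quoted in the thread


def b64url(raw):
    """Base64url without '=' padding, the encoding RFC 7636 uses for code_challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """32 random bytes give a 43-char verifier; the challenge is its SHA-256 hash.
    The token request sends the plain verifier, never the hashed/encoded challenge."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def basic_header(client_id, client_secret):
    """'Basic ' + base64(client_id:client_secret); the single space matters."""
    token = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def token_request(client_id, client_secret, code, redirect_uri, verifier):
    """Assemble the POST shown in the question: credentials in the header,
    the four PKCE fields form-url-encoded in the body (constructed values)."""
    headers = {"Authorization": basic_header(client_id, client_secret),
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri, "code_verifier": verifier})
    return {"method": "POST", "url": TOKEN_URL, "headers": headers, "body": body}


def check_basic_header(value):
    """Client-side pre-flight: report the first defect that would make a token
    endpoint answer invalid_client, before the request is ever sent."""
    if not value.startswith("Basic "):
        return "missing 'Basic ' prefix (the space is required)"
    try:
        decoded = base64.b64decode(value[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return "credential is not valid base64 (truncated or corrupted)"
    if ":" not in decoded or not all(decoded.split(":", 1)):
        return "decoded value is not 'client_id:client_secret'"
    return "ok"
```

Running `check_basic_header` on the exact string your HttpClient sends is a quick way to separate a damaged header from a wrong secret before blaming the PKCE fields.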
  • Lew Burrus (New Member)

    @Daniel Leonard
    So, keep banging my head against the tutorial until it works. Will do.

  • Daniel Leonard (Blackbaud Employee)

    @Lew Burrus Sorry you are struggling with authorization. I know it can be complicated and frustrating. I am glad to try and help.

    Are you still getting the same error?

    Have you tried passing the `client_id` in the body of the form instead of in the Authorization header of the authorization HTTP request?

    Are you able to share the code where you are having an issue?
