Score:0

401 error when trying to retrieve OAuth access token


I'm trying to configure simple_oauth to use with a local Lando install of a Drupal 9 site with a decoupled React frontend.

I followed the instructions at https://drupalize.me/tutorial/install-and-configure-simple-oauth?p=3003 and generated the necessary RSA keys in the terminal:

$ openssl genrsa -out private.key 2048
$ openssl rsa -in private.key -pubout -out public.key

...placing the keys into /drupal_root/key, and specifying their paths at /admin/config/people/simple_oauth. I opened both files in Gedit and they look standard.

Simple OAuth key paths defined

Then I created a new 'OAUTH' role, giving it permissions to add, edit and delete content.

'OAUTH' role permissions (*"Article: edit" also enabled below, not pictured)

I created a consumer, enabled the 'OAUTH' role, saved the configuration and copied its secret and UUID.

New consumer for the app

Then I followed the instructions at https://drupalize.me/tutorial/make-api-requests-oauth?p=3253 to make a POST request using Postman. The only difference is that instead of their request to http://localhost:8888/oauth/token, I sent it to my Lando url http://react1.lndo.site/oauth/token

POST request headers

POST request body

I've checked the request headers and body key:values carefully (ensuring client_id, client_secret, username and password are correct), but I keep getting 401 responses that say "invalid_client", "Client authentication failed".

Then I tried making the request with cURL and got the same error response:

$ curl -F 'grant_type=password' -F 'client_id=b7958f62-df63-4b95-9a55-20954178d788' -F 'client_secret=react2' -F 'username=oauthuser' -F 'password=password' -F 'scope=oauth' -X POST http://react1.lndo.site/oauth/token

{"error":"invalid_client","error_description":"Client authentication failed","message":"Client authentication failed"}

I also tried making the request via cURL using a different format and got a different error message:

$ curl -d '{"grant_type":"password", "client_id":"b7958f62-df63-4b95-9a55-20954178d788", "client_secret":"react2", "username":"oauthuser", "password":"password", "scope":"oauth"}' -H "Content-Type: application/x-www-form-urlencoded" -X POST http://react1.lndo.site/oauth/token

{"error":"invalid_grant","error_description":"The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.","hint":"Check the configuration to see if the grant is enabled.","message":"The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."}

What am I missing here?
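As an added example, not part of the original post: a small Python check of how a form parser sees the body of a token request like the second cURL call above, where a JSON body is sent under Content-Type: application/x-www-form-urlencoded. The names `lint_token_request` and `form_fields` and the `SAMPLE` values are constructed for illustration; it checks request encoding only, not the consumer configuration on the server.

```python
import json
from urllib.parse import parse_qs, urlencode

# Parameters the password grant sends to the token endpoint (RFC 6749, section 4.3.2),
# plus the client credentials, which the requests in this thread put in the body.
REQUIRED = ("grant_type", "client_id", "client_secret", "username", "password")
FORM = "application/x-www-form-urlencoded"


def form_fields(body):
    """Decode a body the way a form-urlencoded parser would."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def lint_token_request(content_type, body):
    """Return a list of encoding problems in a password-grant token request."""
    problems = []
    media_type = content_type.split(";")[0].strip().lower()
    if media_type != FORM:
        # RFC 6749 specifies form-urlencoded for the token request body.
        problems.append(f"Content-Type is {media_type}, RFC 6749 specifies {FORM}")
    try:
        looks_like_json = isinstance(json.loads(body), dict)
    except ValueError:
        looks_like_json = False
    if looks_like_json:
        problems.append("body is JSON, so a form parser finds no parameters in it")
    fields = form_fields(body)
    missing = [name for name in REQUIRED if not fields.get(name)]
    if missing:
        problems.append("missing after form decoding: " + ", ".join(missing))
    return problems


# Constructed sample values, not the credentials from the thread.
SAMPLE = {"grant_type": "password", "client_id": "00000000-0000-4000-8000-000000000000",
          "client_secret": "example-secret", "username": "exampleuser",
          "password": "example-pass", "scope": "oauth"}

if __name__ == "__main__":
    # JSON body under a form-urlencoded Content-Type: every parameter is missing.
    for problem in lint_token_request(FORM, json.dumps(SAMPLE)):
        print("JSON body:", problem)
    # The same parameters, form-encoded: no problems reported.
    print("form body:", lint_token_request(FORM, urlencode(SAMPLE)))
```
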

Score:0
  1. In Postman, try to remove the accept\content-type headers; for this request the defaults should be okay.

  2. When saving the oauth client, be sure that the Chrome client doesn't autofill the "User" field with wrong data. The user field should be empty. Obviously, also check that the password you're using is correct.

  3. Check if the permissions of the keys are correct. I don't remember the right permission set, but for testing you could set them to 777, and a message suggesting the right ones should appear in the db log.

  4. Is the scope "oauth" valid? I mean, is it a valid role for your site?


raresample
Thanks for your reply Giuseppe. In short, nothing helped. In detail: 1. Tried that, same error. 2. I'm using Firefox. User field confirmed empty. Confirmed client secret and user password. Same error. 3. Gave the keys all permissions. Same error. 4. Yes, 'OAUTH' is a role I created as part of the linked tutorial. Removed that header and tried request again, same error.