Authorization Code Flow not working

Hi There,

I am following the sample from your documentation:

And I have written some PHP to try your API, but I keep getting this error:
Array (
[0] => HTTP/1.1 401 Unauthorized
[1] => Date: Sat, 14 Dec 2019 16:19:11 GMT
[2] => Content-Type: application/json
[3] => Content-Length: 60
[4] => Connection: close
[5] => Server: nginx
[6] => ot-tracer-spanid: 40b925f6584e936d
[7] => ot-tracer-traceid: 7419bad82eca482e
[8] => ot-tracer-sampled: true
[9] => X-Auth0-RequestId: 1f9d84bfd38bbfef38ed
[10] => Set-Cookie: did=s%3Av0%3A765cd9c0-1e8d-11ea-9bd4-b1a33e1e9813.yVhv%2FAnEOrSeERsQHfHlxVaNBFWa4Xpe4%2BzvsYHt434; Max-Age=157788000; Path=/; Expires=Fri, 13 Dec 2024 22:19:11 GMT; HttpOnly; Secure; SameSite=None
[11] => Set-Cookie: did_compat=s%3Av0%3A765cd9c0-1e8d-11ea-9bd4-b1a33e1e9813.yVhv%2FAnEOrSeERsQHfHlxVaNBFWa4Xpe4%2BzvsYHt434; Max-Age=157788000; Path=/; Expires=Fri, 13 Dec 2024 22:19:11 GMT; HttpOnly; Secure
[12] => X-RateLimit-Limit: 30
[13] => X-RateLimit-Remaining: 29
[14] => X-RateLimit-Reset: 1576340352
[15] => cache-control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, no-transform
)

when I do a post to oauth/token.

My code:

<?php

// https://auth0.com/docs/flows/guides/auth-code/add-login-auth-code

function run() {
	$redirectUrl='http://localhost:8080/login.php';
	$clientId = 'from settings';
	$clientSecret = 'from settings';

// Authorize the User
	$url="https://bronsted.eu.auth0.com/authorize?".
		"response_type=code&".
		"client_id=$clientId&".
		"redirect_uri=$redirectUrl&".
		"scope=openid%20profile&".
		"state=xyzABC123";

	if (isset($_REQUEST['error'])) {
		die($_REQUEST['error']);
	}
	else if (isset($_REQUEST['code'])) {
		$accessToken = $_REQUEST['code'];
		$token = getToken($accessToken, $redirectUrl, $clientId, $clientSecret);
		print_r($token);
	}
	else {
		header('Location: '.$url);
	}
}

function getToken($accessToken, $redirectUrl, $clientId, $clientSecret) {
	$postdata = http_build_query(
		array(
			'grant_type' => 'authorization_code',
			'code' => $accessToken,
			'client_id' => $clientId, // $dic->config->auth0_clientId
			'client_secret' => $clientSecret, //$dic->config->auth0_clientSecret
			'redirect_uri' => $redirectUrl,
		)
	);

	$opts = array('http' =>
		array (
			'method' => 'POST',
			'header' => 'Content-type: application/xwww-form-urlencoded',
			'content' => $postdata
		)
	);

	$context  = stream_context_create($opts);

	$url = 'https://bronsted.eu.auth0.com/oauth/token';
	$http_response_header = [];
	$result = @file_get_contents($url, false, $context);
	if ($result === false) {
		print_r($http_response_header);
		throw new RuntimeException('Get content failed');
	}
	return $result;
}

run();
2 Likes

Hi @sorenbronsted
The 401 response would indicate that the authentication information is incorrect (wrong client ID or secret). Can you double-check the client secret in the configuration, or alternatively try the flow using Postman or cURL?

If it helps, GitHub - auth0/auth0-PHP (PHP SDK for Auth0 Authentication and Management APIs) is the PHP SDK, and the code to do the code exchange is here. Here’s a quickstart that uses the SDK: Auth0 PHP SDK Quickstarts: Login. Even with these available, I like your approach of trying the authorization code flow manually at least to understand how things work. In a production setting, though, you will want to generate a random state and check it on the authentication response to prevent CSRF login attacks.

1 Like

I found the error. Misspelled content-type ‘xwww-…’, should be ‘x-www…’

1 Like
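Putting the two points of this thread together (the corrected Content-Type header from the last reply, and the random, session-bound state check the earlier reply recommends), here is an added example of the same manual authorization-code flow. It is not code from the original post or from the Auth0 SDK; the tenant domain, client ID and client secret are placeholders, and it uses PHP's curl extension instead of file_get_contents so that a 401 from /oauth/token surfaces with the server's error_description rather than as a bare false.

```php
<?php
// Added example (not the original poster's code or the Auth0 SDK): manual
// authorization-code flow with (1) the correct token-request Content-Type,
// application/x-www-form-urlencoded, and (2) a random state parameter that
// is stored in the session and verified on the callback.
// All credential values below are placeholders, not real tenant settings.

declare(strict_types=1);
session_start();

const AUTH0_DOMAIN  = 'YOUR_TENANT.eu.auth0.com';   // placeholder
const CLIENT_ID     = 'YOUR_CLIENT_ID';             // placeholder
const CLIENT_SECRET = 'YOUR_CLIENT_SECRET';         // placeholder
const REDIRECT_URI  = 'http://localhost:8080/login.php';

// Step 1: build the /authorize URL. http_build_query percent-encodes the
// redirect_uri and scope values, so they need no manual escaping.
function buildAuthorizeUrl(string $state): string
{
    $params = [
        'response_type' => 'code',
        'client_id'     => CLIENT_ID,
        'redirect_uri'  => REDIRECT_URI,
        'scope'         => 'openid profile',
        'state'         => $state,
    ];
    return 'https://' . AUTH0_DOMAIN . '/authorize?' . http_build_query($params);
}

// Step 2: exchange the code at /oauth/token. Returns the decoded JSON body on
// 2xx; on any other status (a 401 for a wrong client secret, for example) it
// throws with the error_description the endpoint returned.
function exchangeCode(string $code): array
{
    $ch = curl_init('https://' . AUTH0_DOMAIN . '/oauth/token');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_RETURNTRANSFER => true,
        // The header the thread's bug was about: note "x-www", not "xwww".
        CURLOPT_HTTPHEADER     => ['Content-Type: application/x-www-form-urlencoded'],
        CURLOPT_POSTFIELDS     => http_build_query([
            'grant_type'    => 'authorization_code',
            'code'          => $code,
            'client_id'     => CLIENT_ID,
            'client_secret' => CLIENT_SECRET,
            'redirect_uri'  => REDIRECT_URI,
        ]),
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $err    = curl_error($ch);
    curl_close($ch);

    if ($body === false) {
        throw new RuntimeException('Token request failed: ' . $err);
    }
    $json = json_decode($body, true) ?? [];
    if ($status < 200 || $status >= 300) {
        $desc = $json['error_description'] ?? $body;
        throw new RuntimeException("Token endpoint returned HTTP $status: $desc");
    }
    return $json;
}

function run(): void
{
    if (isset($_GET['error'])) {
        http_response_code(400);
        exit('Authorization failed: ' . htmlspecialchars($_GET['error_description'] ?? $_GET['error']));
    }

    if (isset($_GET['code'])) {
        // Callback: the returned state must equal the one stored before the
        // redirect. A mismatch or a missing value means the response was not
        // started by this session, so the code is not exchanged.
        $expected = $_SESSION['oauth_state'] ?? '';
        unset($_SESSION['oauth_state']);            // single use
        if ($expected === '' || !hash_equals($expected, (string) ($_GET['state'] ?? ''))) {
            http_response_code(400);
            exit('Invalid state parameter');
        }
        $tokens = exchangeCode((string) $_GET['code']);
        header('Content-Type: text/plain');
        echo "Received token of type {$tokens['token_type']}\n";
        return;
    }

    // First visit: generate a random state, remember it, send the user to Auth0.
    $state = bin2hex(random_bytes(16));
    $_SESSION['oauth_state'] = $state;
    header('Location: ' . buildAuthorizeUrl($state), true, 302);
}

run();
```

Serve it as login.php at the registered redirect URI and open it in a browser; the first request redirects to /authorize, and the callback either prints the token type or reports why the exchange failed. hash_equals is used for the state comparison so the check runs in constant time, and the stored state is deleted before comparison so a callback can only be consumed once.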

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.