Custom OAuth returns Invalid authorization code

I am VERY new to Auth0 (like one week). We are having a great deal of fun setting this up, but I have hit a glitch I can’t seem to get past. We have a custom vendor (MinistryPlatform) that is our main OAuth server, but it only serves the users it knows about and we’re looking at Auth0 to be the “login above the logins”.

I have MinistryPlatform set up as a custom social connector and it seems to be logging in fine. If I look at the logs on the dashboard, I can see successful logins. Right now I am just passing back a dummy profile to get the flow correct. But, when I test the connector through the “Try” button, I consistently get a code return of

  "statusCode": 403,
  "data": "{\"error\":\"invalid_grant\",\"error_description\":\"Invalid authorization code\"}"
}

The logs show successful login but a failed exchange of “Invalid Authorization Code” for “All Applications”, so it appears to my untrained eye to be outside of the login to the source system. The dummy user is indeed created and shown as login, so I know something is working. I just can’t seem to grasp what I may have set up wrong. I can provide any and all information, but I would love some assistance if anyone has seen anything like this.

Much appreciated for anyone’s time.

I have run some more testing. I DO get a successful login, but the authorization exchange shows a failure as type “feacft”. Whenever I see that on the support forums, it has to deal with a “Native” client, but this is not a native client. Our main client is M2M (for the time being). I did try creating a native application and enabling it just to see if that would work and it did not. I received the same error. I was wondering if I need to create the “All Applications” client as an OAuth client in the source system, but I cannot find the client secret for “All Applications”. I did create the “All Applications” client in the source system as an OAuth client, but I tried it without a client secret and that did not seem to work either.

I will continue to post here as I find out more information.

I have the exact same problem. Moreover, in my case I also have access to the OAuth2 server logs and I can see in there that Auth0 successfully does a call to exchange the code for a token, then successfully requests user information and then it does NOT try to exchange the code again (which would rightfully produce the invalid code error), but for some reason the invalid code error is shown…

Hi @doug.shontz,

Thank you for posting in Auth0 Community!

Are you still getting this error? If so, can you please answer the following questions?

FYI the code received is one time use only. Are you receiving this after logging in?

  • How are you fetching the authorization code?

  • If this is through the login flow, can you please send me a HAR file in a private message? Please be sure to remove any sensitive data such as client secrets and passwords before sending the file.
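
One way to do the HAR clean-up requested above, added here as an example that is not part of the original post and not Auth0 tooling: it masks secrets, passwords, authorization codes, tokens and cookies in a parsed HAR while keeping the parameter names visible for debugging. The `SENSITIVE` name list and the sample entry are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed list of sensitive names for an OAuth login capture; extend as needed.
SENSITIVE = {"client_secret", "password", "code", "access_token", "refresh_token",
             "id_token", "authorization", "cookie", "set-cookie"}
MASK = "REDACTED"

def scrub_query(qs):
    """Mask sensitive values in a query string or urlencoded form body."""
    pairs = parse_qsl(qs, keep_blank_values=True)
    return urlencode([(k, MASK if k.lower() in SENSITIVE else v) for k, v in pairs])

def scrub_url(url):
    parts = urlsplit(url)
    return urlunsplit(parts._replace(query=scrub_query(parts.query)))

def scrub_pairs(pairs, mask_all=False):
    """Mask HAR name/value lists (headers, queryString, params, cookies)."""
    for p in pairs or []:
        name = p.get("name", "").lower()
        if mask_all or name in SENSITIVE:
            p["value"] = MASK
        elif name in ("location", "referer"):  # redirects carry ?code=... to the callback
            p["value"] = scrub_url(p["value"])

def scrub_har(har):
    """Redact a parsed HAR document in place and return it."""
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        req["url"] = scrub_url(req["url"])
        for msg in (req, resp):
            scrub_pairs(msg.get("headers"))
            scrub_pairs(msg.get("cookies"), mask_all=True)  # cookie names vary, mask all
        scrub_pairs(req.get("queryString"))
        post = req.get("postData") or {}
        scrub_pairs(post.get("params"))
        if "urlencoded" in post.get("mimeType", "") and "text" in post:
            post["text"] = scrub_query(post["text"])
    return har

# Constructed sample (not from the thread): a login POST answered by a redirect with a code.
SAMPLE = {"log": {"entries": [{
    "request": {"url": "https://idp.example/login?state=xyz", "headers": [],
                "cookies": [{"name": "sid", "value": "abc123"}],
                "postData": {"mimeType": "application/x-www-form-urlencoded",
                             "text": "username=doug&password=hunter2"}},
    "response": {"headers": [{"name": "Location", "value":
                 "https://tenant.example/login/callback?code=SplxlOBe&state=xyz"}]}}]}}
```

Response bodies are not inspected here, so review any `response.content.text` fields by hand before sharing the file.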

I will try to put together a test case in the next few workdays. When I didn’t hear back for a number of weeks, I figured the idea was stale and worked somewhat around it. I WOULD like to go back to this approach because, in my mind, this was always a better concept. I will escalate this with my manager to get it back on my plate.

Thanks!
Doug

@doug.shontz I apologize for the huge delay!

I’m happy to assist and hope to hear back from you soon.