I’m having trouble implementing this flow. I get to the point where I can browse to my authorization URL, sign in, and see that I’m still unauthorized. This is expected, as I still need to pass my authorization code to the token URL. However, once I get here I try:
curl --request POST --url 'https://MYDOMAIN.auth0.com/oauth/token' --header 'content-type: application/x-www-form-urlencoded' --data grant_type=authorization_code --data 'client_id=CLIENT_ID' --data client_secret=CLIENT_SECRET --data code=DATACODE --data 'redirect_uri=http://0.0.0.0:8000/api/public'
to test it on a locally running simple server that just returns a string “foo.” I’ve verified the client ID and secret are correct, but I simply see {"error":"invalid_grant","error_description":"Invalid authorization code"} when I try that curl. Possibly also of note is that I cannot add the openid scope to my API. How can I begin to solve this? Is there more verbose output, or something obvious I’m missing?
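The code exchange described in the post, as an added example that is not part of the original post: it builds the token request body from the callback URL while enforcing the RFC 6749 rules for authorization codes (single use, `redirect_uri` identical to the authorization request, `state` check). The function name, the `state` value and the sample URLs are assumptions constructed from the post's placeholders.

```python
from urllib.parse import parse_qs, urlencode, urlsplit


class ExchangeError(ValueError):
    """The callback cannot be turned into a valid token request."""


def build_token_request(authorize_url, callback_url, expected_state,
                        client_id, client_secret, used_codes):
    """Return the form body for POST /oauth/token, or raise ExchangeError."""
    sent = parse_qs(urlsplit(authorize_url).query)
    cb = urlsplit(callback_url)
    got = parse_qs(cb.query)

    if "error" in got:
        raise ExchangeError("authorization failed: " + got["error"][0])
    # state ties the callback to the request this client started (CSRF check).
    if got.get("state", [None])[0] != expected_state:
        raise ExchangeError("state mismatch")
    codes = got.get("code", [])
    if len(codes) != 1:
        raise ExchangeError("expected exactly one code parameter")
    code = codes[0]  # parse_qs has already percent-decoded it
    # RFC 6749 4.1.2: a code is single-use; a replay must be rejected.
    if code in used_codes:
        raise ExchangeError("code already redeemed")
    # RFC 6749 4.1.3: reuse the exact redirect_uri from the authorization
    # request, and check the callback arrived there (assumes no query in it).
    redirect_uri = sent.get("redirect_uri", [None])[0]
    if redirect_uri != f"{cb.scheme}://{cb.netloc}{cb.path}":
        raise ExchangeError("redirect_uri differs from authorization request")
    used_codes.add(code)
    return urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
    })


if __name__ == "__main__":
    # Constructed sample URLs using the placeholders from the post.
    authorize = ("https://MYDOMAIN.auth0.com/authorize?response_type=code"
                 "&client_id=CLIENT_ID&state=s1"
                 "&redirect_uri=http%3A%2F%2F0.0.0.0%3A8000%2Fapi%2Fpublic")
    callback = "http://0.0.0.0:8000/api/public?code=DATACODE&state=s1"
    print(build_token_request(authorize, callback, "s1",
                              "CLIENT_ID", "CLIENT_SECRET", set()))
```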