Implementing authorization code flow

I’m having trouble implementing this flow. I get to the point where I can browse to my authorization URL, sign in, and see that I’m still unauthorized. This is expected, as I still need to pass my authorization code to the token URL. However, once I get here I try:

curl --request POST --url '' --header 'content-type: application/x-www-form-urlencoded' --data grant_type=authorization_code --data 'client_id=CLIENT_ID' --data client_secret=CLIENT_SECRET --data code=DATACODE --data 'redirect_uri='

to test it on a locally running simple server that just returns a string “foo.” I’ve verified the client ID and secret are correct, but I simply see {"error":"invalid_grant","error_description":"Invalid authorization code"} when I try that curl. Possibly also of note is that I cannot add the openid scope to my API. How can I begin to solve this? Is there more verbose output, or something obvious I’m missing?

I have boiled this down to “not an Auth0 issue,” but rather a Kong issue.
