Receiving 401 Unauthorized when calling Management API using Authorization Code Grant Flow

Note: None of the existing 401 Unauthorized threads have been able to solve my issue.

I’m trying to implement the Execute an Authorization Code Grant Flow article on my Nuxt.js application. I’ll explain my situation using the steps of the article:

1. Get the User’s Authorization

I’m able to successfully implement this step, which lets me authenticate my user and redirects me to my callback page with a 'code' parameter included. My request to /authorize?... is using the following parameters:

client_id= CLIENT_ID
redirect_uri= CALLBACK_URL
scope=openid profile email

I’m using the Management API audience, because I want to be able to have access to it when logged in. I also granted my application (Regular web application) full access to it through the Machine to Machine Application tab within the API. (Checked all scopes).

2. Exchange the Authorization Code for an Access Token

Step 2 includes getting an access token using the 'code' parameter my callback received after authenticating my user. This is my Ajax request for it:

```javascript
// `request` options as posted; the url was stripped from the post and `code`
// (the value the callback received) is assumed from the article's template
request({
  method: 'POST',
  url: '',
  headers: { 'content-type': 'application/x-www-form-urlencoded' },
  form: {
    grant_type: 'authorization_code',
    client_id: CLIENT_ID,
    client_secret: CLIENT_SECRET,
    code: AUTHORIZATION_CODE,
    redirect_uri: CALLBACK_URL
  }
}, (error, response, body) => console.log(error || `${response.statusCode} ${body}`));
```

I’m using the exact data that the code block auto generated for me, but it returns a 401 Unauthorized response. The redirect_uri is exactly the redirect_uri passed earlier to /authorize. I have checked every thread related to this response, but none of them have been a solution to my specific situation.

I really have no clue anymore, couldn’t find anything related to 401 within my logs either.

What am I missing?
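The exchange in step 2, written as an added example that is not from the thread or from Auth0: the POST to /oauth/token runs in a Node/Nuxt server route so the client secret never reaches the browser, and a non-2xx answer surfaces the token endpoint's `error`/`error_description` body instead of a bare status. `exchangeCodeForToken`, `makeFakeTokenEndpoint`, the injectable `fetchImpl` and every value below are assumptions; the fake endpoint only models the two checks the thread talks about (secret and byte-for-byte `redirect_uri` match).

```javascript
// Added example: server-side authorization-code exchange (hypothetical helper).
// fetchImpl is injectable so the function can be exercised offline against a
// fake transport; in a real route the second argument is omitted.
async function exchangeCodeForToken(
  { domain, clientId, clientSecret, redirectUri, code },
  fetchImpl = globalThis.fetch,
) {
  // redirect_uri must equal, byte for byte, the value sent to /authorize
  const body = new URLSearchParams({
    grant_type: 'authorization_code',
    client_id: clientId,
    client_secret: clientSecret, // only ever read from server-side config
    code,
    redirect_uri: redirectUri,
  });
  const res = await fetchImpl(`https://${domain}/oauth/token`, {
    method: 'POST',
    headers: { 'content-type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  });
  const text = await res.text();
  if (!res.ok) {
    // Keep the OAuth error body: that is what says *why* it was a 401
    let detail = text;
    try {
      const j = JSON.parse(text);
      detail = `${j.error}: ${j.error_description}`;
    } catch {}
    throw new Error(`token endpoint returned ${res.status}: ${detail}`);
  }
  return JSON.parse(text);
}

// Constructed fake /oauth/token transport: accepts the request only when the
// client secret matches and redirect_uri equals the registered callback.
function makeFakeTokenEndpoint({ expectedSecret, registeredRedirect }) {
  return async (url, init) => {
    const p = new URLSearchParams(init.body);
    const ok =
      p.get('grant_type') === 'authorization_code' &&
      Boolean(p.get('code')) &&
      p.get('client_secret') === expectedSecret &&
      p.get('redirect_uri') === registeredRedirect;
    const payload = ok
      ? { access_token: 'constructed.access.token', token_type: 'Bearer', expires_in: 86400 }
      : { error: 'access_denied', error_description: 'Unauthorized (constructed)' };
    return { ok, status: ok ? 200 : 401, text: async () => JSON.stringify(payload) };
  };
}

// Demo against the fake transport with constructed values
const demoFetch = makeFakeTokenEndpoint({
  expectedSecret: 'constructed-secret',
  registeredRedirect: 'http://localhost:3000/callback',
});
exchangeCodeForToken(
  {
    domain: 'example.auth0.com',
    clientId: 'constructed-client-id',
    clientSecret: 'constructed-secret',
    redirectUri: 'http://localhost:3000/callback',
    code: 'constructed-code',
  },
  demoFetch,
)
  .then((t) => console.log('token type:', t.token_type))
  .catch((e) => console.error(e.message));
```

The useful part when debugging a 401 is the thrown message: a mismatched secret, an already-used code or a `redirect_uri` that differs by a trailing slash all come back as distinct `error_description` texts from a real token endpoint, which a bare status code hides.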

Hi @acdeux,

Can you take a look at the token and show us an example of what is in it (just exclude sensitive data)? You can use to debug it.

You can also dm it to me if you would like to keep it more private.

Let me know,

@dan.woda I don’t receive the access token because of the 401 Unauthorized error.

But if you mean the code parameter the callback receives, it’s something like QSq_1YtmcDEnspV_.

@dan.woda could this be the issue?

Quoting the following from related to the Authorization Code flow:

Your app must be server-side because during this exchange, you must also pass along your application’s Client Secret, which must always be kept secure, and you will have to store it in your client.

It says the Client Secret must always be secure, but when I check my request to /oauth/token through my browser Element Inspect Tool, I can see my Client Secret in plain text… this is the request I see:

Down at the bottom you can see my Client ID & Secret, which the end user would also be able to see. Could there be something wrong with the request? Which might be the cause of the 401 Unauthorized response I get?

Hi @acdeux,

Of course you don’t have a token, I don’t think I originally read through this thoroughly enough. Apologies.

That is correct, you are using a flow that is designed for a regular web app/web app that authenticates in the backend.

I have seen people successfully add auth with this module, although I don’t know much about it:

There are some concerns here with management API tokens. If you are requesting management API tokens that are being used in the browser, you are exposing those tokens to the user. Since management API tokens are typically scoped globally for your tenant, that means that the user has a token that can do things like read and write your whole user store. Because of that, tokens requested for SPA or front end apps should adhere strictly to requesting certain permissions.
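A way to check the concern raised above, as an added example that is not from the thread or from Auth0: decode the payload of an access token (inspection only, no signature verification) and flag one that a browser should never hold, namely an `aud` of the tenant's Management API (`https://{domain}/api/v2/`) combined with scopes beyond the `*:current_user*` ones. `inspectAccessToken`, the helpers and both sample tokens are constructed assumptions; the samples are unsigned and exist only so the check runs offline.

```javascript
// Added example: flag Management API tokens that carry tenant-wide scopes
// (hypothetical helpers; tokens are decoded, not verified).
function base64UrlDecode(s) {
  const pad = '='.repeat((4 - (s.length % 4)) % 4);
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/') + pad, 'base64').toString('utf8');
}

function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj))
    .toString('base64')
    .replace(/=+$/, '')
    .replace(/\+/g, '-')
    .replace(/\//g, '_');
}

function inspectAccessToken(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    // Opaque tokens (no Management API audience requested) are not JWTs
    return { jwt: false, managementAudience: null, riskyScopes: [], unsafeInBrowser: false };
  }
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  const audiences = [].concat(payload.aud || []); // aud may be a string or array
  const scopes = (payload.scope || '').split(' ').filter(Boolean);
  const managementAudience = audiences.find((a) => /\/api\/v2\/$/.test(a)) || null;
  // Any verb:resource scope that is not limited to the current user reaches
  // across the tenant (read:users, update:users, ...)
  const riskyScopes = scopes.filter((s) => /^[a-z_]+:/.test(s) && !/:current_user/.test(s));
  return {
    jwt: true,
    managementAudience,
    riskyScopes,
    unsafeInBrowser: managementAudience !== null && riskyScopes.length > 0,
  };
}

// Constructed samples (unsigned): one tenant-wide token, one user-scoped token
const HEADER = base64UrlEncode({ alg: 'RS256', typ: 'JWT' });
const sampleTenantWideToken = `${HEADER}.${base64UrlEncode({
  iss: 'https://example.auth0.com/',
  sub: 'auth0|constructed',
  aud: ['https://example.auth0.com/api/v2/', 'https://example.auth0.com/userinfo'],
  scope: 'openid profile email read:users update:users delete:users',
  exp: 1700000000,
})}.constructed-signature`;
const sampleUserScopedToken = `${HEADER}.${base64UrlEncode({
  iss: 'https://example.auth0.com/',
  sub: 'auth0|constructed',
  aud: ['https://example.auth0.com/api/v2/', 'https://example.auth0.com/userinfo'],
  scope: 'openid profile email read:current_user update:current_user_metadata',
  exp: 1700000000,
})}.constructed-signature`;

console.log(inspectAccessToken(sampleTenantWideToken));
console.log(inspectAccessToken(sampleUserScopedToken));
```

Run the check on whatever token the front end actually ends up storing: if `unsafeInBrowser` is true, the grant to the application in the Management API's Machine to Machine tab is handing the whole user store to anyone who can open the browser's devtools, and the fix is to narrow the granted scopes rather than to hide the token.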

Hi @dan.woda ,

I’m actually using that module already. Would it be helpful if I shared my project in a Github repository? It only contains a simple login button and a dashboard + callback page.

It’s been almost a week without any progress.

Sure, I’ll see if I can get it running.

Thanks @dan.woda. I created a minimal reproduction of my situation which can be found here:

Included the .env on purpose, it might be helpful. Appreciated your help.

Ended up working out the resolution in a DM.