Note: None of the existing 401 Unauthorized threads have been able to solve my issue.
I’m trying to implement the Execute an Authorization Code Grant Flow article on my Nuxt.js application. I’ll explain my situation using the steps of the article:
1. Get the User’s Authorization
I’m able to successfully implement this step, which lets me authenticate my user and redirects me to my callback page with a 'code' parameter included. My request to /authorize?.. uses the following parameters:
I’m using the Management API audience, because I want to be able to have access to it when logged in. I also granted my application (Regular web application) full access to it through the Machine to Machine Application tab within the API. (Checked all scopes).
2. Exchange the Authorization Code for an Access Token
Step 2 includes getting an access token using the 'code' parameter my callback received after authenticating my user. This is my Ajax request for it:
I’m using the exact data that the code block auto generated for me, but it returns a 401 Unauthorized response. The redirect_uri is exactly the redirect_uri passed earlier to /authorize. I have checked every thread related to this response, but none of them have been a solution to my specific situation.
I really have no clue anymore; I couldn’t find anything related to 401 within my logs either.
Your app must be server-side because during this exchange, you must also pass along your application’s Client Secret, which must always be kept secure, and you will have to store it in your client.
It says the Client Secret must always be secure, but when I check my request to /oauth/token through my browser Element Inspect Tool, I can see my Client Secret in plain text… this is the request I see:
Down at the bottom you can see my Client ID & Secret, which the end user would also be able to see. Could there be something wrong with the request? Which might be the cause of the 401 Unauthorized response I get?
Of course you don’t have a token, I don’t think I originally read through this thoroughly enough. Apologies.
That is correct, you are using a flow that is designed for a regular web app/web app that authenticates in the backend.
I have seen people successfully add auth with this module, although I don’t know much about it:
There are some concerns here with management API tokens. If you are requesting management API tokens that are being used in the browser, you are exposing those tokens to the user. Since management API tokens are typically scoped globally for your tenant, that means that the user has a token that can do things like read and write your whole user store. Because of that, tokens requested for SPA or front end apps should adhere strictly to requesting certain permissions.
I’m actually using that module already. Would it be helpful if I shared my project in a Github repository? It only contains a simple login button and a dashboard + callback page.