shaqspeare asked

Request an Access Token

[On behalf of: Lurey Solutions]

Hi Amazon

I'm trying to trade an authorization code for an access token.

The application backend is posting to: https://api.amazon.com/auth/o2/token with the following x-www-form-urlencoded parameters:

- code (received via prior redirect/callback)
- grant_type ('authorization_code')
- client_id / client_secret (as per the application created)

However, I get 'invalid_request', "The request is missing a required parameter : redirect_uri" every time. I've read your developer guide for web (https://images-na.ssl-images-amazon.com/images/G/01/lwa/dev/docs/website-developer-guide.TTH.pdf) at least half a dozen times and nowhere does it reference that /o2/token requires a redirect_uri parameter (and anything I try to pass to it still fails). Am I using an outdated version of the SDK/Documentation, or is there something simple I'm overlooking here?

shaqspeare answered
[On behalf of: OmniAuth Amzn T] Yes, you also need to supply the redirect_uri. You can use the same URI you used for the auth code generation.

shaqspeare answered
[On behalf of: Lurey Solutions] But it doesn't actually redirect to the redirect_uri (this is a non-JavaScript client), so I guess I'm just missing why this is required. I'll go ahead and try it later this evening.

shaqspeare answered
Hi, Thank you for bringing this to our attention. We are working on updating the documentation with the correct set of required parameters. The redirect_uri is required to protect users from a specific attack where an attacker has gained control of a particular redirect URI belonging to the developer. You can find details of the attack here: http://tools.ietf.org/html/draft-ietf-oauth-v2-31#section-10.6

shaqspeare answered
We've discovered an issue with the authorization code grant which prevents you from using it with the JavaScript SDK. We are working on a fix and will provide an update when it's available. In the meantime, you can integrate with Login with Amazon using the implicit grant, or switch to generating the request to http://www.amazon.com/ap/oa without the JavaScript SDK. You can find details on how to use this endpoint in the Website Developer Guide.

shaqspeare answered
[On behalf of: Treck] I have the same problem when trying to fetch an access token from an authorization code that was built with the JavaScript SDK previously and then sent to a PHP backend doing the request to https://api.amazon.com/auth/o2/token. redirect_uri seems unnecessary in this context.

shaqspeare answered
[On behalf of: ObjectiveFS] I see the same error when I don't provide the 'redirect_uri' parameter:

error: "invalid_request", error_description: "The request is missing a required parameter : redirect_uri"

But if I add the 'redirect_uri' parameter, the result is:

error: "invalid_grant", error_description: "The request has an invalid grant parameter : redirect_uri"

shaqspeare answered
[On behalf of: ObjectiveFS] It is now working when providing a redirect_uri. Thanks for fixing it so quickly.

shaqspeare answered
I'm glad it's working for you now. We updated the /auth/o2/token endpoint to make redirect_uri required, unless you used the SDK for JavaScript to obtain an authorization code. If you use the SDK for JavaScript to obtain an authorization code, you do not have to send a redirect_uri with your request to obtain an access token. The Website Developer Guide has been updated to reflect this change.

shaqspeare answered
[On behalf of: codeflow] Hi there, I have nearly the same problem, but I get the "invalid_grant" error with the following description: "The request has an invalid grant parameter : code". I'm using the Authorization Code Grant method described in this document: https://images-na.ssl-images-amazon.com/images/G/01/lwa/dev/docs/website-developer-guide.TTH.pdf

On page 20 it says "To request an access token, the client makes a secure HTTP POST to https://www.amazon.com/auth/o2/token with the following parameters:". But I think the HTTP POST should go to https://api.amazon.com/auth/o2/token, right? When I try to send the HTTP POST to https://www.amazon.com/auth/o2/token I always get this XML error:

When I try to send the HTTP POST to https://api.amazon.com/auth/o2/token instead, using Content-Type: application/x-www-form-urlencoded and the following POST elements:

- grant_type (authorization_code)
- code (received via prior redirect/callback)
- client_id / client_secret (as per the application created)
- redirect_uri

I always get the above-mentioned error: "The request has an invalid grant parameter: code"

Any ideas on how to solve this? I'm using PHP to request the token. Thanks in advance and greetings to you Amazon guys :-)
2 comments

+1, need help! {"error_description":"The request has an invalid grant parameter : code","error":"invalid_grant"}

Details:

CLIENT_ID="amzn1.application-oa2-client.91da7f47bc5d4188a...."

CLIENT_SECRET="4870b05df2c9a78a9fa9c4cae...."

CODE="AN...."

GRANT_TYPE="authorization_code"

REDIRECT_URI="http://localhost:9745/authresponse"

curl -X POST --data "grant_type=${GRANT_TYPE}&code=${CODE}&client_id=${CLIENT_ID}&client_secret=${CLIENT_SECRET}&redirect_uri=${REDIRECT_URI}" https://api.amazon.com/auth/o2/token

Levon@Amazon ♦

Please create a new thread, clearly describing what you were trying to do, with what technologies, snippet of code, exact error / logs, and we will investigate. Thanks!

shaqspeare answered
Greetings! Thanks for pointing out the typo in the Website Developer Guide. We've fixed the typo and the new PDF should be uploaded soon. You're right - the correct endpoint is on api.amazon.com. As for the error, the most likely cause of invalid_grant errors related to the authorization code is that the code has already been used in a past request. The gotcha here is that this includes requests which resulted in some error. According to our logs, you have also run into invalid_grant errors related to the redirect_uri. After you fix any bugs, you would need to start the OAuth process again and generate a new authorization code to send to the Amazon endpoint. Also please ensure that you are sending the same redirect_uri used to obtain the authorization code in the first place. I hope this sheds enough light on the potential cause of the error. Let me know if you still run into invalid_grant (for code) after generating a new authorization code.
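Added example, not part of the thread and not Amazon's implementation: a toy token endpoint in Python that models the two behaviours the replies above describe, namely that redirect_uri must match the value used to obtain the code, and that an authorization code is spent by any request that presents it, including one that fails. The class, the `param` field and the client values are constructed for illustration, and client_secret verification is omitted.

```python
import secrets


class TokenEndpoint:
    """Toy token endpoint: codes are single-use and bound to client_id + redirect_uri."""

    REQUIRED = ("grant_type", "code", "client_id", "redirect_uri")

    def __init__(self):
        self._codes = {}  # code -> (client_id, redirect_uri) recorded at authorization time

    def issue_code(self, client_id, redirect_uri):
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, redirect_uri)
        return code

    def exchange(self, form):
        # Consume the code first: any attempt that presents it, failed or not, uses it up.
        bound = self._codes.pop(form.get("code", ""), None)
        missing = [p for p in self.REQUIRED if not form.get(p)]
        if missing:
            return {"error": "invalid_request", "param": missing[0]}
        if form["grant_type"] != "authorization_code":
            return {"error": "unsupported_grant_type", "param": "grant_type"}
        if bound is None or form["client_id"] != bound[0]:
            return {"error": "invalid_grant", "param": "code"}
        if form["redirect_uri"] != bound[1]:  # exact string comparison, no normalisation
            return {"error": "invalid_grant", "param": "redirect_uri"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "bearer"}


def demo():
    ep = TokenEndpoint()
    cid, uri = "client-123", "https://client.example/cb"  # constructed sample values
    base = {"grant_type": "authorization_code", "client_id": cid}
    results = []
    code = ep.issue_code(cid, uri)
    results.append(ep.exchange({**base, "code": code}))  # redirect_uri left out
    results.append(ep.exchange({**base, "code": code, "redirect_uri": uri}))  # code reused
    code = ep.issue_code(cid, uri)
    results.append(ep.exchange({**base, "code": code, "redirect_uri": uri + "/"}))  # mismatch
    code = ep.issue_code(cid, uri)
    results.append(ep.exchange({**base, "code": code, "redirect_uri": uri}))  # fresh code
    return results


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The second call fails even though every parameter is now correct, because the first, incomplete request already consumed the code; only a fresh code with the original redirect_uri yields a token.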