shaqspeare asked

401 invalid_client error but code, client ID, and secret are correct

[On behalf of: Infofinity] Hi there. I am using the Authorization Code Grant feature. After Amazon redirects back to my app, I get the "code" query parameter and I call https://api.amazon.com/auth/o2/token. This used to work fine but I just tried it again after some time and now I'm getting a 401 error. Here is the request and response from the Java HTTP library. I have removed some parts that I thought might be bad to put into a public forum, but Amazon support can email me directly and I will provide details.

Request:

2014-01-08 18:30:16,494 DEBUG http-apr-8081-exec-2 >> "POST /auth/o2/token HTTP/1.1\r\n"
2014-01-08 18:30:16,499 DEBUG http-apr-8081-exec-2 >> "Authorization: Basic REMOVED FOR PRIVACY==\r\n"
2014-01-08 18:30:16,499 DEBUG http-apr-8081-exec-2 >> "Content-Type: application/x-www-form-urlencoded\r\n"
2014-01-08 18:30:16,499 DEBUG http-apr-8081-exec-2 >> "Content-Length: 272\r\n"
2014-01-08 18:30:16,500 DEBUG http-apr-8081-exec-2 >> "Host: api.amazon.com\r\n"
2014-01-08 18:30:16,501 DEBUG http-apr-8081-exec-2 >> "Connection: Keep-Alive\r\n"
2014-01-08 18:30:16,501 DEBUG http-apr-8081-exec-2 >> "User-Agent: Apache-HttpClient/4.2.5 (java 1.5)\r\n"
2014-01-08 18:30:16,501 DEBUG http-apr-8081-exec-2 >> "\r\n"
2014-01-08 18:30:16,502 DEBUG http-apr-8081-exec-2 >> "redirect_uri=REMOVED FOR PRIVACY&client_id=REMOVED FOR PRIVACY&code=REMOVED FOR PRIVACY&client_secret=REMOVED FOR PRIVACY&grant_type=authorization_code"

Response:

2014-01-08 18:30:16,617 DEBUG http-apr-8081-exec-2 << "HTTP/1.1 401 Unauthorized\r\n"
2014-01-08 18:30:16,618 DEBUG http-apr-8081-exec-2 << "Date: Wed, 08 Jan 2014 18:30:16 GMT\r\n"
2014-01-08 18:30:16,618 DEBUG http-apr-8081-exec-2 << "x-amzn-RequestId: eba87152-7892-11e3-ac03-7fbac479a6ba\r\n"
2014-01-08 18:30:16,620 DEBUG http-apr-8081-exec-2 << "x-amzn-ErrorType: OA2InvalidClientException: http://internal.amazon.com/coral/com.amazon.panda/rn"
2014-01-08 18:30:16,620 DEBUG http-apr-8081-exec-2 << "x-amzn-Remapped-WWW-Authenticate: Basic realm=" https://api.amazon.com/auth/o2/token",error="invalid_client", error_description="Client authentication failed"\r\n"
2014-01-08 18:30:16,621 DEBUG http-apr-8081-exec-2 << "Content-Type: application/json\r\n"
2014-01-08 18:30:16,621 DEBUG http-apr-8081-exec-2 << "Content-Length: 77\r\n"
2014-01-08 18:30:16,621 DEBUG http-apr-8081-exec-2 << "Vary: Accept-Encoding,User-Agent\r\n"
2014-01-08 18:30:16,621 DEBUG http-apr-8081-exec-2 << "\r\n"
2014-01-08 18:30:16,622 DEBUG http-apr-8081-exec-2 << "{"error":"invalid_client","error_description":"Client authentication failed"}"

Thanks.
login with amazon

shaqspeare answered
Hi Infofinity, I checked the logs for your requests and the client_id and client_secret passed in do not match our records for your assigned client_id and client_secret. Can you verify that you're using the client_id and client_secret found on the App Console where you registered your application?

shaqspeare answered
[On behalf of: Infofinity] Hi Joseph, Thank you for checking. Very interesting. I had double checked but I just triple checked and I don't see any incorrectness. I went to Seller Central, clicked on my application. The Allowed JavaScript Origins and Allowed Return URLs match the domain I'm coming from. Under Web Settings, I took the "Client ID" and I matched it to the client_id in my request. I also clicked Show secret and I matched that to the client_secret in my request. I made sure there's no white space or weird characters at the beginning and end and they match character for character (and in case). Also, as mentioned, this used to work fine. Should I try to regenerate the app or something? Thanks

shaqspeare answered
Hi, Could you send a code snippet where you're setting the client_id and secret on the request to lwa-support@amazon.com? You can pull the client_secret out for security purposes.

shaqspeare answered
[On behalf of: Infofinity] User error :-) If you notice in my original posting, I had an Authorization request header for basic auth. This is because our client library was used for some other calls that required basic auth, but this was confusing Amazon. I removed that line and now it works fine. It would be useful if Amazon clarified in the error code if the client_id/client_secret were wrong or if the basic auth was wrong (I'm guessing Amazon is supporting basic auth for this call?) Thanks for your help.
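
The failure resolved in this thread, a leftover Basic header sent alongside client_id/client_secret in the form body, can be caught before the request leaves the application; RFC 6749 section 2.3 forbids using more than one client authentication method in a request. The following check is an added example, not code from the thread or from Amazon: it parses an outgoing wire log in the format posted in the question and reports which methods the request carries. The log, client names and secrets are constructed, and `parse_wire_log` and `audit_client_auth` are hypothetical names.

```python
import base64
import re
from urllib.parse import parse_qs

# Constructed sample in the wire-log format of the question; all credentials are made up.
BASIC = base64.b64encode(b"other-service:hunter2").decode()
SAMPLE_LOG = rf'''
18:30:16,494 DEBUG exec-2 >> "POST /auth/o2/token HTTP/1.1\r\n"
18:30:16,499 DEBUG exec-2 >> "Authorization: Basic {BASIC}\r\n"
18:30:16,499 DEBUG exec-2 >> "Content-Type: application/x-www-form-urlencoded\r\n"
18:30:16,501 DEBUG exec-2 >> "\r\n"
18:30:16,502 DEBUG exec-2 >> "client_id=example-client&code=abc&client_secret=s3cret&grant_type=authorization_code"
'''

WIRE = re.compile(r'>> "(.*)"\s*$')  # outgoing lines only; "<<" lines are responses


def parse_wire_log(log):
    """Split the outgoing side of a wire log into (headers, body)."""
    lines = [m.group(1) for m in map(WIRE.search, log.splitlines()) if m]
    lines = [l.replace("\\r\\n", "") for l in lines]  # the log prints CRLF literally
    blank = lines.index("")                           # empty line ends the headers
    headers = dict(l.split(": ", 1) for l in lines[1:blank])  # lines[0] is the request line
    return {k.lower(): v for k, v in headers.items()}, "".join(lines[blank + 1:])


def audit_client_auth(headers, body):
    """Return (methods, findings) for a request bound for the token endpoint."""
    methods = {}
    scheme, _, value = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "basic":
        try:
            userpass = base64.b64decode(value, validate=True).decode("utf-8")
        except ValueError:  # bad base64 or bad UTF-8
            userpass = ""
        methods["basic_header"] = userpass.partition(":")[0]  # identifier only, never the secret
    form = parse_qs(body, keep_blank_values=True)
    if "client_secret" in form:
        methods["request_body"] = form.get("client_id", [""])[0]
    findings = []
    if len(methods) > 1:
        findings.append("two client authentication methods in one request")
        if methods["basic_header"] != methods["request_body"]:
            findings.append("Basic header names a different client than the body")
    return methods, findings


if __name__ == "__main__":
    print(audit_client_auth(*parse_wire_log(SAMPLE_LOG)))
```

Running the same audit in a test or a request interceptor flags a shared HTTP client that still attaches credentials meant for another service.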