Vikram Bansal asked

Getting malformed request with authorization code grant

My URL looks like this https://api.amazon.com/auth/o2/token?grant_type=authorization_code&code=ANafda..&client_id=amzn1.application-oa2-client.fafda....client_secret=ca3838ald...

I am constructing parameters and sending request like this:

httpRequest.onreadystatechange = receivedResponse;
var grantType = 'grant_type=authorization_code';
var code = '&code=' + encodeURIComponent(responsecode);
var clientIDparam = '&client_id=' + encodeURIComponent(clientId);
//var redirectURI = '&redirect_uri=http://localhost:8000'
var clientSecret = '&client_secret=' + encodeURIComponent('afda...');
var requestURI = 'https://api.amazon.com/auth/o2/token?' + grantType + code + clientIDparam + clientSecret;

httpRequest.open('POST', requestURI, false);
httpRequest.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
// httpRequest.setRequestHeader("Access-Control-Allow-Origin", "*");
httpRequest.send(); 

My request always fails with the following response:

{"error_description":"Malformed request","error":"invalid_request"}

HTTP 400

Not sure what is wrong. Could anyone help?

Thanks,

Vikram

web apps
Levon@Amazon answered

Hi there,

Thanks for posting! There is not enough info to help you. What are you trying to do? What kind of app is this? What technologies, SDKs, APIs are you using? Describe your use case in more detail. Thanks!

Shivam Gupta answered

Hey Levon@Amazon! I am facing somewhat the same issue here.

For reference: https://developer.amazon.com/docs/login-with-amazon/authorization-code-grant.html

I am in the process of using the Skill Management API. I have successfully generated the "Authorization Code" from the user with proper scopes, using the web client JavaScript SDK. But in order to generate the access_token from that "auth code", I am passing my "auth code" to my local backend server "localhost:3000" and using the code below to get the accessToken.

My backend is written in Node.js.

var data = `grant_type=authorization_code&code=${auth_code}&client_id=${client_id}&client_secret=${client_secret}`
var requestParams = {
  uri: 'https://api.amazon.com/auth/o2/token?' + data,
  method: 'POST',
  headers: {
    'Content-Type': ' application/x-www-form-urlencoded;charset=utf-8'
  }
}
request(requestParams, function(err, resp, json) {
  console.log(err)
  console.log(resp)
  console.log(json)
  cb(null)
})

And I am getting the response:
{"error_description":"Malformed request","error":"invalid_request"}

As you can see from my "https://sellercentral.amazon.com/gp/homepage.html" portal, I am not using any "redirect_uri".

Please help!


sketch1.png (28.5 KiB)
Levon@Amazon answered
3 comments

What worked for me is to remove the URL parameters and replace them with form data in the body. Now I can get the access token. I should also add that this should probably be included in the documentation.

2 Likes 2 ·

Can you post your request code? I'm having the same problem.

0 Likes 0 ·

None of the links you provided contain a real solution to the problem stated. 1- This person used a POST. 2- This is a web app, not iOS or Android, so the code_verifier is not needed. 3- The redirect_uri is not needed either because it's JavaScript. 4- The body is empty so the Content-Length must be zero. 5- Headers seem good.

I'm getting the same issue and I checked all these things as well. I also looked at other postings on this forum. This error message is super cryptic and we can't look at the log files. I'm very frustrated by this.

1 Like 1 ·
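
The fix reported in the comments above (parameters moved out of the URL and into the form-encoded POST body) can look like this on a Node.js backend. This is an added example, not code posted by anyone in the thread; `buildTokenRequest` and `exchangeCode` are hypothetical names, and Node.js 18+ with the global `fetch` is assumed.

```javascript
// Added example: token request for the authorization code grant with the
// parameters in the form-encoded POST body instead of the query string.
const TOKEN_ENDPOINT = 'https://api.amazon.com/auth/o2/token'; // URL from the thread

// Build the request without sending it, so it can be inspected in tests.
function buildTokenRequest({ code, clientId, clientSecret, redirectUri }) {
  for (const [name, value] of Object.entries({ code, clientId, clientSecret })) {
    if (typeof value !== 'string' || value.length === 0) {
      throw new TypeError(`${name} must be a non-empty string`);
    }
  }
  // URLSearchParams percent-encodes every value, so '+', '/', '&' or '=' in a
  // code or secret cannot split the body into extra parameters.
  const form = new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    client_id: clientId,
    client_secret: clientSecret,
  });
  // RFC 6749 section 4.1.3: redirect_uri is required only when one was sent
  // in the authorization request.
  if (redirectUri) form.set('redirect_uri', redirectUri);

  return {
    url: TOKEN_ENDPOINT, // no query string, so no code or secret in access logs
    options: {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8' },
      body: form.toString(),
    },
  };
}

// Send the request from the backend; the client secret stays on the server
// and is never shipped to browser JavaScript.
async function exchangeCode(params) {
  const { url, options } = buildTokenRequest(params);
  const resp = await fetch(url, options);
  const json = await resp.json();
  if (!resp.ok) {
    // Report only the error fields, never the request body with the secret.
    throw new Error(`token request failed: ${resp.status} ${json.error}: ${json.error_description}`);
  }
  return json; // holds access_token on success
}
```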