Solved

Invalid_Client error when trying to get a token


Badge

We use https://[tenant].acumatica.com/identity/connect/authorize to get an authorization code, which works fine. Then we call the
https://[tenant].acumatica.com/identity/connect/token
endpoint with the params below:
grant_type: authorization_code
client_id: [client id]
client_secret: [client secret]
code: (the value from "code" query parameter from the first request response)
redirect_uri: https://[local].ngrok.io/accumatica/access-token

We get a bad request with error message:

{
"error": "invalid_client"
}

What could be the reason?


Best answer by ericyz 26 July 2022, 17:06


12 replies

Userlevel 3
Badge +2

If you have checked the obvious causes like typos in the client_id and secret, and confirm you are following the correct OAuth flow, documented in the Acumatica reference (which I think you already have), the only other thing I have seen is that the connected application has an incorrect flow configured. Check it’s set like this:

 

Badge

I checked for typos, encoded the URL for the @ sign in the client id but still the same result… I made sure I use the Authorization Code flow. Strange thing is /identity/connect/authorize call works with the same client id - /identity/connect/token call gives the client_id error and no matter what I put or don't put in client ID I always get this error.

Userlevel 3
Badge +2

Could you share the Postman console output of the /identity/connect/authorize call? Just redact the secret but leave the client_id and other values please.

Badge

Here is the authorize request, the redirect URI receives the code - the result body is from our test web app

will paste /identity/connect/token call after this - 

 

Added the authorization code I received from first call

 

Userlevel 3
Badge +2

Your token request should look like this:

Note the values are in the body, Content-Type header is set to “application/x-www-form-urlencoded” and you need to send grant_type, redirect_uri and code (which is the one you got from the authorize call) along with your client_id and secret.

I don’t think it will be easy to get the code the way you are calling the endpoints directly. For the Authorization code flow, you need to actually open the authorize URL in the browser so the user can log in and grant authorization to the client, then Acumatica will call the redirect URL with the code as a query parameter:

You can test this flow by configuring Postman in its built-in authorization section. Postman handles this directly, opens the URL and then reads the code that is sent to its internal redirect URL. It then calls the token endpoint setting the client credentials and the received code.


If you need to get a token without showing a login window to the user, you can use the Resource Owner Password Credentials Flow instead.

That flow returns a token directly as a response to the request, but it’s linked to a user session so you should be careful to log out after you have finished using the API and reuse connections to avoid reaching the instance’s limit.

Badge

We tried all the suggestions but still have the same error. Whether we do it from Postman or via code we still get the “invalid_client” error. We are not concerned with the browser redirect and we are ok with it. Just need to get past this error as we have a ton of work to do for integration.

Any other suggestions?

Userlevel 3
Badge +2

What I suggested are the correct and standard authentication flow steps. If you need to use that type of flow I have no other ideas but to troubleshoot each step.

If you share the complete capture of each request and its response (either in this thread or in a direct message) I could take a look and give you some more pointers based on what I see there.

Badge

Thank you Marco, I sent you a private message

Userlevel 7
Badge

Hi @ericyz - were you able to find a solution for your issue? Thank you!

Badge

Yes, Chris. The issue was we need to use the same redirect URI for both the authorization code request and the token request. Acumatica should work on providing better error messages though. We found the error the hard way.

Hi, I’m running into a similar issue when using the Python Requests library. I tried following the steps above, but I’m still running into issues retrieving the Access and Refresh Token. I am able to get this to work with Postman using the same parameters.

 

 

I was able to figure it out. Sharing the correct code for others that might need it. I needed to set the payload dictionary to the data parameter.
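As an added example (not code from this thread or from Acumatica), the sketch below checks the two points the thread ended on before any request is sent: the token payload must carry the same `redirect_uri` (and `client_id`) as the authorize request, and the parameters must travel as a form-encoded body. The host, client id, helper names and all values are constructed placeholders, and the request is built with the standard library rather than sent.

```python
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request

# Constructed placeholders: not a real tenant, client or secret.
TOKEN_URL = "https://tenant.example/identity/connect/token"
AUTHORIZE_URL = (
    "https://tenant.example/identity/connect/authorize"
    "?response_type=code&client_id=ABC%40Company"
    "&redirect_uri=https%3A%2F%2Fapp.example%2Foauth%2Fcallback"
)
REQUIRED = ("grant_type", "client_id", "client_secret", "code", "redirect_uri")


def check_token_params(authorize_url, payload):
    """List mismatches between the token payload and the authorize request."""
    problems = [f"missing {key}" for key in REQUIRED if not payload.get(key)]
    if payload.get("grant_type") not in (None, "", "authorization_code"):
        problems.append("grant_type must be authorization_code")
    # parse_qs percent-decodes, so compare against raw (un-encoded) payload values.
    sent = parse_qs(urlsplit(authorize_url).query)
    for key in ("client_id", "redirect_uri"):
        original = sent.get(key, [None])[0]
        if payload.get(key) and payload[key] != original:
            problems.append(f"{key} differs from authorize request")
    return problems


def build_token_request(authorize_url, payload):
    """Build (without sending) the form-encoded POST for the token endpoint."""
    problems = check_token_params(authorize_url, payload)
    if problems:
        raise ValueError("; ".join(problems))
    # urlencode percent-encodes each value exactly once ('@' becomes %40).
    body = urlencode(payload).encode("ascii")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return Request(TOKEN_URL, data=body, headers=headers, method="POST")
```

With the Requests library, passing the same dictionary as `data=` to `requests.post` produces this form-encoded body and header.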

 
