• I am manually submitting a POST request for a token with POSTMAN and getting the following error:

    {
      "error": "redirect_uri_mismatch",
      "error_description": "The redirect URI is missing or do not match",
      "error_uri": "https://tools.ietf.org/html/rfc6749#section-4.1.3"
    }

    I do not understand why the code is checking for redirect_uri when I am clearly posting to /oauth/token. I see the code doing that in validateRequest inside AuthorizationCode.php, and it seems wrong.

    Could the plugin author tell me what I may be doing wrong? Thank you

Viewing 14 replies - 1 through 14 (of 14 total)
    Thread Starter therealgilles

    (@chamois_blanc)

    Okay, read the oauth2 doc, and apparently redirect_uri must be added to the token request. It would be great if the plugin author could update the knowledge base article here with this info:

    https://wp-oauth.com/kb/using-authorization-code/

    Thank you

    Plugin Author Justin Greer

    (@justingreerbbi)

    Hi @chamois_blanc

    Thanks for the input. Just for any future references, the redirect_uri is optional if there is a redirect uri assigned for the client in the settings. This is how OAuth 2.0 is designed and specified. The term for this process is “Dynamic Configuration”.

    You can find more details by checking out https://tools.ietf.org/html/draft-ietf-oauth-v2-31#section-3.1.2.3. OAuth 2.0 is complicated so if you have any questions please let me know.

    I have taken note of the situation and will investigate where I can improve the documentation to ensure you and future developers have an easier path.

    Thread Starter therealgilles

    (@chamois_blanc)

    Hi Justin,

    You are saying that if I do not provide a request_uri in the authorization request, the server will use the one associated with the client ID, and then I won’t have to provide it again when asking for the token. Okay I think that makes sense.

    Thank you for the explanation!

    Thread Starter therealgilles

    (@chamois_blanc)

    After successfully getting the access token, I am not able to successfully make a WP REST API get request. I always get 401 unauthorized errors.

    I am adding the access token to the Authorization header as ‘Bearer <access_token>’.

    I have the ‘Application Passwords’ plugin installed and I am able to make REST API accesses with it (it uses an access token with ‘Basic <access_token>’ authorization).

    Is there more I am supposed to do?

    Thread Starter therealgilles

    (@chamois_blanc)

    I should mention that my server is in development stage and running on localhost. Would using https instead of http make a difference? I guess I will try this next.

    Thread Starter therealgilles

    (@chamois_blanc)

    Tried https and no difference. I am not providing a scope, so I am getting ‘basic’. Should I be providing a different scope?

    Thread Starter therealgilles

    (@chamois_blanc)

    Okay turns out it was an .htaccess problem. I had to add the rewrite rule:

    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

    Okay last question: I am surprised the server does not create its own authorization page. Am I supposed to create it? do you have a template for it?

    Thank you

    Plugin Author Justin Greer

    (@justingreerbbi)

    A custom authorization page is something that we were going to add (and still plan to add) but we found that an “auto authorize” approach was simpler for most people. Due to the lack of demand for the authorization page we never moved forward with the feature.

    With this said, I have added it to our tracking system for a future release.

    Thread Starter therealgilles

    (@chamois_blanc)

    Thank you for the response. My oauth2 servers have an authorization page for UX reasons. I think it’s great to tell users what they are authorizing. It’s also confusing to see a redirect with a blank page, so it would be great if the authorization page had something on it, even when authorization does not need to be granted again (because the user is already logged in and has authorized previously).

    Yet another question: do you have an example of a token refresh request?

    Thank you for your prompt responses, very much appreciated.

    Thread Starter therealgilles

    (@chamois_blanc)

    I am trying to follow this knowledge base article: https://wp-oauth.com/kb/using-the-refresh-token/

    But I get the following error (using Postman):

    {
      "error": "invalid_grant",
      "error_description": "The authorization code has expired"
    }

    I have just gotten the access token, so there is no way the refresh token could have expired.

    Thread Starter therealgilles

    (@chamois_blanc)

    Now getting the following error (when using Postman):

    {
      "error": "invalid_request",
      "error_description": "The grant type was not specified in the request"
    }

    Okay I see I put the parameters in the query, instead of body. My bad.
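An offline model of the token-endpoint checks behind the errors in this thread, added here as an example (it is not WP OAuth Server's code): it applies the RFC 6749 section 4.1.3 redirect_uri rule Justin describes above, and it reads parameters only from the POST body, so parameters left in the query string produce the missing grant_type error. The client id, authorization codes and token value are constructed sample data.

```python
from urllib.parse import parse_qs

# Constructed sample data: two authorization codes issued to client "abc123",
# each remembering whether the authorization request carried a redirect_uri.
CODES = {
    "code-with-uri": {"client_id": "abc123", "redirect_uri": "https://app.example.test/cb"},
    "code-no-uri": {"client_id": "abc123", "redirect_uri": None},
}

def token_request(body, query=""):
    """Model the token endpoint's checks for a POST /oauth/token request.

    Only the application/x-www-form-urlencoded body is consulted; the query
    string is accepted but deliberately ignored, which is why parameters sent
    there make the server report that grant_type was not specified."""
    params = {k: v[0] for k, v in parse_qs(body).items()}
    grant = params.get("grant_type")
    if grant is None:
        return {"error": "invalid_request",
                "error_description": "The grant type was not specified in the request"}
    if grant == "authorization_code":
        return _redeem_code(params)
    # Any other grant (e.g. refresh_token) is rejected, as the free plugin does.
    return {"error": "unsupported_grant_type",
            "error_description": f'Grant type "{grant}" not supported'}

def _redeem_code(params):
    code = CODES.get(params.get("code"))
    if code is None or code["client_id"] != params.get("client_id"):
        return {"error": "invalid_grant", "error_description": "Invalid authorization code"}
    # RFC 6749 section 4.1.3: redirect_uri is required at the token endpoint,
    # and must match by exact string comparison, only when the authorization
    # request included one. If the client's registered URI was used instead,
    # the parameter may be omitted (the "dynamic configuration" case above).
    bound_uri = code["redirect_uri"]
    if bound_uri is not None and params.get("redirect_uri") != bound_uri:
        return {"error": "redirect_uri_mismatch",
                "error_description": "The redirect URI is missing or do not match",
                "error_uri": "https://tools.ietf.org/html/rfc6749#section-4.1.3"}
    return {"access_token": "constructed-access-token", "token_type": "Bearer"}
```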

    Thread Starter therealgilles

    (@chamois_blanc)

    If I put the fields in the POST request body, I get this error now:

    {
      "error": "unsupported_grant_type",
      "error_description": "Grant type \"refresh_token\" not supported"
    }

    Thread Starter therealgilles

    (@chamois_blanc)

    If I need to purchase the pro version to get refresh token to work, then I am fine with that, but you should advertise as such. Right now, the plugin page says the following:

    SUPPORTED GRANT TYPES

    Authentication Code
    NOTE: WP OAuth Server Pro Supports all grant types including:

    Auth Code
    Client Credentials
    User Credentials
    Implicit Flow
    OpenID Code
    OpenID Implicit

    There is no mention of refresh token at all. Please advise.

    Plugin Author Justin Greer

    (@justingreerbbi)

    We will be sure to include the refresh token grant type in the readme with the next release. Thank you for making the suggestion to better the plugin.

  • The topic ‘Problem getting token with authorization_code grant type’ is closed to new replies.