Fetching OAuth access token returns 400 "invalid_grant"

[stevereinvented]

Title: Fetching OAuth access token returns 400 "invalid_grant"

Issue found of: October 16th, 2024

Endpoint(s):

POST secure.soundcloud.com/oauth/token

Scope(s):

Application uses authorization_code workflow for authentication

Steps to reproduce:

After authorizing via https://secure.soundcloud.com/authorize with params:

client_id=[redacted]
redirect_uri=[http:// URL]
response_type=code
code_challenge=[code challenge]
code_challenge_method=S256
state=[random]

…attempt to obtain an Access Token from https://secure.soundcloud.com/oauth/token with:

code=[code received from authorize]
client_id=[redacted]
client_secret=[redacted]
redirect_uri=[http:// URL]
grant_type='authorization_code'
code_verifier=[base 64 string used to create the code_challenge]

Expected behaviour:

The Access Token is returned as per https://developers.soundcloud.com/docs/api/guide#auth-code

Actual behaviour:

400 {"error":"invalid_grant"}

This had been working until last week (the issue was noticed on Oct 16), and there have been no changes on our our side.

If it's of any relevance, the redirect URL registered is http:// not https:// and that is what is passed, but the site is HTTPS now.

[youssefhassan]

Hey @stevereinvented, the redirect Uri is most probably the reason of this error, can you please share your username and app name so I can update the redirect uri for the application?

[stevereinvented]

Thanks for getting back so quickly, and sorry for the delay my side.

The username is freshnet and the app is "Fresh On The Net Moderator".

[stevereinvented]

@youssefhassan is there an update on this? Still seeing the same error, and the URL still appears unchanged as beginning with http:// in https://soundcloud.com/you/apps. Thanks.

[youssefhassan]

Invalid grant can happen when using a wrong code verifier/code challenge pair
I use this one for validating, make sure to press Calculate Hash as it's not generated automatically