Miro oauth api throws error 401 Invalid authorization code


Badge

I want to get a Miro access token programmatically in my application and for that I am following all the steps mentioned in document https://developers.miro.com/docs/getting-started-with-oauth - Getting started with OAuth 2.0 and Miro. While performing step no.3, i.e. exchanging an authorization code for an access token, I constantly get 401 - oauthError - Invalid authorization code: auth_code received in step no.2.


22 replies

Userlevel 5

Hi @Ankush Kulkarni ,

 

Odd that you’re running into this, hopefully we can figure out what is going on! 

Are you able to share with me any code snippets or samples that you are using? Or are you trying to run these commands from a terminal? 

Additionally, can you verify you have the correct clientID, clientSecret, and redirectURI filled in in your app’s settings (https://miro.com/app/settings/user-profile/apps)? 

 

Badge

I have the correct clientID, clientSecret, and redirectURI filled in in your app’s settings.

Below is the HTML code - 

<button mat-flat-button color="accent" (click)="generateAuthLink()">Click to generate Miro authorization request link</button>
<label></label>

 

Userlevel 5

Hi @Ankush Kulkarni 

I’m not able to fully debug what is happening with the code snippet sent - are you able to share a full project?

Badge

@Addison Schultz 

I have no option to send a zip file and code attachment is not working either. It failed multiple times to attach typescript code.

Badge

Angular component and service code - https://codeshare.io/AdJOYe

It gives 401 in getAccessToken method call of service hence not able to get access token to call Miro APIs.

Userlevel 5

Thanks for sharing the code - 
 

Can you help me debug something else? The code variable you have declared/used in the getAccessToken call - What does this evaluate to? 

Can you log this somewhere and let me know?

Badge

Hi @Addison Schultz 

getAccessToken function in service gets called from getAccessToken in miro test component’s getAccessToken method and it passes OAuth 2.0 authorization code received from miro api after user installs and authorizes - https://miro.com/oauth/authorize?response_type=code&client_id={your_client_id}&redirect_uri={your_redirect_uri}

 

Badge

@Addison Schultz I am also facing a similar issue. The APIs keep throwing this error every time I call the endpoint for getting access token using the refresh token stored in the backend. And for some reason the refresh_token keeps updating with every API call for getting the access token (the refresh_token should not change until 60 days are up, right?)

{
  "status": 401,
  "code": "oauthError",
  "message": "Invalid refresh token: <refresh_token>",
  "type": "error"
}

Userlevel 5

@Ankush Kulkarni @HarshitaVishwakarma One thing that may be happening is that you’re regenerating the access and refresh tokens an unnecessary time, making the ones you’re trying to use invalid.

If you regenerate the access token, you’re also regenerating the refresh token as well.

Badge

Hi @Addison Schultz I understand what you said about the refresh token regenerating. Let’s say I store the access_token as well in the backend and update it after it is expired in 60 minutes. When I call the API endpoint to update the access_token using the refresh token, it will again return this response:

{
  "token_type": "bearer",
  "team_id": 3074457358607431700,
  "access_token": "<access_token>",
  "refresh_token": "<refresh_token>",
  "scope": "boards:write boards:read identity:read",
  "expires_in": 3599
}

So are you saying when I do this the refresh_token won’t update as opposed to calling the API every time for getting the access_token? As it is supposed to stay the same for 60 days.

Userlevel 5

So, every time you request a new access token you receive a new access_token and refresh_token pair.

The refresh token is indeed valid for much longer than the access token it’s paired with, but if you request a new access token, the refresh token will also be updated/changed, and the old one will become invalid.

Badge

Okay I get it, then what is the point of mentioning in the docs that the refresh_token does not expire until 60 days are up? Is there another context that this feature can be used in?

Userlevel 5

Yes - The token is valid for 60 days. In cases where the access token is not regenerated, you have a window of 60 days to use this refresh token to get a new access_token.

This can be done without needing the user to “sign back in”.

In cases where they are expired after 60 days, the signin/auth process will need to be initiated again.

Badge

Okay I think I get it now. Thank you for clarifying this.

Badge

@Addison Schultz 

I was not able to get access token even a single time after exchanging authorization code step.

Userlevel 5

@Ankush Kulkarni Are you running into the 401 error every time? I would advise you to try the calls you’re making manually using the returned/generated parameters to make sure that they are working as expected first. I’ve not had issues running through the OAuth setup again, so there might be something in the app you’ve built that is causing incomplete/undefined values to be passed (giving you the 401 error you’re experiencing).

Badge

Hi @Addison Schultz 

I faced another issue with the refresh_token. My colleague, who had not used the App for 2 days, just opened the app and got the same error:

{
  "status": 401,
  "code": "oauthError",
  "message": "Invalid refresh token: <refresh_token>",
  "type": "error"
}

So we had to do some changes in the backend, to enable the authorization procedure to start again so we have a new access_token-refresh_token pair. Seemed like the refresh_token expired just after a few hours.  

Userlevel 5

@HarshitaVishwakarma Did you maybe expire the refresh token yourself? How are you setting/passing it to the Refresh token endpoint? 

Can you log the value to make sure it’s passing it in correctly?

Badge

@Addison Schultz  Yes I have logged the value and it is being passed correctly to the API call. So we set/store the refresh token in the backend for the first time when the user installs and authorizes the app. From then on for every API call to Miro, we fetch the access token by calling this endpoint and update the same at the backend so we always have the updated/new refresh token from every request. But for some reason when the App was opened after 2 days the refresh token didn’t work and we had to re-install and re-authorize the app which involved some changes in the back-end.

Userlevel 2
Badge

@HarshitaVishwakarma -- By any chance, did you generate an access token from the Developer Portal for that same user on that same app during those two days? _Any_ time a new access token is generated, a new refresh token will also be generated. It doesn’t matter whether that was done programmatically in your backend code, or manually in the Developer Portal.
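
The rotation behaviour described in the replies above (every token request returns a new access_token/refresh_token pair and invalidates the old refresh token), as an added TypeScript example that is not from Miro or from any poster: a backend token store that refreshes only near expiry and shares one refresh among concurrent callers. `createTokenStore`, `RefreshCall` and `makeFakeEndpoint` are hypothetical names, and the fake endpoint is constructed sample behaviour standing in for the real HTTP call.

```typescript
// Added example (not Miro's or the posters' code). RefreshCall is a hypothetical
// stand-in for the backend's HTTP request to the refresh-token endpoint.
type TokenPair = { access_token: string; refresh_token: string; expires_in: number };
type RefreshCall = (refreshToken: string) => Promise<TokenPair>;

function createTokenStore(refreshToken: string, refreshCall: RefreshCall, now: () => number = Date.now) {
  let accessToken = "";
  let expiresAt = 0; // epoch ms at which accessToken expires
  let inFlight: Promise<string> | null = null;

  async function rotate(): Promise<string> {
    const pair = await refreshCall(refreshToken);
    // Replace the stored pair as a unit; the old refresh token is now invalid.
    refreshToken = pair.refresh_token;
    accessToken = pair.access_token;
    expiresAt = now() + pair.expires_in * 1000;
    return pair.access_token;
  }

  // Calls the token endpoint only when the cached access token is missing or
  // within 60 s of expiry, instead of before every API request.
  return function getAccessToken(): Promise<string> {
    if (accessToken !== "" && now() < expiresAt - 60000) {
      return Promise.resolve(accessToken);
    }
    // Concurrent callers share one refresh: a second request sent with the
    // same refresh token would be rejected once the first has rotated it.
    let pending = inFlight;
    if (pending === null) {
      const started = rotate();
      const clear = () => { if (inFlight === started) inFlight = null; };
      inFlight = pending = started;
      started.then(clear, clear);
    }
    return pending;
  };
}

// Constructed stand-in for the token endpoint: each refresh token works once.
function makeFakeEndpoint(initial: string) {
  const state = { valid: initial, calls: 0 };
  const call: RefreshCall = async (token) => {
    state.calls += 1;
    if (token !== state.valid) throw new Error("Invalid refresh token");
    state.valid = "rt-" + state.calls;
    return { access_token: "at-" + state.calls, refresh_token: state.valid, expires_in: 3599 };
  };
  return { call, state };
}
```

In a real backend the rotated pair would also be written to persistent storage inside `rotate`, so a restart does not fall back to an already-invalidated refresh token.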

Badge

@Addison Schultz 

I am running into 401 continuously.

I called those API calls manually i.e. calling ‘https://api.miro.com/v1/oauth/token?grant_type=authorization_code’ api in step 3 passing all correct parameters including the returned AUTHORIZATION_CODE from step 2 in the Miro document. PFA.

 

Userlevel 5
Badge +1

Hi @Ankush Kulkarni,

 

Have you taken a look at our written guide and our YouTube video? This might help you understand how the authorization works and how to implement it.
