3

This is the library which I used https://github.com/php-twinfield/

It's an issue when I call the OAuth login. I have completed almost all APIs with username and password, but the client wants it with OAuth. I think there is a problem in the redirectUri. When I call OAuth it always shows:

{
    "success": false,
    "error": "invalid_grant"
}

These are my credentials. The clientId and clientSecret were obtained from the mail and the redirectUri was set from the OpenID Twinfield link. Please correct me if there is anything wrong in the credentials.

clientId : Demorent
clientSecret : /iY7gyWn3Hkdgs4XzUG66SDyPNkk177x3A==
redirectUri : https://www.oauth.client.redirect.uri.com

The code which is used:

public function login(\Illuminate\Http\Request $request)
{
    try {
        // In the $request param all the credentials are given
        $provider    = new \PhpTwinfield\Secure\Provider\OAuthProvider([
            'clientId'     => $request->clientId,
            'clientSecret' => $request->clientSecret,
            'redirectUri'  => $request->redirectUri
        ]);
        // Here pass the authorization code
        $accessToken  = $provider->getAccessToken("authorization_code", ["code" => 'NLA000067']);
        $refreshToken = $accessToken->getRefreshToken();
        $office       = \PhpTwinfield\Office::fromCode("1008");
        $connection   = new \PhpTwinfield\Secure\OpenIdConnectAuthentication($provider, $refreshToken, $office);
        $customerApiConnector = new \PhpTwinfield\ApiConnectors\CustomerApiConnector($connection);
        $result       = $customerApiConnector->get('1008', $office);
        $jsonResponse = JsonResponse::success($result);

    } catch (\SoapFault $e) {
        // SoapFault lives in the global namespace, so it must be fully qualified
        // inside a namespaced controller or the catch block never matches
        $jsonResponse = empty($e->getMessage()) ? JsonResponse::error(class_basename($e)) : JsonResponse::error($e->getMessage());
    }
    return $jsonResponse;
}
halfer

Anand Pandey
  • Can you get any more information from this library? `invalid_grant` may not be enough for readers to go on. Does it write a log file? – halfer Jun 11 '18 at 11:26
  • No, there is only the response. You should have integrated it into Laravel or Lumen. – Anand Pandey Jun 11 '18 at 13:17
  • OK, nevertheless, it still sounds like this is missing information to help you (and readers) debug. Is there a test OAuth server you can connect to, to see what it believes is wrong? It seems you're debugging blind at present, and there must be a way to help you determine what bit is tripping you up. Is your OAuth against Twinfield, or another OAuth provider? – halfer Jun 11 '18 at 13:22

2 Answers

1

To start, invalid_grant is a standard OAuth 2.0 error parameter. Since OpenID Connect is built on OAuth 2.0, it's valid to receive this response. If you check the 5.2 Error Response section, you find the explanation below:

invalid_grant

The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.

As it explains, it could be anything from the redirect URI to the resource owner credentials. But I see an issue with your code related to the authorization code.

    // Here pass the authorization code 
    $accessToken  = $provider->getAccessToken("authorization_code", ["code" =>'NLA000067']);

Are you using a hard-coded authorization_code (NLA000067)? This is wrong. The first step of the Authorization Code grant is to obtain the authorization code. Only then can you perform the token request. You obtain the authorization code from the authorization request, and I don't see you doing that.

If this is the case, the error response you are getting is completely valid. As explained above, invalid_grant results from an invalid authorization code.

P.S. Maybe this link will guide you to correct the issue.

Kavindu Dodanduwa
  • It must be given the office code there and it is 'NLA000067'; please see the link https://github.com/php-twinfield/twinfield/issues/105 – Anand Pandey Jun 14 '18 at 06:11
  • @AnandPandey Are you sure? And did you check the link - https://github.com/thephpleague/oauth2-client#usage ? The authorization code is not a constant! At least that's not how OAuth and OpenID Connect design it to be! – Kavindu Dodanduwa Jun 14 '18 at 06:25
  • Well, I am not sure because I didn't work on that, but it seems like it's given in the example. I follow the example. – Anand Pandey Jun 14 '18 at 06:48
  • @AnandPandey Please follow the example I provided. That's the standard way to follow the OpenID Connect Authorization Code flow. – Kavindu Dodanduwa Jun 14 '18 at 06:53
  • I want to discuss something. Can we chat for now? – Anand Pandey Jun 14 '18 at 07:00
  • Did you see the example given here for OAuth login? See link https://github.com/php-twinfield/twinfield They are the fellow developers who built and have successfully used this library. I made some mistake, which is sure, but don't find the exact issue. – Anand Pandey Jun 14 '18 at 07:05
  • @AnandPandey I'm busy right now. And yes, I saw their example. But still you have to obtain a valid authorization code first. As the library's documentation shows here - https://github.com/thephpleague/oauth2-client#authorization-code-grant - you should have an implementation similar to it. – Kavindu Dodanduwa Jun 14 '18 at 07:53
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/173186/discussion-between-kavindu-dodanduwa-and-anand-pandey). – Kavindu Dodanduwa Jun 15 '18 at 03:42
1

@AnandPandey, follow the steps below

STEP 1:

You first need to build the URL that you would invoke to connect to Twinfield. For doing that you should have the URL as shown below.

https://login.twinfield.com/auth/authentication/connect/authorize?
client_id=Demorent
&client_secret=/iY7gyWn3Hkdgs4XzUG66SDyPNkk177x3A==
&redirect_uri=https://www.oauth.client.redirect.uri.com
&response_type=code
&force_login=0
&scope=openid+twf.user+twf.organisation+twf.organisationUser+offline_access
&state=STATELESS
&nonce=nonce

Note:

1) The redirect_uri needs to be exactly the same as the one you have registered with Twinfield.

2) The scope parameter as shown above should be present, with the same value as given above.

3) Verify your client_id & client_secret.

If all goes fine, you will be shown the Twinfield login page, where you need to log in with your credentials. After successful login you will be redirected to the permission grants page, to basically grant your application access to Twinfield data. Once you click on "Permit" you will be redirected back to the endpoint that you have specified, with the authorization code.

STEP 2:

The next step is to invoke the Twinfield accessTokenUri https://login.twinfield.com/auth/authentication/connect/token with the following headers:

header.add("code",authorizationCodeFromStep1);
header.add("redirect_uri", yourRegisteredRedirectUri);
header.add("grant_type", "authorization_code");
header.add("client_id", "Demorent");
header.add("client_secret", "/iY7gyWn3Hkdgs4XzUG66SDyPNkk177x3A==");

If all the above parameters passed are correct, you will get a response back with id_token, accessToken, refreshToken, token_type and expires_in.
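The two-request flow that both answers describe (Kavindu's point that the code must come from an authorization request before the token request, and the STEP 1 / STEP 2 sequence above), written out as one callback script. This is an added example, not code from the question, from either answer, or from the php-twinfield project. It uses php-twinfield's `OAuthProvider`, which extends league/oauth2-client's `AbstractProvider`, so `getAuthorizationUrl()`, `getState()` and `getAccessToken()` are that base class's methods. Assumptions: the package is installed with Composer, the `TWINFIELD_*` environment variables hold your own values, the callback URL and office code are placeholders to replace with what you registered with Twinfield, and token-endpoint errors such as `invalid_grant` are raised as `IdentityProviderException` (the league base-class behaviour). In this flow the client secret travels only in the step-2 token request; the step-1 URL carries none.

```php
<?php
// Added example (not from the question, the answers or php-twinfield): Authorization
// Code flow with state checking, against php-twinfield's OAuthProvider.
// Assumed: Composer autoload present; TWINFIELD_CLIENT_ID / TWINFIELD_CLIENT_SECRET set;
// the redirectUri and office code below are placeholders for your registered values.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
use PhpTwinfield\Office;
use PhpTwinfield\Secure\OpenIdConnectAuthentication;
use PhpTwinfield\Secure\Provider\OAuthProvider;

session_start();

$provider = new OAuthProvider([
    'clientId'     => getenv('TWINFIELD_CLIENT_ID'),
    'clientSecret' => getenv('TWINFIELD_CLIENT_SECRET'),
    'redirectUri'  => 'https://app.example.invalid/twinfield/callback', // placeholder; must match registration exactly
]);

if (!isset($_GET['code'])) {
    // STEP 1: authorization request. The URL carries client_id, redirect_uri,
    // response_type=code, the provider's default Twinfield scopes, a random state
    // and (for OpenID Connect) a random nonce. The client secret is not part of it.
    $nonce   = bin2hex(random_bytes(16));
    $authUrl = $provider->getAuthorizationUrl(['nonce' => $nonce]);

    // getState() returns the random state the library just embedded in $authUrl.
    // Keep state and nonce server-side so the callback can be verified.
    $_SESSION['oauth2state'] = $provider->getState();
    $_SESSION['oauth2nonce'] = $nonce; // compare with the id_token's nonce claim when validating it (not shown)

    header('Location: ' . $authUrl, true, 302);
    exit;
}

// STEP 2: the browser is back with ?code=...&state=... Refuse the response unless
// the state matches what this session stored; otherwise this endpoint could be made
// to exchange a code it never asked for (login CSRF / code injection).
if (empty($_GET['state']) || empty($_SESSION['oauth2state'])
    || !hash_equals($_SESSION['oauth2state'], $_GET['state'])) {
    unset($_SESSION['oauth2state'], $_SESSION['oauth2nonce']);
    http_response_code(400);
    exit('Invalid OAuth state');
}
unset($_SESSION['oauth2state']);

try {
    // Exchange the single-use code at the token endpoint (server-to-server POST; this
    // is the only request that carries the client secret). invalid_grant surfaces here:
    // a code already used or expired, a redirect_uri differing from step 1, or
    // client credentials that do not belong to the client the code was issued to.
    $accessToken  = $provider->getAccessToken('authorization_code', [
        'code' => $_GET['code'],
    ]);
    $refreshToken = $accessToken->getRefreshToken();
} catch (IdentityProviderException $e) {
    http_response_code(502);
    exit('Token request failed: ' . $e->getMessage());
}

// The refresh token is the long-lived credential: store it encrypted at rest, bound
// to the user, and never in a URL, a log line or client-side storage.
$office     = Office::fromCode('OFFICE_CODE_PLACEHOLDER'); // placeholder office code
$connection = new OpenIdConnectAuthentication($provider, $refreshToken, $office);

// $connection can now be passed to any php-twinfield ApiConnector, e.g.
// new \PhpTwinfield\ApiConnectors\CustomerApiConnector($connection).
```

Deploy the script at the registered redirect URI: the first visit (no `code` query parameter) sends the user to Twinfield, and the return visit performs the exchange. The state check is what makes the two halves belong to the same browser session; without it, an `invalid_grant` is the least of the problems, since any code delivered to this URL would be exchanged blindly.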