1

I am trying to generate an access and a refresh token using the new Xero authorization via OAuth 2.0 in Postman but the response is always "error": "invalid_client".

I've been following the instructions on https://developer.xero.com/documentation/oauth2/auth-flow, creating the verification code required for generating the access token and using the same client_id which was used for creating the verification code.

Code request:

https://login.xero.com/identity/connect/authorize?response_type=code&client_id=81158066DB8B43A9AEF0DDDCCA627E80&redirect_uri=https://google.com&scope=offline_access openid profile email accounting.transactions&state=123

Response with code:

https://www.google.com/?code=dcc89ab12dcbbbf8490cf5d608c9113fd2a08b89df21cd3083981d9626827130&scope=openid%20profile%20email%20accounting.transactions&state=123&session_state=GntauNK0X33LYCcKjEC4r-lKK9zSuJAPLsYQ14Tc0E8.9c96656e0bb655da4343a4c8e5fa12cb

Access Token request:

POST https://identity.xero.com/connect/token?grant_type=authorization_code&code=dcc89ab12dcbbbf8490cf5d608c9113fd2a08b89df21cd3083981d9626827130&redirect_uri=https://google.com

Headers:

Authorization: "Basic " + base64encode(81158066DB8B43A9AEF0DDDCCA627E80 + ":" + mRbxQuOQ01S8twNg1wxdkwIzrtWN8HGUpYu9wy5kYgFJf2t-)

Content-Type: application/x-www-form-urlencoded

When I use Basic Auth in Postman the response is "error": "unsupported_grant_type".

POST https://identity.xero.com/connect/token?grant_type=authorization_code&code=dcc89ab12dcbbbf8490cf5d608c9113fd2a08b89df21cd3083981d9626827130&redirect_uri=https://google.com

Headers:

Authorization: Basic ODExNTgwNjZEQjhCNDNBOUFFRjBERERDQ0E2MjdFODA6ZE5YY0V2UldqX2YwdVY4X3cyLS1wOTFvZHpOM2doaWN3WnJVM05jUzJjR2VpQVBp

Content-Type: application/x-www-form-urlencoded

Any idea what mistake I am doing?

Martin
  • 11
  • 1
  • 3
  • Have you put the grant_type, code and redirect_uri values in the body of the access token request? – rustyskates Aug 19 '19 at 07:36
  • Can you urgently delete your secret please? Remove it from this post and regenerate it on your app in developer.xero.com/myapps – Adam Moore Aug 19 '19 at 23:06
  • Hi @Martin, I have also try to generate accesstoken, refresh token . always get error like "invalid_client".i tried by passing grant_type, code and redirect_uri values in both body and Adam ways in below also. – Justin Dec 06 '20 at 22:24

2 Answers2

2

If you're using Postman to manually step through the auth flow, here's how you can request an access token :

On the Headers tab add the Authorization header with your encoded client id and secret (like you described) and the set the content type to application/x-www-form-urlencoded headers

Then on the Body tab choose the x-www-form-urlencoded radio button then set the grant_type to authorization_code, set your redirect_url and your code Body

All that said, you should only do this if you're troubleshooting the auth flow. If you just want to make API calls you should just use the OAuth2 helper on the Authorization tab https://learning.getpostman.com/docs/postman/sending_api_requests/authorization/#oauth-20

Adam Moore
  • 371
  • 1
  • 5
0

Can you check that your redirect_uri matches the redirect URI saved against your app, your client id is correct and the scopes are valid ?

VNirav
  • 64
  • 6