Exchange code for token flow: 401 Unauthorized "invalid_grant"

[mgoodfellow]

Title: Exchange code for token flow: 401 Unauthorized "invalid_grant"

Issue found of:

Endpoint(s):

• POST /oauth2/token

Scope(s):

• Code retrieved from Connect Flow

Steps to reproduce:

Sporadic, but affects certain users with us repeatedly. Is there any reason a certain user would be unable to use our login flow repeatedly?

Most recent example for us is userId 91742971 - this failure happens on all login attempts with us.

Expected behaviour:

AccessToken provided as per normal response for 99% of users logging in

Actual behaviour:

401
{"error": "invalid_grant"}

[anikarni]

Hey @mgoodfellow , what's the grant type of the request (authorization_code, password, refresh_token...)? And is it the same as with other users?

[mgoodfellow]

Hi @anikarni this is using authorization_code

This is our core authentication code and it processes a significant number of logins daily. It's very strange, but we sometimes get sporadic failures as invalid_grant but normally a user retrying will work successfully.

This particular user above has never been able to login successfully.

From our own investigation, one possible cause of this error is when the code has already been "used", and cannot be exchanged again. In this instance it might be a client side issue (on our site, not SoundCloud's) where we re-request the auth flow on our server and causes this re-use, in turn leading to a failure.

I have not been able to conclusively prove anything, but I just found this particular case interesting as they have never been able to login through any of our portals (mobile or web).

From a API consumer perspective, it would be great to have some more error information as to the possible causes of this error. As a general question however, re-use causes it, but are there any other causes that can be defined to aid in our investigation?

Many thanks for the help!