I get Bad Request response from OAuth


Trying to obtain OAuth token from Mattermost, I get 400 Bad Request

Steps to reproduce

I have successfully sent a GET request to /oauth/authorize with response_type=code, client_id, redirect_url. Mattermost has called me back at the redirect_url, and sent a code in its GET request.

Then I POSTed to /oauth/authorize with a JSON object, but received a 400 Bad Request instead of the token information I expected. See log below.

Expected behavior

See above

Observed behavior

	Sent -> Method: POST, RequestUri: 'http://ubuntu:8065/oauth/authorize', Version: 2.0, Content: System.Net.Http.StringContent, Headers:
	  Authorization: Bearer (removed)
	  Accept: application/json
	  Accept: text/html
	  Accept: */*
	  User-Agent: XR
	  User-Agent: Mattermost
	  User-Agent: Tool
	  Content-Type: application/json; charset=utf-8
	  "grant_type": "authorization_code",
	  "client_id": "(removed)",
	  "redirect_uri": "http://localhost:9998/",
	  "client_secret": "(removed)",
	  "code": "(removed)"

The response was thus:

	Received -> StatusCode: 400, ReasonPhrase: 'Bad Request', Version: 1.1, Content: System.Net.Http.HttpConnectionResponseContent, Headers:
	  X-Request-ID: tjpnqwkuyb8ffe3cxk35ydydsr
	  Date: Thu, 27 Jun 2019 16:30:36 GMT
	  Content-Type: text/html
	  Content-Length: 614

I just realised from studying the source that I should be calling oauth/access_token not oauth/authorize.

I changed that, and now I get a page containing “invalid_request: Bad grant_type”. Looking at the source, the grant_type should be ACCESS_TOKEN_GRANT_TYPE, and this is defined in access.go as "authorization_code". But that is what I am using, so I’m confused.

Hi @nikkilocke,

Is your issue related to GitLab? Wondering if this might help: Bad response from token request after team creation auth.

No, nothing to do with GitLab. Just plain OAuth with Mattermost and my app.

Hi, @nikkilocke,

I’m a bit sorry to necrobump this thread, but I also had exactly this error, and this was the only place I found it described. In my case I am using some Python stolen from a blog[1] to implement OAuth via Mattermost, and I ran into this too.

I couldn’t get “Content-Type: application/json” to work, but when I switched to “Content-Type: application/x-www-form-urlencoded” (and a URL-encoded payload string, of course!) I could get the Mattermost oauth/access_token to understand my request.

(Apologies if I am the only person who still cares about this but I only just fixed the problem in my own case.)

[1] OAuth2 in Python | TestDriven.io
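
The fix described in the last post, as an added example that is not part of the thread and is not Mattermost's code: the code-for-token exchange sent to oauth/access_token as a form-encoded POST, which is the encoding RFC 6749 section 4.1.3 specifies for this request. `check_grant` is a hypothetical model of a server that reads only form fields (an assumption consistent with the "Bad grant_type" page seen above), and the client values used in the demo are constructed placeholders.

```python
from urllib.parse import urlencode, parse_qs
from urllib.request import Request

TOKEN_URL = "http://ubuntu:8065/oauth/access_token"  # host taken from the log in the thread
FORM = "application/x-www-form-urlencoded"
# Constructed sample: the JSON-style body from the first post, which the server rejected.
JSON_BODY = b'{"grant_type": "authorization_code", "code": "CODE123"}'

def build_token_request(code, client_id, client_secret, redirect_uri, url=TOKEN_URL):
    """Build (without sending) the authorization-code exchange as a form POST."""
    fields = {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,  # must match the value used at /oauth/authorize
    }
    body = urlencode(fields).encode("ascii")
    headers = {"Content-Type": FORM, "Accept": "application/json"}
    return Request(url, data=body, headers=headers, method="POST")

def check_grant(content_type, body):
    """Hypothetical server model: parameters are read from form fields only."""
    fields = {}
    if content_type.lower().startswith(FORM):
        fields = {k: v[0] for k, v in parse_qs(body.decode("utf-8")).items()}
    if fields.get("grant_type") != "authorization_code":
        return "invalid_request: Bad grant_type"  # a JSON body yields no form fields
    return "ok"

def redact(body, secret_keys=("client_secret", "code")):
    """Return the form body with credentials masked, suitable for a debug log."""
    pairs = parse_qs(body.decode("ascii"), keep_blank_values=True)
    return urlencode({k: "REDACTED" if k in secret_keys else v[0]
                      for k, v in pairs.items()})

if __name__ == "__main__":
    # Constructed placeholder credentials, not real values.
    req = build_token_request("CODE123", "my-client-id", "s3cret",
                              "http://localhost:9998/")
    print(req.get_method(), req.full_url)
    print(redact(req.data))
    print("form body :", check_grant(req.get_header("Content-type"), req.data))
    print("json body :", check_grant("application/json; charset=utf-8", JSON_BODY))
    # To send for real: urllib.request.urlopen(req), then parse the JSON response.
```
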