OAuth error: what it means

A number of additional errors can occur when exchanging the code for an access token. The format of these responses depends on the Accept header you send.

Note: These examples only show JSON responses.

Incorrect client credentials

If the client_id and/or client_secret you pass are incorrect, you will
receive this error response.

{
  "error": "incorrect_client_credentials",
  "error_description": "The client_id and/or client_secret passed are incorrect.",
  "error_uri": "/apps/managing-oauth-apps/troubleshooting-oauth-app-access-token-request-errors/#incorrect-client-credentials"
}

To solve this error, make sure you have the correct credentials for your OAuth app. Double check the client_id and client_secret to make sure they are correct and being passed correctly
to GitHub.

Redirect URI mismatch

If you provide a redirect_uri that doesn’t match what you’ve registered with your OAuth app, you’ll receive this error message:

{
  "error": "redirect_uri_mismatch",
  "error_description": "The redirect_uri MUST match the registered callback URL for this application.",
  "error_uri": "/apps/managing-oauth-apps/troubleshooting-authorization-request-errors/#redirect-uri-mismatch2"
}

To correct this error, either provide a redirect_uri that matches what
you registered or leave out this parameter to use the default one
registered with your application.

Bad verification code

If the verification code you pass is incorrect, expired, or doesn’t
match what you received in the first request for authorization you will
receive this error.

{
  "error": "bad_verification_code",
  "error_description": "The code passed is incorrect or expired.",
  "error_uri": "/apps/managing-oauth-apps/troubleshooting-oauth-app-access-token-request-errors/#bad-verification-code"
}

To solve this error, start the OAuth authorization process again
and get a new code.

Unverified user email

If the user for whom you are trying to generate a user access token has not verified their primary email address with GitHub, you will receive this error.

{
  "error": "unverified_user_email",
  "error_description": "The user must have a verified primary email.",
  "error_uri": "/apps/managing-oauth-apps/troubleshooting-oauth-app-access-token-request-errors/#unverified_user_email"
}

To resolve this error, prompt the user to verify the primary email address on their GitHub account. For more information, see "Verifying your email address."
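The four token-exchange errors above call for three different reactions: a configuration fix by the operator, a restart of the flow, or a prompt to the user. The example below is added here and is not GitHub's code. It runs the exchange against a constructed stand-in for the token endpoint (the client_id, client_secret, code and redirect_uri values are made up), parses the reply in either format the Accept header selects (JSON or form-encoded), and maps each documented error to an action. The stand-in enforces single-use codes, so replaying a code reproduces bad_verification_code.

```javascript
// Added example, not GitHub's code: exchange an authorization code for a
// token against a stand-in endpoint and act on each documented error.
// The transport, client_id, client_secret, code and redirect_uri values are
// constructed for this example so it runs offline; the error bodies mirror
// the ones shown above, and the endpoint enforces single-use codes so that
// a replayed code produces bad_verification_code.

// GitHub answers in JSON only when the request carried
// "Accept: application/json"; otherwise the body is form-encoded.
function parseTokenResponse(contentType, body) {
  if (contentType.startsWith('application/json')) {
    return JSON.parse(body);
  }
  return Object.fromEntries(new URLSearchParams(body));
}

// Turn a parsed body into a decision the calling code can act on. The
// error_description is kept for logs; it is not meant for end users.
function decideOnTokenResponse(parsed) {
  if (parsed.access_token) {
    return { outcome: 'ok', token: parsed.access_token };
  }
  switch (parsed.error) {
    case 'incorrect_client_credentials':
    case 'redirect_uri_mismatch':
      // Operator mistakes: retrying will not help, so alert instead of looping.
      return { outcome: 'fix_config', error: parsed.error, detail: parsed.error_description };
    case 'bad_verification_code':
      // Wrong, expired or already-consumed code: start the flow again.
      return { outcome: 'restart_flow', error: parsed.error, detail: parsed.error_description };
    case 'unverified_user_email':
      return { outcome: 'prompt_user', error: parsed.error, detail: parsed.error_description };
    default:
      return { outcome: 'unknown', error: parsed.error || 'missing', detail: parsed.error_description };
  }
}

// Constructed stand-in for the token endpoint (hypothetical credentials).
// Checks run in the order the errors above describe: credentials first,
// then redirect_uri, then the code itself.
function makeFakeTokenEndpoint() {
  const unusedCodes = new Set(['code-abc123', 'code-unverified-user']);
  return function exchange({ client_id, client_secret, code, redirect_uri, accept }) {
    let error = null;
    if (client_id !== 'Iv1.example' || client_secret !== 's3cret') {
      error = ['incorrect_client_credentials', 'The client_id and/or client_secret passed are incorrect.'];
    } else if (redirect_uri !== undefined && redirect_uri !== 'https://app.example/cb') {
      error = ['redirect_uri_mismatch', 'The redirect_uri MUST match the registered callback URL for this application.'];
    } else if (!unusedCodes.delete(code)) {
      error = ['bad_verification_code', 'The code passed is incorrect or expired.'];
    } else if (code === 'code-unverified-user') {
      error = ['unverified_user_email', 'The user must have a verified primary email.'];
    }
    const payload = error
      ? { error: error[0], error_description: error[1] }
      : { access_token: 'gho_example', token_type: 'bearer', scope: 'repo' };
    const json = accept === 'application/json';
    return {
      contentType: json ? 'application/json; charset=utf-8' : 'application/x-www-form-urlencoded; charset=utf-8',
      body: json ? JSON.stringify(payload) : new URLSearchParams(payload).toString(),
    };
  };
}

// One full exchange: send the request, parse whichever format came back, decide.
function exchangeCode(endpoint, params) {
  const res = endpoint(params);
  return decideOnTokenResponse(parseTokenResponse(res.contentType, res.body));
}
```

The decision function deliberately treats incorrect_client_credentials and redirect_uri_mismatch as non-retryable: looping on them only hammers the token endpoint with a bad secret, which is worth an alert rather than a retry.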

Errors may happen in different layers, and you will be notified in different ways
depending on where the error happens.

Missing Required OAuth Parameters

If you forget to set the required OAuth parameters, such as the client_id or
scope, you’ll see an error message like below in your browser’s JavaScript
Console.

(Screenshot: JavaScript console errors)

Fix OAuth Configuration Errors

Changes in the Google APIs console
may be required to resolve some errors.

  • Create a client ID if you have not done so yet.
  • For popup UX, add all domains that may trigger the current flow to
    Authorized JavaScript origins.
  • For redirect UX, add all URLs that may receive authorization responses to
    Authorized redirect URIs.
  • Properly configure your OAuth Consent screen.
    • Submit your app for verification if needed.
  • You might need to take additional steps to comply with Google’s OAuth 2.0
    Policies.

Invalid OAuth Parameter Values

If you set invalid values for OAuth parameters, such as an invalid client ID,
scope identifiers, or response type, you’ll see the OAuth error page.

(Screenshot: OAuth error page)

OAuth Error Responses

OAuth may return an error response, in which case your callback function
will be triggered with the error response as the parameter. The following is an
example OAuth error response.

  {
    "error":"access_denied"
  }

Some examples:

  1. The user denies the OAuth request.
  2. For an OAuth request with prompt=none parameter, the user is not
    already authenticated and has not pre-configured consent for the requested
    scopes.

The example below shows how to handle the success and error OAuth responses.

function myCallback(response) {
  if (response.error) {
    // Handle the error response (for example access_denied): log the
    // details for developers and show the user your own message.
    console.error('OAuth error:', response.error);
    return;
  }
  if (response.code) {
    // Handle the success response; response.code is the authorization code.
    console.log('Received an authorization code');
  }
}

Non-OAuth Errors

OAuth doesn’t define the behaviors when:

  1. the popup window fails to open.
  2. the popup window is closed before an OAuth response is returned.

This library captures these errors and triggers the error_callback if one is
set. Be sure to check the error type as shown below; otherwise your logic may
break when the library adds new error types later.

function myErrorCallback(err) {
  if (err.type === 'popup_failed_to_open') {
    // The popup window failed to open (for example, blocked by the browser).
    console.warn('Sign-in popup was blocked; ask the user to allow popups.');
  } else if (err.type === 'popup_closed') {
    // The popup window was closed before an OAuth response was returned.
    console.info('Sign-in popup was closed before sign-in completed.');
  } else {
    // Unknown type: the library may add new error types later.
    console.warn('Unhandled error type:', err.type);
  }
}

const client = google.accounts.oauth2.initCodeClient({
  client_id: 'YOUR_GOOGLE_CLIENT_ID',
  scope: 'https://www.googleapis.com/auth/calendar.readonly',
  ux_mode: 'popup',
  callback: myCallback,
  error_callback: myErrorCallback
});

This page applies to Apigee and Apigee hybrid; the Apigee Edge version of this reference appears later on this page.

This topic provides HTTP status codes and their related reason phrases you may encounter when
an OAuth policy throws errors in Apigee.

For guidance on handling errors, see Handling faults.

For policy-specific error codes, see the OAuth v2 policy error reference.

Invalid Redirect URI

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"Invalid redirection uri http://www.invalid_example.com"}

No Redirect URI

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"Redirection URI is required"}

Invalid Key

HTTP/1.1 401 Unauthorized
{"ErrorCode" : "invalid_request", "Error" :"Invalid client id : AVD7ztXReEYyjpLFkkPiZpLEjeF2aYAz. ClientId is Invalid"}

Missing Key

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"The request is missing a required parameter : client_id"}

Invalid Response Type

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"Response type must be code"}

Missing Response Type

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"The request is missing a required parameter : response_type"}

Generate AccessToken

Invalid Auth Code

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"Invalid Authorization Code"}

No Redirect URI

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"Required param : redirect_uri"}

Invalid Redirect URI

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"Invalid redirect_uri : oob"}

Invalid Client ID when GenerateResponse is false

This error is returned when the <GenerateResponse> property is set to
false and the client credentials are invalid.

{
    "fault": {
        "faultstring": "Invalid client identifier {0}",
        "detail": {
            "errorcode": "oauth.v2.InvalidClientIdentifier"
        }
    }
}

Invalid Client ID when GenerateResponse is true

This error is returned when the <GenerateResponse> property is set to
true and the client credentials are invalid.

{"ErrorCode" : "invalid_client", "Error" :"ClientId is Invalid"}

Invalid GrantType

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"Unsupported grant type : client_credentials_invalid"}

No Username

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"Required param : username"}

No Password

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"Required param : password"}

No GrantType (Custom Policy)

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"Required param : grant_type"}

No AuthCode

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"Required param : code"} 

Implicit

Invalid Client ID

HTTP/1.1 401 Unauthorized
{"ErrorCode" : "invalid_request", "Error" :"Invalid client id : AVD7ztXReEYyjpLFkkPiZpLEjeF2aYAz. ClientId is Invalid"}

No Client ID

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"The request is missing a required parameter : client_id"}

Invalid Response Type

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"Response type must be token"}

No Response Type

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"The request is missing a required parameter : response_type"}

Invalid Redirect URI

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"Invalid redirection uri http://www.invalid_example.com"}

No Redirect URI

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"Redirection URI is required"}

Refresh Token

Invalid RefreshToken

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"Invalid Refresh Token"}

Expired RefreshToken

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"Refresh Token expired"}

Invalid Scope

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"Invalid Scope"}

Invalid Client ID when GenerateResponse is false

This error is returned when the GenerateResponse property is set to false and
the client credentials are invalid.

{
    "fault": {
        "faultstring": "Invalid client identifier {0}",
        "detail": {
            "errorcode": "oauth.v2.InvalidClientIdentifier"
        }
    }
}

Invalid Client ID when GenerateResponse is true

This error is returned when the GenerateResponse property is set to true and
the client credentials are invalid.

{"ErrorCode" : "invalid_client", "Error" :"ClientId is Invalid"}

Verify AccessToken

Invalid AccessToken

HTTP/1.1 401 Unauthorized
{"fault":{"faultstring":"Invalid Access Token","detail":{"errorcode":"keymanagement.service.invalid_access_token"}}}

Invalid Resource

HTTP/1.1 401 Unauthorized
{"fault":{"faultstring":"APIResource \/facebook\/acer does not exist","detail":{"errorcode":"keymanagement.service.apiresource_doesnot_exist"}}}

Invalid Scope

HTTP/1.1 403 Forbidden
{"fault":{"faultstring":"Required scope(s) : VerifyAccessToken.scopeSet","detail":{"errorcode":"steps.oauth.v2.InsufficientScope"}}}

HTTP/1.1 401 Unauthorized
{"fault":{"faultstring":"Invalid access token","detail":{"errorcode":"oauth.v2.InvalidAccessToken"}}}

No match for ApiProduct (with environment and proxy configured)

HTTP/1.1 401 Unauthorized
{"fault":{"faultstring":"Invalid API call as no apiproduct match found","detail":{"errorcode":"keymanagement.service.InvalidAPICallAsNoApiProductMatchFound"}}}

Access token expired

HTTP/1.1 401 Unauthorized
{"fault":{"faultstring":"Access Token expired","detail":{"errorcode":"keymanagement.service.access_token_expired"}}} 

Access token revoked

HTTP/1.1 401 Unauthorized
{"fault":{"faultstring":"Access Token not approved","detail":{"errorcode":"keymanagement.service.access_token_not_approved"}}}

Get OAuth V2 Info

Note: the status lines in this and the following section are reproduced as the reference gives them. A status line of "500 Not Found" is internally inconsistent (the standard reason phrase for 500 is "Internal Server Error"), and the Apigee Edge version of this reference later on this page lists the same expired-token and expired-code conditions as 404. Check the actual status code against your own deployment before hard-coding a check on it.

Invalid Refresh Token

HTTP/1.1 404 Not Found
{"fault":{"detail":{"errorcode":"keymanagement.service.invalid_refresh_token"},"faultstring":"Invalid Refresh Token"}}

Invalid Access Token

HTTP/1.1 404 Not Found
{
  "fault": {
    "faultstring": "Invalid Access Token",
    "detail": {
      "errorcode": "keymanagement.service.invalid_access_token"
    }
  }
}

Expired Access Token

HTTP/1.1 500 Not Found
{
  "fault": {
    "faultstring": "Access Token expired",
    "detail": {
      "errorcode": "keymanagement.service.access_token_expired"
    }
  }
}

Expired Refresh Token

HTTP/1.1 500 Not Found
{
  "fault": {
    "faultstring": "Refresh Token expired",
    "detail": {
      "errorcode": "keymanagement.service.refresh_token_expired"
    }
  }
}

Invalid Client ID

HTTP/1.1 404 Not Found
{
  "fault": {
    "faultstring": "Invalid Client Id",
    "detail": {
      "errorcode": "keymanagement.service.invalid_client-invalid_client_id"
    }
  }
}

Invalid Authorization Code

HTTP/1.1 404 Not Found
{
  "fault": {
    "faultstring": "Invalid Authorization Code",
    "detail": {
      "errorcode": "keymanagement.service.invalid_request-authorization_code_invalid"
    }
  }
}

Expired Authorization Code

HTTP/1.1 500 Not Found
{
  "fault": {
    "faultstring": "Authorization Code expired",
    "detail": {
      "errorcode": "keymanagement.service.authorization_code_expired"
    }
  }
}

Set OAuth V2 Info

Invalid Access Token

HTTP/1.1 404 Not Found
{
  "fault": {
    "faultstring": "Invalid Access Token",
    "detail": {
      "errorcode": "keymanagement.service.invalid_access_token"
    }
  }
}

Expired Access Token

HTTP/1.1 500 Not Found
{
  "fault": {
    "faultstring": "Access Token expired",
    "detail": {
      "errorcode": "keymanagement.service.access_token_expired"
    }
  }
}

Delete OAuth V2 Info

On success, the policy returns a 200 status.

On failure, the policy returns 404 and output similar to the following (depending on whether
you are deleting an access token or an auth code):

HTTP/1.1 404 Not Found
Content-Type: application/json
Content-Length: 144
Connection: keep-alive

{"fault":{"faultstring":"Invalid Authorization Code","detail":{"errorcode":"keymanagement.service.invalid_request-authorization_code_invalid"}}}
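The reference above shows that an OAuthV2 policy reports failures in two shapes: the {"ErrorCode", "Error"} body produced when GenerateResponse is true, and the {"fault": {"faultstring", "detail": {"errorcode"}}} body otherwise. A client that fronts such an API should key its recovery on the errorcode rather than on the HTTP status, because expired, revoked and invalid tokens all arrive as 401. The example below is added here and is not Apigee's code: it normalises both shapes, decides whether to refresh, re-authorize or stop, and retries at most once. The stand-in API, refresh endpoint, token values and the recovery rules are this example's own; the error bodies are copied from the reference.

```javascript
// Added example, not Apigee's code: normalise the two error shapes an
// Apigee OAuthV2 policy can return and use the errorcode, not the status
// alone, to decide whether a client should refresh, re-authorize or stop.
// The stand-in API, refresh endpoint, tokens and the recovery rules are this
// example's own; the error bodies are copied from the reference above.

function parseApigeeError(status, body) {
  const data = typeof body === 'string' ? JSON.parse(body) : body;
  if (data.fault) {
    // Fault shape (GenerateResponse false, or the *OAuthV2Info policies).
    return {
      status,
      code: (data.fault.detail && data.fault.detail.errorcode) || '',
      message: data.fault.faultstring || '',
    };
  }
  if (typeof data.ErrorCode === 'string') {
    // Generated shape: {"ErrorCode": ..., "Error": ...}.
    return { status, code: data.ErrorCode, message: data.Error || '' };
  }
  throw new Error(`unrecognised Apigee error body for status ${status}`);
}

// What a client holding a token should do after a failed call. A revoked
// ("not approved") token must not be refreshed; the grant is gone.
function nextAction(err) {
  switch (err.code) {
    case 'keymanagement.service.access_token_expired':
      return 'refresh';
    case 'steps.oauth.v2.InsufficientScope':
      return 'reauthorize_with_scope';
    case 'keymanagement.service.access_token_not_approved':
    case 'keymanagement.service.invalid_access_token':
    case 'oauth.v2.InvalidAccessToken':
    case 'keymanagement.service.invalid_refresh_token':
    case 'keymanagement.service.refresh_token_expired':
      return 'reauthorize';
    case 'keymanagement.service.apiresource_doesnot_exist':
    case 'keymanagement.service.InvalidAPICallAsNoApiProductMatchFound':
      return 'fix_api_product'; // gateway-side configuration, not a token problem
    case 'invalid_request':
      // The generated shape folds several conditions into invalid_request;
      // only the message tells an expired refresh token apart.
      return /refresh token/i.test(err.message) ? 'reauthorize' : 'fail';
    default:
      return 'fail';
  }
}

// Call once; on an expired access token refresh exactly once and retry.
function callWithRecovery(api, creds, refresh) {
  let token = creds.accessToken;
  for (let attempt = 1; attempt <= 2; attempt++) {
    const res = api(token);
    if (res.status === 200) return { ok: true, attempts: attempt };
    const action = nextAction(parseApigeeError(res.status, res.body));
    if (action !== 'refresh' || attempt === 2) return { ok: false, action };
    const r = refresh(creds.refreshToken);
    if (r.status !== 200) {
      return { ok: false, action: nextAction(parseApigeeError(r.status, r.body)) };
    }
    token = JSON.parse(r.body).access_token;
  }
  return { ok: false, action: 'fail' };
}

// Constructed stand-ins: token values are made up, bodies come from the reference.
const FAKE_API_RESPONSES = {
  'tok-valid': { status: 200, body: '{"ok":true}' },
  'tok-expired': { status: 401, body: '{"fault":{"faultstring":"Access Token expired","detail":{"errorcode":"keymanagement.service.access_token_expired"}}}' },
  'tok-revoked': { status: 401, body: '{"fault":{"faultstring":"Access Token not approved","detail":{"errorcode":"keymanagement.service.access_token_not_approved"}}}' },
  'tok-narrow': { status: 403, body: '{"fault":{"faultstring":"Required scope(s) : VerifyAccessToken.scopeSet","detail":{"errorcode":"steps.oauth.v2.InsufficientScope"}}}' },
};
function fakeApi(token) {
  return FAKE_API_RESPONSES[token]
    || { status: 401, body: '{"fault":{"faultstring":"Invalid Access Token","detail":{"errorcode":"keymanagement.service.invalid_access_token"}}}' };
}
function fakeRefresh(refreshToken) {
  if (refreshToken === 'rt-good') return { status: 200, body: '{"access_token":"tok-valid"}' };
  return { status: 400, body: '{"ErrorCode" : "invalid_request", "Error" :"Refresh Token expired"}' };
}
```

The single-retry loop matters: a client that refreshes on every 401 turns a revoked token into an endless refresh storm, while one that never refreshes forces users to re-consent every time a short-lived token lapses.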

There are several cases where you may get an error response during authorization.

Errors are indicated by redirecting back to the provided redirect URL with additional parameters in the query string. There will always be an error parameter, and the redirect may also include error_description and error_uri.

For example,

https://example-app.com/cb?error=invalid_scope

Despite the fact that servers return an error_description key, the error description is not intended to be displayed to the user. Instead, you should present the user with your own error message. This allows you to tell the user an appropriate action to take to correct the problem, and also gives you a chance to localize the error messages if you’re building a multi-language website.

Invalid redirect URL

If the redirect URL provided is invalid, the authorization server will not redirect to it. Instead, it may display a message to the user describing the problem.

Unrecognized client_id

If the client ID is not recognized, the authorization server will not redirect the user. Instead, it may display a message describing the problem.

The user denies the request

If the user denies the authorization request, the server will redirect the user back to the redirect URL with error=access_denied in the query string, and no code will be present. It is up to the app to decide what to display to the user at this point.

Invalid parameters

If one or more parameters are invalid, for example a required value is missing or the response_type parameter is wrong, the server will redirect to the redirect URL and include query string parameters describing the problem. The other possible values for the error parameter are:

invalid_request: The request is missing a required parameter, includes an invalid parameter value, or is otherwise malformed.

unauthorized_client: The client is not authorized to request an authorization code using this method.

unsupported_response_type: The authorization server does not support obtaining an authorization code using this method.

invalid_scope: The requested scope is invalid, unknown, or malformed.

server_error: The authorization server encountered an unexpected condition which prevented it from fulfilling the request.

temporarily_unavailable: The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server.

In addition, the server may include parameters error_description and error_uri with additional information about the error.
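The text above describes the redirect-based error response: an error parameter is always present, error_description and error_uri are optional, and none of them should be shown to the user verbatim. The example below is added here and is not oauth.com's code or any library's. It parses the callback URL, checks the state parameter against the value stored when the flow began (a step the text does not cover but the standard defence against a forged callback), logs the server's description for developers, and returns a message of the app's own for the user. The callback URLs, stored state and user-facing messages are made up for the example; the two cases where the server does not redirect at all (invalid redirect URL, unrecognized client_id) never reach this code.

```javascript
// Added example, not oauth.com's code or any library's: handle the redirect
// back to the client described above. Beyond the text, it also binds the
// response to the session with the `state` parameter; URLs, the stored state
// and the user-facing messages are constructed for this example.

// Our own wording per error code. error_description from the server is for
// logs, not for the user, and unknown codes get a generic message. A Map is
// used so that a hostile value such as "constructor" cannot hit a prototype
// property the way it would on a plain object.
const USER_MESSAGES = new Map([
  ['access_denied', 'You chose not to connect your account. You can try again at any time.'],
  ['invalid_request', 'We sent the provider a request it could not understand. Please try again later.'],
  ['unauthorized_client', 'This application is not allowed to sign you in this way. Please contact support.'],
  ['unsupported_response_type', 'This application is not allowed to sign you in this way. Please contact support.'],
  ['invalid_scope', 'This application asked for permissions the provider does not offer. Please contact support.'],
  ['server_error', 'The sign-in provider hit an internal problem. Please try again in a few minutes.'],
  ['temporarily_unavailable', 'The sign-in provider is temporarily unavailable. Please try again in a few minutes.'],
]);
const GENERIC_MESSAGE = 'Sign-in did not complete. Please try again.';

function handleAuthorizationCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;

  // Check state before reading anything else: a response for a flow this
  // session did not start is discarded, whether it carries a code or an error.
  if (!expectedState || params.get('state') !== expectedState) {
    return { ok: false, message: GENERIC_MESSAGE, log: 'state mismatch or missing' };
  }

  const error = params.get('error');
  if (error !== null) {
    const detail = [params.get('error_description'), params.get('error_uri')]
      .filter(Boolean)
      .join(' ');
    return {
      ok: false,
      error,
      message: USER_MESSAGES.get(error) || GENERIC_MESSAGE,
      log: detail ? `${error}: ${detail}` : error,
    };
  }

  // No error parameter: the server must have sent a code.
  const code = params.get('code');
  if (!code) {
    return { ok: false, message: GENERIC_MESSAGE, log: 'callback carried neither code nor error' };
  }
  return { ok: true, code };
}
```

Keeping the server's error_description out of the user-facing message is more than a wording preference: whatever the provider puts in that parameter ends up on your page, so treating it as log-only data also keeps it out of your HTML.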


The authorization server responds with an HTTP 400 or 401 status code. Two cases arise when an error occurs during authorization: either the client cannot be identified or recognized, or the client is identified correctly but something else fails. In the latter case, an error response is sent back to the client with the following fields −

  • error_description − An optional human-readable description of the error, in the language given by the Content-Language header, meant for the developer and not the end user.

  • error_uri − An optional link to a human-readable web page with information about the error that can help with troubleshooting.

  • error − One of a set of predefined error codes (required).

The error codes and their equivalent HTTP status codes are described below. Only some of these names (invalid_request, invalid_client, invalid_grant, unauthorized_client, unsupported_grant_type, unsupported_response_type, access_denied and server_error from RFC 6749, and invalid_token from RFC 6750) are standard; the rest are provider-specific, and you should not expect every authorization server to use them.

400 Errors

The following list shows the 400 errors with their descriptions.

  1. unsupported_over_http: OAuth 2.0 only supports calls over HTTPS.
  2. version_rejected: an unsupported version of OAuth was supplied.
  3. parameter_absent: a required parameter is missing from the request.
  4. parameter_rejected: a given parameter is too long.
  5. invalid_client: an invalid client ID was given.
  6. invalid_request: an invalid request parameter was given.
  7. unsupported_response_type: the response type provided does not match that particular request.
  8. unsupported_grant_type: the grant type provided does not match a particular request.
  9. invalid_param: an invalid request parameter was provided.
  10. unauthorized_client: the client does not have permission to perform the requested action.
  11. access_denied: the resource owner refused the authorization request.
  12. server_error: an unexpected error occurred.

401 Errors

The following list shows the 401 errors with their descriptions.

  1. token_expired: the provided token has expired.
  2. invalid_token: the provided token is invalid.
  3. invalid_callback: the URI provided with the request does not match the consumer key.
  4. invalid_client_secret: the provided client secret is invalid.
  5. invalid_grant: the provided token has either expired or is invalid.



You’re viewing the Apigee Edge version of this reference; the Apigee and Apigee hybrid version appears earlier on this page.

This topic provides HTTP status codes and their related reason phrases you may encounter when
an OAuth policy throws errors in Apigee Edge.

For guidance on handling errors, see Handling faults.

For policy-specific error codes, see:

  • OAuthV2 policy
  • OAuth v1.0a policy

Invalid Redirect URI

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"Invalid redirection uri http://www.invalid_example.com"}

No Redirect URI

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"Redirection URI is required"}

Invalid Key

HTTP/1.1 401 Unauthorized
{"ErrorCode" : "invalid_request", "Error" :"Invalid client id : AVD7ztXReEYyjpLFkkPiZpLEjeF2aYAz. ClientId is Invalid"}

Missing Key

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"The request is missing a required parameter : client_id"}

Invalid Response Type

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"Response type must be code"}

Missing Response Type

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"The request is missing a required parameter : response_type"}

Generate AccessToken

Invalid Auth Code

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"Invalid Authorization Code"}

No Redirect URI

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"Required param : redirect_uri"}

Invalid Redirect URI

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"Invalid redirect_uri : oob"}

Invalid Client ID when GenerateResponse is false

This error is returned when the <GenerateResponse> property is set to
false and the client credentials are invalid.

{
    "fault": {
        "faultstring": "Invalid client identifier {0}",
        "detail": {
            "errorcode": "oauth.v2.InvalidClientIdentifier"
        }
    }
}

Invalid Client ID when GenerateResponse is true

This error is returned when the <GenerateResponse> property is set to
true and the client credentials are invalid.

{"ErrorCode" : "invalid_client", "Error" :"ClientId is Invalid"}

Invalid GrantType

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"Unsupported grant type : client_credentials_invalid"}

No Username

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"Required param : username"}

No Password

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"Required param : password"}

No GrantType (Custom Policy)

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"Required param : grant_type"}

No AuthCode

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"Required param : code"}

Implicit

Invalid Client ID

HTTP/1.1 401 Unauthorized
{"ErrorCode" : "invalid_request", "Error" :"Invalid client id : AVD7ztXReEYyjpLFkkPiZpLEjeF2aYAz. ClientId is Invalid"}

No Client ID

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"The request is missing a required parameter : client_id"}

Invalid Response Type

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"Response type must be token"}

No Response Type

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"The request is missing a required parameter : response_type"}

Invalid Redirect URI

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"Invalid redirection uri http://www.invalid_example.com"}

No Redirect URI

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"Redirection URI is required"}

Refresh Token

Invalid RefreshToken

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"Invalid Refresh Token"}

Expired RefreshToken

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"Refresh Token expired"}

Invalid Scope

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"Invalid Scope"}

Invalid Client ID when GenerateResponse is false

This error is returned when the GenerateResponse property is set to false and
the client credentials are invalid.

{
    "fault": {
        "faultstring": "Invalid client identifier {0}",
        "detail": {
            "errorcode": "oauth.v2.InvalidClientIdentifier"
        }
    }
}

Invalid Client ID when GenerateResponse is true

This error is returned when the GenerateResponse property is set to true and
the client credentials are invalid.

{"ErrorCode" : "invalid_client", "Error" :"ClientId is Invalid"}

Verify AccessToken

Invalid AccessToken

HTTP/1.1 401 Unauthorized
{"fault":{"faultstring":"Invalid Access Token","detail":{"errorcode":"keymanagement.service.invalid_access_token"}}}

Invalid Resource

HTTP/1.1 401 Unauthorized
{"fault":{"faultstring":"APIResource /facebook/acer does not exist","detail":{"errorcode":"keymanagement.service.apiresource_doesnot_exist"}}}

Invalid Scope

HTTP/1.1 403 Forbidden
{"fault":{"faultstring":"Required scope(s) : VerifyAccessToken.scopeSet","detail":{"errorcode":"steps.oauth.v2.InsufficientScope"}}}

HTTP/1.1 401 Unauthorized
{"fault":{"faultstring":"Invalid access token","detail":{"errorcode":"oauth.v2.InvalidAccessToken"}}}

No match for ApiProduct (with environment and proxy configured)

HTTP/1.1 401 Unauthorized
{"fault":{"faultstring":"Invalid API call as no apiproduct match found","detail":{"errorcode":"keymanagement.service.InvalidAPICallAsNoApiProductMatchFound"}}}

Access token expired

HTTP/1.1 401 Unauthorized
{"fault":{"faultstring":"Access Token expired","detail":{"errorcode":"keymanagement.service.access_token_expired"}}}

Access token revoked

HTTP/1.1 401 Unauthorized
{"fault":{"faultstring":"Access Token not approved","detail":{"errorcode":"keymanagement.service.access_token_not_approved"}}}

Get OAuth V2 Info

Invalid Refresh Token

HTTP/1.1 404 Not Found
{"fault":{"detail":{"errorcode":"keymanagement.service.invalid_refresh_token"},"faultstring":"Invalid Refresh Token"}}

Invalid Access Token

HTTP/1.1 404 Not Found
{
  "fault": {
    "faultstring": "Invalid Access Token",
    "detail": {
      "errorcode": "keymanagement.service.invalid_access_token"
    }
  }
}

Expired Access Token

HTTP/1.1 404 Not Found
{
  "fault": {
    "faultstring": "Access Token expired",
    "detail": {
      "errorcode": "keymanagement.service.access_token_expired"
    }
  }
}

Expired Refresh Token

HTTP/1.1 404 Not Found
{
  "fault": {
    "faultstring": "Refresh Token expired",
    "detail": {
      "errorcode": "keymanagement.service.refresh_token_expired"
    }
  }
}

Invalid Client ID

HTTP/1.1 404 Not Found
{
  "fault": {
    "faultstring": "Invalid Client Id",
    "detail": {
      "errorcode": "keymanagement.service.invalid_client-invalid_client_id"
    }
  }
}

Invalid Authorization Code

HTTP/1.1 404 Not Found
{
  "fault": {
    "faultstring": "Invalid Authorization Code",
    "detail": {
      "errorcode": "keymanagement.service.invalid_request-authorization_code_invalid"
    }
  }
}

Expired Authorization Code

HTTP/1.1 404 Not Found
{
  "fault": {
    "faultstring": "Authorization Code expired",
    "detail": {
      "errorcode": "keymanagement.service.authorization_code_expired"
    }
  }
}

Set OAuth V2 Info

Invalid Access Token

HTTP/1.1 404 Not Found
{
  "fault": {
    "faultstring": "Invalid Access Token",
    "detail": {
      "errorcode": "keymanagement.service.invalid_access_token"
    }
  }
}

Expired Access Token

HTTP/1.1 404 Not Found
{
  "fault": {
    "faultstring": "Access Token expired",
    "detail": {
      "errorcode": "keymanagement.service.access_token_expired"
    }
  }
}

Delete OAuth V2 Info

On success, the policy returns a 200 status.

On failure, the policy returns 404 and output similar to the following (depending on whether
you are deleting an access token or an auth code):

HTTP/1.1 404 Not Found
Content-Type: application/json
Content-Length: 144
Connection: keep-alive

{"fault":{"faultstring":"Invalid Authorization Code","detail":{"errorcode":"keymanagement.service.invalid_request-authorization_code_invalid"}}}


What is Error Response and Codes in OAuth 2.0?

  • The authorization server returns error responses with HTTP 400 or 401 status codes.
  • If an error occurs during authorization, there are two cases.

Case 1:

  • The client is not identified or recognized by the authorization server.

Case 2:

  • The client is identified, but some other error occurs.
  • In that case an error response is sent back to the client with the fields described below.
  • The error field is required and takes one of a set of predefined error codes.

Error description

  • A human-readable description of the error, in the language given by the Content-Language header.
  • It may contain only ASCII characters and should be a sentence or two describing the circumstances of the error.

Error uri

  • A link to a human-readable web page with information about the error that can help with troubleshooting.
  • Typically it points to the API documentation that explains how to correct the specific error encountered.
  • Error responses are returned with an HTTP 400 status code and carry the error and error_description parameters. The error parameter takes one of the following values:
  • invalid_request: the request is missing a parameter or is otherwise malformed, so the server cannot proceed.
  • invalid_client: client authentication failed, for example because the request contains an invalid client ID or secret.
  • invalid_grant: the authorization code is invalid or expired. This is also the error returned when the redirect URL given in the authorization grant does not match the URL provided in the access token request.
  • invalid_scope: for access token requests that include a scope, this error indicates an invalid scope value in the request.
  • unauthorized_client: the client is not authorized to use the requested grant type.
  • unsupported_grant_type: the authorization server does not recognize the requested grant type.
  • The entire error response is returned as a JSON string, in the same way as the successful response.
  • An example of an error response follows.

Example:

HTTP/1.1 400 Bad Request
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
 
{
  "error": "invalid_request",
  "error_description": "Request was missing the 'redirect_uri' parameter.",
  "error_uri": "See the full API docs at
     <https://authorization-server.com/docs/access_token>"
}
  • Descriptions of the error codes and their equivalent HTTP status codes are given in the tables below.

400 Errors

  • The table below describes the 400 errors.

  1. unsupported_over_http: OAuth 2.0 only supports calls over HTTPS.
  2. version_rejected: an unsupported version of OAuth was supplied.
  3. parameter_absent: a required parameter is missing from the request.
  4. parameter_rejected: a given parameter is too long.
  5. invalid_client: an invalid client ID was given.
  6. invalid_request: an invalid request parameter was given.
  7. unsupported_response_type: the response type provided does not match that particular request.
  8. unsupported_grant_type: the grant type provided does not match a particular request.
  9. invalid_param: an invalid request parameter was provided.
  10. unauthorized_client: the client does not have permission to perform the requested action.
  11. access_denied: the resource owner refused the authorization request.
  12. server_error: an unexpected error occurred.

401 Errors

  • The table below describes the 401 errors.

  1. token_expired: the provided token has expired.
  2. invalid_token: the provided token is invalid.
  3. invalid_callback: the URI provided with the request does not match the consumer key.
  4. invalid_client_secret: the provided client secret is invalid.
  5. invalid_grant: the provided token has either expired or is invalid.



Refresh Token

Invalid RefreshToken

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"Invalid Refresh Token"}

Expired RefreshToken

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"Refresh Token expired"}

Invalid Scope

HTTP/1.1 400 Bad Request
{"ErrorCode" : "invalid_request", "Error" :"Invalid Scope"}

Invalid Client ID when
GenerateResponse is false

This error is returned when the GenerateResponse property is set to false and
the client credentials are invalid.

{
    "fault": {
        "faultstring": "Invalid client identifier {0}",
        "detail": {
            "errorcode": "oauth.v2.InvalidClientIdentifier"
        }
    }
}

Invalid Client ID when
GenerateResponse is true

This error is returned when the GenerateResponse property is set to true and
the client credentials are invalid.

{"ErrorCode" : "invalid_client", "Error" :"ClientId is Invalid"}

Verify AccessToken

Invalid AccessToken

HTTP/1.1 401 Unauthorized
{"fault":{"faultstring":"Invalid Access Token","detail":{"errorcode":"keymanagement.service.invalid_access_token"}}}

Invalid Resource

HTTP/1.1 401 Unauthorized
{"fault":{"faultstring":"APIResource /facebook/acer does not exist","detail":{"errorcode":"keymanagement.service.apiresource_doesnot_exist"}}}

Invalid Scope

HTTP/1.1 403 Forbidden
{"fault":{"faultstring":"Required scope(s) : VerifyAccessToken.scopeSet","detail":{"errorcode":"steps.oauth.v2.InsufficientScope"}}}

HTTP/1.1 401 Unauthorized
{"fault":{"faultstring":"Invalid access token","detail":{"errorcode":"oauth.v2.InvalidAccessToken"}}}

No match for ApiProduct
(With Env & Proxy Configured)

HTTP/1.1 401 Unauthorized
{"fault":{"faultstring":"Invalid API call as no apiproduct match found","detail":{"errorcode":"keymanagement.service.InvalidAPICallAsNoApiProductMatchFound"}}}

Access token expired

HTTP/1.1 401 Unauthorized
{"fault":{"faultstring":"Access Token expired","detail":{"errorcode":"keymanagement.service.access_token_expired"}}} 

Access token revoked

HTTP/1.1 401 Unauthorized
{"fault":{"faultstring":"Access Token not approved","detail":{"errorcode":"keymanagement.service.access_token_not_approved"}}}

Get OAuth V2 Info

Invalid Refresh Token

HTTP/1.1 404 Not Found
{"fault":{"detail":{"errorcode":"keymanagement.service.invalid_refresh_token"},"faultstring":"Invalid Refresh Token"}}

Invalid Access Token

HTTP/1.1 404 Not Found
{
  "fault": {
    "faultstring": "Invalid Access Token",
    "detail": {
      "errorcode": "keymanagement.service.invalid_access_token"
    }
  }
}

Expired Access Token

HTTP/1.1 500 Not Found
{
  "fault": {
    "faultstring": "Access Token expired",
    "detail": {
      "errorcode": "keymanagement.service.access_token_expired"
    }
  }
}

Expired Refresh Token

HTTP/1.1 500 Not Found
{
  "fault": {
    "faultstring": "Refresh Token expired",
    "detail": {
      "errorcode": "keymanagement.service.refresh_token_expired"
    }
  }
}

Invalid Client ID

HTTP/1.1 404 Not Found
{
  "fault": {
    "faultstring": "Invalid Client Id",
    "detail": {
      "errorcode": "keymanagement.service.invalid_client-invalid_client_id"
    }
  }
}

Invalid Authorization Code

HTTP/1.1 404 Not Found
{
  "fault": {
    "faultstring": "Invalid Authorization Code",
    "detail": {
      "errorcode": "keymanagement.service.invalid_request-authorization_code_invalid"
    }
  }
}

Expired Authorization Code

HTTP/1.1 500 Not Found
{
  "fault": {
    "faultstring": "Authorization Code expired",
    "detail": {
      "errorcode": "keymanagement.service.authorization_code_expired"
    }
  }
}

Set OAuth V2 Info

Invalid Access Token

HTTP/1.1 404 Not Found
{
  "fault": {
    "faultstring": "Invalid Access Token",
    "detail": {
      "errorcode": "keymanagement.service.invalid_access_token"
    }
  }
}

Expired Access Token

HTTP/1.1 500 Not Found
{
  "fault": {
    "faultstring": "Access Token expired",
    "detail": {
      "errorcode": "keymanagement.service.access_token_expired"
    }
  }
}

Delete OAuth V2 Info

On success, the policy returns a 200 status.

On failure, the policy returns 404 and output similar to the following (depending on whether
you are deleting an access token or an auth code):

HTTP/1.1 404 Not Found
Content-Type: application/json
Content-Length: 144
Connection: keep-alive

{"fault":{"faultstring":"Invalid Authorization Code","detail":{"errorcode":"keymanagement.service.invalid_request-authorization_code_invalid"}}}
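The Apigee responses listed above come in two body shapes: `{"ErrorCode": ..., "Error": ...}` when GenerateResponse is true, and `{"fault": {"faultstring": ..., "detail": {"errorcode": ...}}}` otherwise. Anyone feeding these into a log pipeline or a failure-rate alert has to normalize both. The following is an added example, not Apigee's code or part of the original page; it parses either shape from a logged response (with or without the status line), maps it to a coarse category, and counts categories over a batch. The category labels and the sample responses are this example's own construction; the error codes and messages are the ones shown above.

```python
import json
import re
from collections import Counter
from typing import Iterable, NamedTuple, Optional


class OAuthFault(NamedTuple):
    status: Optional[int]  # HTTP status from the status line, None when only a body was logged
    code: str              # Apigee error code (ErrorCode or fault.detail.errorcode)
    message: str           # Error / faultstring text


_STATUS_RE = re.compile(r"^HTTP/\d\.\d\s+(\d{3})\b")


def parse_apigee_fault(raw: str) -> OAuthFault:
    """Normalize the two body shapes into one record.

    GenerateResponse=true  -> {"ErrorCode": "...", "Error": "..."}
    GenerateResponse=false -> {"fault": {"faultstring": "...", "detail": {"errorcode": "..."}}}
    A leading status line and any headers before the body are tolerated.
    """
    lines = raw.strip().splitlines()
    status = None
    if lines:
        m = _STATUS_RE.match(lines[0])
        if m:
            status = int(m.group(1))
    body_at = next((i for i, line in enumerate(lines) if line.lstrip().startswith("{")), None)
    if body_at is None:
        raise ValueError("no JSON body found")
    body = json.loads("\n".join(lines[body_at:]))
    if isinstance(body.get("fault"), dict):
        fault = body["fault"]
        detail = fault.get("detail") or {}
        return OAuthFault(status, str(detail.get("errorcode", "")), str(fault.get("faultstring", "")))
    if "ErrorCode" in body:
        return OAuthFault(status, str(body["ErrorCode"]), str(body.get("Error", "")))
    raise ValueError("unrecognized fault body")


# Category labels are this example's own; the substrings come from the error codes listed above.
# Order matters: the first matching substring wins.
_CATEGORY_BY_CODE_SUBSTRING = (
    ("InsufficientScope", "scope"),
    ("invalid_client", "client_credentials"),
    ("InvalidClientIdentifier", "client_credentials"),
    ("apiresource_doesnot_exist", "api_product"),
    ("NoApiProductMatchFound", "api_product"),
    ("access_token", "access_token"),
    ("AccessToken", "access_token"),
    ("refresh_token", "refresh_token"),
    ("authorization_code", "authorization_code"),
)


def categorize(fault: OAuthFault) -> str:
    """Map a fault to a coarse category suitable for per-client failure counting."""
    for needle, label in _CATEGORY_BY_CODE_SUBSTRING:
        if needle in fault.code:
            return label
    if fault.code == "invalid_request":
        # Generic invalid_request bodies carry the real reason only in the message text
        text = fault.message.lower()
        if "scope" in text:
            return "scope"
        if "client" in text:
            return "client_credentials"
        if "refresh token" in text:
            return "refresh_token"
        if "authorization code" in text:
            return "authorization_code"
        return "request"
    return "other"


def summarize(raw_responses: Iterable[str]) -> Counter:
    """Count categories over a batch of logged responses, e.g. to drive a burst-of-failures alert."""
    return Counter(categorize(parse_apigee_fault(r)) for r in raw_responses)


# Constructed sample batch, assembled from the response shapes shown above
SAMPLES = [
    'HTTP/1.1 401 Unauthorized\n{"ErrorCode" : "invalid_request", "Error" :"Invalid client id : AVD7ztXReEYyjpLFkkPiZpLEjeF2aYAz. ClientId is Invalid"}',
    'HTTP/1.1 401 Unauthorized\n{"fault":{"faultstring":"Access Token expired","detail":{"errorcode":"keymanagement.service.access_token_expired"}}}',
    'HTTP/1.1 403 Forbidden\n{"fault":{"faultstring":"Required scope(s) : VerifyAccessToken.scopeSet","detail":{"errorcode":"steps.oauth.v2.InsufficientScope"}}}',
    '{"fault": {"faultstring": "Invalid client identifier {0}", "detail": {"errorcode": "oauth.v2.InvalidClientIdentifier"}}}',
    'HTTP/1.1 400 Bad Request\n{"ErrorCode" : "invalid_request", "Error" :"Refresh Token expired"}',
]

if __name__ == "__main__":
    for raw in SAMPLES:
        f = parse_apigee_fault(raw)
        print(f.status, categorize(f), f.code)
    print(dict(summarize(SAMPLES)))
```

The substring table is deliberately ordered so that the more specific codes (scope, client identifier, API product) are tested before the generic `access_token` / `refresh_token` ones; a new Apigee code that matches none of them falls into `other` rather than being misfiled.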

Successful Response

If the request for an access token is valid, the authorization server needs to generate an access token (and optional refresh token) and return these to the client, typically along with some additional properties about the authorization.

The response with an access token should contain the following properties:

  • access_token (required) The access token string as issued by the authorization server.
  • token_type (required) The type of token this is, typically just the string “Bearer”.
  • expires_in (recommended) If the access token expires, the server should reply with the duration of time the access token is granted for.
  • refresh_token (optional) If the access token will expire, then it is useful to return a refresh token which applications can use to obtain another access token. However, tokens issued with the implicit grant cannot be issued a refresh token.
  • scope (optional) If the scope the user granted is identical to the scope the app requested, this parameter is optional. If the granted scope is different from the requested scope, such as if the user modified the scope, then this parameter is required.

When responding with an access token, the server must also include the Cache-Control: no-store HTTP header to ensure clients do not cache this response.

For example, a successful token response may look like the following:

   HTTP/1.1 200 OK
   Content-Type: application/json
   Cache-Control: no-store

   {
     "access_token":"MTQ0NjJkZmQ5OTM2NDE1ZTZjNGZmZjI3",
     "token_type":"Bearer",
     "expires_in":3600,
     "refresh_token":"IwOGYzYTlmM2YxOTQ5MGE3YmNmMDFkNTVk",
     "scope":"create"
   }

Access Tokens

The format for OAuth 2.0 Bearer tokens is actually described in a separate spec, RFC 6750. There is no defined structure for the token required by the spec, so you can generate a string and implement tokens however you want. The valid characters in a bearer token are alphanumeric, and the following punctuation characters:

-._~+/

A simple implementation of Bearer Tokens is to generate a random string and store it in a database along with the associated user and scope information, or more advanced systems may use self-encoded tokens where the token string itself contains all the necessary info.
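The two passages above, the successful token response and the bearer token format, fit together in one server-side routine. The following is an added example, not code from oauth.com or the original page: it generates bearer tokens from the allowed character set, stores only a SHA-256 of each token alongside the user, scope and expiry (the "random string in a database" approach described above), and builds the success response with the required `token_type`, `expires_in` and `Cache-Control: no-store`, omitting `scope` when it equals the request and the refresh token for the implicit grant. `TokenStore` is a hypothetical in-memory stand-in for the database; all user names and scopes are constructed.

```python
import hashlib
import re
import secrets
import time
from typing import Dict, Optional, Tuple

# Bearer token syntax as stated above (RFC 6750 b64token): alphanumerics plus -._~+/ and optional "=" padding
BEARER_TOKEN_RE = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")


def is_valid_bearer_token(token: str) -> bool:
    return bool(BEARER_TOKEN_RE.match(token))


def new_bearer_token(nbytes: int = 32) -> str:
    # token_urlsafe emits only A-Z a-z 0-9 - _ which all lie inside the allowed set
    return secrets.token_urlsafe(nbytes)


def token_key(token: str) -> str:
    # Only a SHA-256 of the token is persisted, so a copied table cannot be replayed as bearer tokens
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class TokenStore:
    """Hypothetical in-memory store keyed by token hash (a real deployment would use a database)."""

    def __init__(self) -> None:
        self._rows: Dict[str, dict] = {}

    def issue(self, user: str, scope: str, lifetime: int, with_refresh: bool, now: float) -> dict:
        """Create an access token (plus a refresh token unless with_refresh is False); return the body fields."""
        access = new_bearer_token()
        self._rows[token_key(access)] = {"user": user, "scope": scope, "expires_at": now + lifetime}
        body = {"access_token": access, "token_type": "Bearer", "expires_in": lifetime, "scope": scope}
        if with_refresh:
            refresh = new_bearer_token()
            self._rows[token_key(refresh)] = {"user": user, "scope": scope, "refresh": True}
            body["refresh_token"] = refresh
        return body

    def lookup(self, token: str, now: float) -> Optional[dict]:
        """Return the record behind a live access token, or None if malformed, unknown, a refresh token, or expired."""
        if not is_valid_bearer_token(token):
            return None
        row = self._rows.get(token_key(token))
        if row is None or row.get("refresh") or row["expires_at"] <= now:
            return None
        return row


def successful_token_response(store: TokenStore, user: str, granted_scope: str, requested_scope: str,
                              lifetime: int = 3600, grant: str = "authorization_code",
                              now: Optional[float] = None) -> Tuple[int, Dict[str, str], dict]:
    """Build (status, headers, body) for a valid token request; the body is what json.dumps() would serialize."""
    now = time.time() if now is None else now
    # Tokens issued through the implicit grant must not come with a refresh token
    body = store.issue(user, granted_scope, lifetime, with_refresh=(grant != "implicit"), now=now)
    # scope may be left out when the grant equals what was requested; it is required when it differs
    if granted_scope == requested_scope:
        del body["scope"]
    headers = {"Content-Type": "application/json", "Cache-Control": "no-store"}
    return 200, headers, body


if __name__ == "__main__":
    store = TokenStore()
    status, headers, body = successful_token_response(store, "alice", "create", "create read")
    print(status, headers, body)
    print(store.lookup(body["access_token"], now=time.time()))
```

Storing the hash rather than the token means a resource server validating a presented token hashes it and looks the digest up; the refresh token is kept in the same table but flagged so that it can never be accepted as a bearer credential.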

Unsuccessful Response

If the access token request is invalid, such as when the redirect URL doesn’t match the one used during authorization, the server needs to return an error response.

Error responses are returned with an HTTP 400 status code (unless specified otherwise), with error and error_description parameters. The error parameter will always be one of the values listed below.

  • invalid_request – The request is missing a parameter so the server can’t proceed with the request. This may also be returned if the request includes an unsupported parameter or repeats a parameter.
  • invalid_client – Client authentication failed, such as if the request contains an invalid client ID or secret. Send an HTTP 401 response in this case.
  • invalid_grant – The authorization code (or user’s password for the password grant type) is invalid or expired. This is also the error you would return if the redirect URL given in the authorization grant does not match the URL provided in this access token request.
  • invalid_scope – For access token requests that include a scope (password or client_credentials grants), this error indicates an invalid scope value in the request.
  • unauthorized_client – This client is not authorized to use the requested grant type. For example, if you restrict which applications can use the Implicit grant, you would return this error for the other apps.
  • unsupported_grant_type – If a grant type is requested that the authorization server doesn’t recognize, use this code. Note that unknown grant types also use this specific error code rather than using the invalid_request above.

There are two optional parameters when returning an error response, error_description and error_uri. These are meant to give developers more information about the error, not intended to be shown to end users. However, keep in mind that many developers will pass this error text straight on to end users no matter how much you warn them, so it is a good idea to make sure it is at least somewhat helpful to end users as well.

The error_description parameter can only include ASCII characters, and should be a sentence or two at most describing the circumstance of the error. The error_uri is a great place to link to your API documentation for information about how to correct the specific error that was encountered.

The entire error response is returned as a JSON string, similar to the successful response. Below is an example of an error response.

HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store

{
  "error": "invalid_request",
  "error_description": "Request was missing the 'redirect_uri' parameter.",
  "error_uri": "See the full API docs at https://authorization-server.com/docs/access_token"
}
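The error list and the response format above are straightforward to turn into a validation routine for the token endpoint. The following is an added example, not oauth.com's code or part of the original page: `error_response` builds the JSON body with the status each code calls for (401 only for `invalid_client`), rejects non-ASCII `error_description` text and sets `Cache-Control: no-store`; `validate_token_request` walks a parsed form through the checks that map to each code, including the distinction between a missing `grant_type` (`invalid_request`) and an unknown one (`unsupported_grant_type`), and a redirect_uri mismatch on an authorization code (`invalid_grant`). The client registry `CLIENTS` and the issued codes in `AUTH_CODES` are constructed placeholders.

```python
import secrets
from typing import Dict, List, Optional, Tuple

# HTTP status per error code: everything is 400 except invalid_client, which is 401 (see the list above)
ERROR_STATUS = {
    "invalid_request": 400,
    "invalid_client": 401,
    "invalid_grant": 400,
    "invalid_scope": 400,
    "unauthorized_client": 400,
    "unsupported_grant_type": 400,
}

ErrorResponse = Tuple[int, Dict[str, str], dict]


def error_response(error: str, description: Optional[str] = None, uri: Optional[str] = None) -> ErrorResponse:
    """Build (status, headers, body) for a token endpoint error; the body is what json.dumps() would serialize."""
    if error not in ERROR_STATUS:
        raise ValueError(f"not a token endpoint error code: {error}")
    if description is not None and not description.isascii():
        raise ValueError("error_description must be ASCII only")
    body = {"error": error}
    if description is not None:
        body["error_description"] = description
    if uri is not None:
        body["error_uri"] = uri
    headers = {"Content-Type": "application/json", "Cache-Control": "no-store"}
    return ERROR_STATUS[error], headers, body


SUPPORTED_GRANTS = {"authorization_code", "password", "client_credentials", "refresh_token"}

# Constructed client registry and issued authorization codes (hypothetical values)
CLIENTS = {
    "app1": {"secret": "s3cret", "grants": {"authorization_code", "refresh_token"}, "scopes": {"read", "create"}},
    "svc": {"secret": "svc-secret", "grants": {"client_credentials"}, "scopes": {"read"}},
}
AUTH_CODES = {
    "code123": {"client_id": "app1", "redirect_uri": "https://app.example/cb", "expires_at": 2000.0},
}


def validate_token_request(form: Dict[str, List[str]], now: float) -> Optional[ErrorResponse]:
    """Return None when the request passes every check, else the matching error response.

    `form` is the parsed body as name -> list of values so repeated parameters stay visible.
    """
    for name, values in form.items():
        if len(values) != 1:
            return error_response("invalid_request", f"Parameter '{name}' must appear exactly once.")
    p = {name: values[0] for name, values in form.items()}

    grant = p.get("grant_type")
    if grant is None:
        return error_response("invalid_request", "Request was missing the 'grant_type' parameter.")
    if grant not in SUPPORTED_GRANTS:
        # An unknown grant type gets its own code rather than invalid_request
        return error_response("unsupported_grant_type", f"Grant type '{grant}' is not supported.")

    client = CLIENTS.get(p.get("client_id", ""))
    supplied = p.get("client_secret", "")
    # Constant-time comparison; compare against a dummy of equal length when the client is unknown
    expected = client["secret"] if client is not None else "x" * len(supplied)
    secret_ok = secrets.compare_digest(expected.encode(), supplied.encode())
    if client is None or not secret_ok:
        return error_response("invalid_client", "Client authentication failed.")
    if grant not in client["grants"]:
        return error_response("unauthorized_client", f"This client may not use the '{grant}' grant.")

    if grant in ("password", "client_credentials"):
        requested = set(p.get("scope", "").split())
        if not requested <= client["scopes"]:
            return error_response("invalid_scope", "Requested scope is not allowed for this client.")

    if grant == "authorization_code":
        if "code" not in p:
            return error_response("invalid_request", "Request was missing the 'code' parameter.")
        issued = AUTH_CODES.get(p["code"])
        if (issued is None or issued["client_id"] != p["client_id"] or issued["expires_at"] <= now
                or issued["redirect_uri"] != p.get("redirect_uri")):
            # Unknown, expired, foreign and redirect-mismatched codes all map to invalid_grant
            return error_response("invalid_grant",
                                  "The authorization code is invalid, expired, or the redirect_uri does not match.")
    return None
```

Returning the same `invalid_grant` text for an unknown, expired or foreign code keeps the endpoint from confirming which codes exist; the descriptions are written for developers but, as noted above, stay short and safe to surface to end users.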
