[GH-ISSUE #636] getting OAuthSwiftError 11 with 400 and 401 status code with PKCE implementation #416

Open
opened 2026-03-03 16:48:30 +03:00 by kerem · 2 comments

Originally created by @bhaveshopenxcell on GitHub (Nov 27, 2020).
Original GitHub issue: https://github.com/OAuthSwift/OAuthSwift/issues/636

Originally assigned to: @phatblat on GitHub.

Description:

OAuthSwiftError 11 with 400 and 401 status code in PKCE method

OAuth Provider? (custom server):

OAuth Version:

  • Version 2

OS (Please fill the version) :

  • iOS :

Installation method:

  • [x] CocoaPods

Library version:

  • v2.1.0

Xcode version:

  • 12.1 (Swift 5.2)
  • 11.3 (Swift 5)

requestError :- Error Domain=OAuthSwiftError Code=401 "The refresh token is invalid." UserInfo={OAuthSwiftError.response.data={length = 41, bytes = 0x7b226572 726f7222 3a225468 65207265 ... 76616c69 642e227d }, NSLocalizedDescription=The refresh token is invalid., Response-Headers={
"Cache-Control" = "no-store, no-cache, must-revalidate";
Connection = close;
"Content-Type" = "application/json; charset=UTF-8";
Date = "Fri, 27 Nov 2020 11:17:15 GMT";
Expires = "Thu, 19 Nov 1981 08:52:00 GMT";
Pragma = "no-cache";
Server = nginx;
"Set-Cookie" = "PWRD=8f47b5160c4a380aabd4bd3f25ecc323; expires=Sat, 28-Nov-2020 12:17:15 GMT; Max-Age=90000; path=/; domain=.arcgames.com";
"X-Domain" = "oauth.arcgames.com";
"X-ServerID" = "scweb04.pwedc.local";
}, NSErrorFailingURLKey=https://oauth.arcgames.com/token, OAuthSwiftError.response=<NSHTTPURLResponse: 0x600001c8a6e0> { URL: https://oauth.arcgames.com/token } { Status Code: 401, Headers {
"Cache-Control" = (
"no-store, no-cache, must-revalidate"
);
Connection = (
close
);
"Content-Type" = (
"application/json; charset=UTF-8"
);
Date = (
"Fri, 27 Nov 2020 11:17:15 GMT"
);
Expires = (
"Thu, 19 Nov 1981 08:52:00 GMT"
);
Pragma = (
"no-cache"
);
Server = (
nginx
);
"Set-Cookie" = (
"PWRD=8f47b5160c4a380aabd4bd3f25ecc323; expires=Sat, 28-Nov-2020 12:17:15 GMT; Max-Age=90000; path=/; domain=.arcgames.com"
);
"X-Domain" = (
"oauth.arcgames.com"
);
"X-ServerID" = (
"scweb04.pwedc.local"
);
} }, Response-Body={"error":"The refresh token is invalid."}} https://oauth.arcgames.com/token
load url https://oauth.arcgames.com/authorize?client_id=&redirect_uri=pwe://oauth2redirect&response_type=code&scope=id%20email&state=721&code_challenge=7SpRIIXzmVQtQ5t0xBFHIs-lduzRy4d9A5nbKxd7CKU&code_challenge_method=S256&Device-Id=997A05E0-1C16-4B83-99B0-BBEC3925CED9&theme=passportmobile
844.0 390.0
url.scheme Optional("https")
url Optional(https://oauth.arcgames.com/authorize?client_id=&redirect_uri=pwe://oauth2redirect&response_type=code&scope=id%20email&state=721&code_challenge=7SpRIIXzmVQtQ5t0xBFHIs-lduzRy4d9A5nbKxd7CKU&code_challenge_method=S256&Device-Id=997A05E0-1C16-4B83-99B0-BBEC3925CED9&theme=passportmobile)
url.scheme Optional("https")
url Optional(https://oauth.arcgames.com/authorize?client_id=******&redirect_uri=pwe://oauth2redirect&response_type=code&scope=id%20email&state=721&code_challenge=7SpRIIXzmVQtQ5t0xBFHIs-lduzRy4d9A5nbKxd7CKU&code_challenge_method=S256&Device-Id=997A05E0-1C16-4B83-99B0-BBEC3925CED9&theme=passportmobile)

url Optional(pwe://oauth2redirect?code=def50200d65cd8b06ede2df268e7eef66f14dda4e430d07e777dfc1c8edc069e3811aef496e94b51c6fc7591be3566712038807d0e64f1c5627ba663a238a9c71189de6861a1e7fc5880b65c36dba66139aad5acf9cc4fe0a325c2a04eb9660fbd6aeec414bae07a7b1a9e3ffdf10b7a9d80d69cd90e0be91477c64e3fe03cb02a10bef0c89076f0eadac1d343a47eb2683a2dd882facf5b6c4d82b6b5eec95358715ec135edd7bf53c9363189ff617834699fb48ecae2b557ab838543032dc7de76559c0522a24fcfb84ee0949d68bb95cc0ccda44b7a7ef1ad7edd05bf623514ff69f8f57f961f9d63148ae4cbd006c2c8eab21adae62bacf53d76f2e4741884b54acf65254d8476eb37acca8bf28aec500d6256ca2f9788ea79506c4437cfa45158aade8221d91102caf222ff95630a4f53818f8086c0e7cc47c6a9ddbf722cac5996d569321d588bacd5a1745f2e5642499c378ca34d1005e9bf4773ac59235238e1dc29b055d81c89121faf992d956b540ce9f83ffcd66bb6ba4fd573ec822be1e50bb8c80cb5e4c1cc2255eb4d7dfefe5829a2c2ba86eba9ce06d0e7171819516fc7ebe0&state=721)

requestError :- Error Domain=OAuthSwiftError Code=400 "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client." UserInfo={OAuthSwiftError.response=<NSHTTPURLResponse: 0x600001c246e0> { URL: https://oauth.arcgames.com/token } { Status Code: 400, Headers {
"Cache-Control" = (
"no-store, no-cache, must-revalidate"
);
Connection = (
close
);
"Content-Type" = (
"application/json; charset=UTF-8"
);
Date = (
"Fri, 27 Nov 2020 11:17:38 GMT"
);
Expires = (
"Thu, 19 Nov 1981 08:52:00 GMT"
);
Pragma = (
"no-cache"
);
Server = (
nginx
);
"Set-Cookie" = (
"PWRD=6180f4f0a86770cf25c2c4e0db0ca263; expires=Sat, 28-Nov-2020 12:17:37 GMT; Max-Age=90000; path=/; domain=.arcgames.com"
);
"X-Domain" = (
"oauth.arcgames.com"
);
"X-ServerID" = (
"scweb16v.pwedc.local"
);
} }, NSErrorFailingURLKey=https://oauth.arcgames.com/token, OAuthSwiftError.response.data={length = 249, bytes = 0x7b226572 726f7222 3a225468 65207072 ... 6c69656e 742e227d }, Response-Body={"error":"The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."}, NSLocalizedDescription=The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client., Response-Headers={
"Cache-Control" = "no-store, no-cache, must-revalidate";
Connection = close;
"Content-Type" = "application/json; charset=UTF-8";
Date = "Fri, 27 Nov 2020 11:17:38 GMT";
Expires = "Thu, 19 Nov 1981 08:52:00 GMT";
Pragma = "no-cache";
Server = nginx;
"Set-Cookie" = "PWRD=6180f4f0a86770cf25c2c4e0db0ca263; expires=Sat, 28-Nov-2020 12:17:37 GMT; Max-Age=90000; path=/; domain=.arcgames.com";
"X-Domain" = "oauth.arcgames.com";
"X-ServerID" = "scweb16v.pwedc.local";
}} https://oauth.arcgames.com/token

Sometimes getting response code 400

When I log out from the app and clean the browser data, then try to log in again, I get the error below, so maybe it is related to PKCE. When I try again with the same email and password it works, so I am a little bit confused here because sometimes it works and sometimes it does not. Below are the details for the first try (failed) and second try (success) responses. Kindly review them and let us know if anything is wrong with the request.

FIRST TRY >>>
Auth request >>
https://oauth.arcgames.com/authorize?client_id=*********&redirect_uri=pwe://oauth2redirect&response_type=code&scope=id%20email&state=47&code_challenge_method=S256&code_challenge=Ey1y4uauuED6fc-kvTo8dtG9uHth6rq7sWebMOinyHw&theme=passportmobile&Device-Id=997A05E0-1C16-4B83-99B0-BBEC3925CED9)

Authorization code >>

pwe://oauth2redirect?code=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&state=47)

Error >>
Error Domain=OAuthSwiftError Code=400 “The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.” UserInfo={Response-Headers={
“Cache-Control” = “no-store, no-cache, must-revalidate”;
Connection = close;
“Content-Type” = “application/json; charset=UTF-8”;
Date = “Mon, 23 Nov 2020 12:24:44 GMT”;
Expires = “Thu, 19 Nov 1981 08:52:00 GMT”;
Pragma = “no-cache”;
Server = nginx;
“Set-Cookie” = “PWRD=d992e1b19a11c2e637d22b724e01c4ed; expires=Tue, 24-Nov-2020 13:24:43 GMT; Max-Age=90000; path=/; domain=.arcgames.com”;
“X-Domain” = “oauth.arcgames.com”;
“X-ServerID” = “scweb03.pwedc.local”;
}, OAuthSwiftError.response=<NSHTTPURLResponse: 0x600000eec800> { URL: https://oauth.arcgames.com/token } { Status Code: 400, Headers {
“Cache-Control” = (
“no-store, no-cache, must-revalidate”
);
Connection = (
close
);
“Content-Type” = (
“application/json; charset=UTF-8"
);
Date = (
“Mon, 23 Nov 2020 12:24:44 GMT”
);
Expires = (
“Thu, 19 Nov 1981 08:52:00 GMT”
);
Pragma = (
“no-cache”
);
Server = (
nginx
);
“Set-Cookie” = (
“PWRD=d992e1b19a11c2e637d22b724e01c4ed; expires=Tue, 24-Nov-2020 13:24:43 GMT; Max-Age=90000; path=/; domain=.arcgames.com”
);
“X-Domain” = (
“oauth.arcgames.com”
);
“X-ServerID” = (
“scweb03.pwedc.local”
);
} }, OAuthSwiftError.response.data={length = 249, bytes = 0x7b226572 726f7222 3a225468 65207072 ... 6c69656e 742e227d }, NSLocalizedDescription=The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client., Response-Body={“error”:“The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.“}, NSErrorFailingURLKey=https://oauth.arcgames.com/token} https://oauth.arcgames.com/token
The operation couldn’t be completed. (OAuthSwiftError error -11.)

SECOND TRY >>>>

Auth request >>
https://oauth.arcgames.com/authorize?client_id=*********&redirect_uri=pwe://oauth2redirect&response_type=code&scope=id%20email&state=735&code_challenge=maXTf5gPffSMMRdXPk-43DwQL1ptJRNDouIAjLkGbHY&Device-Id=997A05E0-1C16-4B83-99B0-BBEC3925CED9&code_challenge_method=S256&theme=passportmobile

Authorization code >>
pwe://oauth2redirect?code=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&state=735

Success Response
parameters:- [“refresh_token”: def50200c55f1f5255d4e4a7aa752ff29eb438ec0833ad8f3c53d688882091487a06ed55cbd61db0dc933ba1c6c1bcde09b5315de4da839fcd64506ef8b0ab06e614061535a6f9e7e05d0a302cc7b5d45fcc1d0c8ec1c4d7afe4eede7f8b9abd318ef4be3ca3c7eb124674b0ff7a1566f17a5d16ff930b3af8062a6f7613a4163700ae14b3ae6e61448dd2ea4aa53c72c5ca662fb73bd1729fdcdf3adefb2b00e8376c99811b456514df21885b083444e51786c2db92db6f897879cd12941563e1081a8176fac7ee0d7e051c9ef3d7b9127144ecb5c245f9e3323496394350ed1cfcb190cba435b48d3f475089f84dbc6739734b4ca389491bcce0123bf1edbbb1e1d07da82e9345868a8aa352c07d9c2356a18d3db12139edabdc2a1d6bb45035f704dd6a59cb1ad36361c1324715bcf8502636afeceb60002b3e29ab43dc3d539fec4c404916c4809f816e10da876336720ec8c672c991422aecf629fd7534da25f2b31bf2604e3e4fe468e29c99a7a0a6518b086a5b02e8bf61e96360cd19c5a84351273a918b0eb6, “token_type”: Bearer, “expires_in”: 10800, “access_token”: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJwdy1wYXNzcG9ydC1tb2JpbGUtZGV2IiwianRpIjoiNDc4NjAyY2UxNzBjY2NiNmYwOWIzN2E1ZTEyYTVjZTIxN2E3MmM3MWIzNWY4NTAwYjQ1YWI3YjhiZWY2YjhmNDYwMWFiYmEzNmFhMWY4MDQiLCJpYXQiOjE2MDYxMzQzMTQsIm5iZiI6MTYwNjEzNDMxNCwiZXhwIjoxNjA2MTQ1MTE0LCJzdWIiOiIxMjg4MzIxNjUiLCJzY29wZXMiOlsiaWQiLCJlbWFpbCJdfQ.R6YQjYxv4xcStUU2WZ09VSVWb2OX_h-oJ9isdpBhVHz8RWcRCcxgMbYNh1I3Vjb2eQAccaWuIVUv3B6qoH0_sYQmh43RUjge2HkZJfRJVPvhKbV__3iA__EKiA8ypm_iY5v6VkKoVJ-s75AsaZOxXtAYKOLYxKbu9u0S7d3Z3RLdDA_J9bVS8rCXH4uvNGDZkCuiZr9M7mCVZSVSTbcJ4ns2CxG_uwnn9ERRwVCr_HweH-PQVJTCMFxmPPh1cCqCJwwHSHvv0PhCZDyG09DJq17w4_lOnqeT-R6jxnGsqEcbO49Q7q4ou9vEu0YPC4Q-kpuAkPOErTNNNPzAFNX8rA]


@phatblat commented on GitHub (May 5, 2021):

Wow, that's a lot to read through, but a fantastic amount of detail! Intermittent issues are such a pain.

Let me see if I understand what's detailed above.

  1. HTTP 401: "The refresh token is invalid."
    • NSErrorFailingURLKey = https://oauth.arcgames.com/token
    • This error is expected if the saved refresh token had expired or been revoked.
  2. https://oauth.arcgames.com/authorize
    • ?client_id=*********
    • &redirect_uri=pwe://oauth2redirect
    • &response_type=code
    • &scope=id%20email
    • &state=721
    • &code_challenge_method=S256
    • &code_challenge= 7SpRIIXzmVQtQ5t0xBFHIs-lduzRy4d9A5nbKxd7CKU
    • &Device-Id=997A05E0-1C16-4B83-99B0-BBEC3925CED9
    • &theme=passportmobile
  3. pwe://oauth2redirect?code=...&state=721
    • Was this a 302 redirect with the above custom scheme redirect URL?
  4. PUT?

    Error Domain=OAuthSwiftError Code=400 "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.
    The operation couldn’t be completed. (OAuthSwiftError error -11.)

  5. logout from the app and clean browser data

FIRST TRY

  1. https://oauth.arcgames.com/authorize
    • ?client_id=*********
    • &redirect_uri=pwe://oauth2redirect
    • &response_type=code
    • &scope=id%20email
    • &state=47
    • &code_challenge_method=S256
    • &code_challenge= Ey1y4uauuED6fc-kvTo8dtG9uHth6rq7sWebMOinyHw
    • &Device-Id=997A05E0-1C16-4B83-99B0-BBEC3925CED9
    • &theme=passportmobile
  2. pwe://oauth2redirect?code=...&state=47
  3. PUT? https://oauth.arcgames.com/token

    Status Code: 400 Error Domain=OAuthSwiftError Code=400 “The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.”

SECOND TRY

  1. https://oauth.arcgames.com/authorize
    • ?client_id=*********
    • &redirect_uri=pwe://oauth2redirect
    • &response_type=code
    • &scope=id%20email
    • &state=735
    • &code_challenge_method=S256
    • &code_challenge= maXTf5gPffSMMRdXPk-43DwQL1ptJRNDouIAjLkGbHY
    • &Device-Id=997A05E0-1C16-4B83-99B0-BBEC3925CED9
    • &theme=passportmobile
  2. pwe://oauth2redirect?code=...&state=735
  3. PUT https://oauth.arcgames.com/token
  4. Success
    • "refresh_token": ...
    • "token_type": Bearer
    • "expires_in": 10800,
    • "access_token": (decoded)
{
  "aud": "pw-passport-mobile-dev",
  "jti": "478602ce170cccb6f09b37a5e12a5ce217a72c71b35f8500b45ab7b8bef6b8f4601abba36aa1f804",
  "iat": 1606134314,
  "nbf": 1606134314,
  "exp": 1606145114,
  "sub": "128832165",
  "scopes": [
    "id",
    "email"
  ]
}

Does it always fail with a 400 on the first auth attempt after logout and cleaning Safari data?

The error message lists a few things that could be causing the error.

  • authorization grant (e.g., authorization code, resource owner credentials) or
  • refresh token
  • redirection URI
  • ... was issued to another client.

If there was a problem with the authorization code, that would be an issue on the server that created it (unless there's some encoding error happening to the redirect URL). The refresh token isn't being passed in the token call so I'm not sure why it's mentioned. Your redirect_uri looks the same each time it appears.

The last bit about something being issued to another client could be a clue that your IdP couldn't match up the token endpoint call to the previous authorization endpoint call.

Could you take a close look at the code_verifier values that are sent to the token endpoint? If somehow that value was encoded wrong or had invalid characters, that could explain the error.
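The check suggested in this comment, that the code_verifier sent to the token endpoint is well formed and actually hashes to the code_challenge sent to /authorize, can be scripted. The block below is an added example, not OAuthSwift code and not from the thread; it is written in Python rather than Swift so it can be run stand-alone against values copied out of a debug log. The three challenge values it lints are the ones from the authorize URLs above, and the known-good verifier/challenge pair is the test vector from RFC 7636 Appendix B.

```python
import base64
import hashlib
import re
import secrets

# code_challenge values copied from the three /authorize URLs in this issue.
PAGE_CHALLENGES = [
    "7SpRIIXzmVQtQ5t0xBFHIs-lduzRy4d9A5nbKxd7CKU",
    "Ey1y4uauuED6fc-kvTo8dtG9uHth6rq7sWebMOinyHw",
    "maXTf5gPffSMMRdXPk-43DwQL1ptJRNDouIAjLkGbHY",
]

# Known-good pair from RFC 7636 Appendix B (not from the issue).
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"

# RFC 7636 4.1: code_verifier is 43..128 chars from the unreserved set.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")
# BASE64URL of a 32-byte SHA-256 digest is exactly 43 chars with no padding.
_CHALLENGE_RE = re.compile(r"^[A-Za-z0-9\-_]{43}$")


def b64url_nopad(data: bytes) -> str:
    """base64url encoding with the '=' padding stripped, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier(nbytes: int = 32) -> str:
    """Generate a verifier the way RFC 7636 suggests: 32 random octets, base64url."""
    return b64url_nopad(secrets.token_bytes(nbytes))


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) for method S256."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def lint_verifier(verifier: str) -> list:
    """Reasons a strict token endpoint would reject this verifier (empty list = fine)."""
    problems = []
    if not _VERIFIER_RE.match(verifier):
        problems.append("verifier must be 43-128 chars of [A-Za-z0-9-._~]")
    if any(ch in verifier for ch in "=+/"):
        problems.append("looks like standard or padded base64; PKCE needs base64url without '='")
    if "%" in verifier:
        problems.append("verifier looks percent-encoded; send the raw value in the form body")
    return problems


def lint_challenge(challenge: str) -> list:
    """Reasons an S256 challenge is malformed (empty list = fine)."""
    if not _CHALLENGE_RE.match(challenge):
        return ["S256 challenge must be exactly 43 base64url chars without padding"]
    return []


def verify_pair(verifier: str, challenge: str) -> bool:
    """What the token endpoint does for S256: recompute the challenge and compare."""
    return secrets.compare_digest(s256_challenge(verifier), challenge)


if __name__ == "__main__":
    for c in PAGE_CHALLENGES:
        print(c, lint_challenge(c) or "ok")
    v = make_verifier()
    print("fresh pair verifies:", verify_pair(v, s256_challenge(v)))
    print("RFC 7636 vector verifies:", verify_pair(RFC7636_VERIFIER, RFC7636_CHALLENGE))
```

Paste the verifier and challenge from one failed attempt into `lint_verifier`/`verify_pair`; a mismatch or a lint hit points at the client, a clean pass points at the server side of the correlation.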


@phatblat commented on GitHub (May 5, 2021):

What product or IdP service are you using for your OAuth server? It looks a bit odd that several responses are setting the PWRD cookie.

"Set-Cookie" = "PWRD=8f47b5160c4a380aabd4bd3f25ecc323; expires=Sat, 28-Nov-2020 12:17:15 GMT; Max-Age=90000; path=/; domain=.arcgames.com"
"Set-Cookie" = "PWRD=6180f4f0a86770cf25c2c4e0db0ca263; expires=Sat, 28-Nov-2020 12:17:37 GMT; Max-Age=90000; path=/; domain=.arcgames.com"
“Set-Cookie” = “PWRD=d992e1b19a11c2e637d22b724e01c4ed; expires=Tue, 24-Nov-2020 13:24:43 GMT; Max-Age=90000; path=/; domain=.arcgames.com”

This makes it look like OAuthSwift isn't returning cookies that are set by the server. If your server/service requires this cookie to be present on subsequent requests throughout the authorization code flow, then maybe this is why it isn't able to match up the authorization and token requests.
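One way to test the cookie hypothesis in this comment is to simulate what a compliant cookie jar would do with the PWRD Set-Cookie headers quoted above and see which cookie it would attach to the token request at the time of the 400 response; comparing that with what the app actually sends on the wire shows whether the cookie is being dropped. The block below is an added example, not OAuthSwift code and not from the thread. The Set-Cookie values and response Date headers are the ones from the issue; the token-call time is taken from the second response's Date header, and the origin host is the one the responses came from.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import urlsplit

# Set-Cookie headers quoted in the thread, each paired with the Date header of the
# https://oauth.arcgames.com/token response that carried it (values copied from the issue).
ORIGIN_HOST = "oauth.arcgames.com"
TOKEN_URL = "https://oauth.arcgames.com/token"
PAGE_RESPONSES = [
    ("Fri, 27 Nov 2020 11:17:15 GMT",
     "PWRD=8f47b5160c4a380aabd4bd3f25ecc323; expires=Sat, 28-Nov-2020 12:17:15 GMT; "
     "Max-Age=90000; path=/; domain=.arcgames.com"),
    ("Fri, 27 Nov 2020 11:17:38 GMT",
     "PWRD=6180f4f0a86770cf25c2c4e0db0ca263; expires=Sat, 28-Nov-2020 12:17:37 GMT; "
     "Max-Age=90000; path=/; domain=.arcgames.com"),
]

# Both date shapes seen above: RFC 1123 in the Date header, RFC 850 style in expires=.
_DATE_FORMATS = ("%a, %d %b %Y %H:%M:%S GMT", "%a, %d-%b-%Y %H:%M:%S GMT")


def parse_http_date(text: str) -> datetime:
    for fmt in _DATE_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised HTTP date: %r" % text)


def parse_set_cookie(header: str, response_date: datetime) -> dict:
    """Split a Set-Cookie header into name/value and the scoping attributes of RFC 6265."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(),
              "domain": None, "path": "/", "expires": None}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain":
            cookie["domain"] = val.lstrip(".").lower()   # leading dot is ignored (5.2.3)
        elif key == "path" and val.startswith("/"):
            cookie["path"] = val
        elif key == "max-age":
            # Max-Age takes precedence over Expires when both are present (5.3 step 6).
            cookie["expires"] = response_date + timedelta(seconds=int(val))
        elif key == "expires" and cookie["expires"] is None:
            cookie["expires"] = parse_http_date(val)
    return cookie


def domain_matches(host: str, cookie_domain: Optional[str], origin_host: str) -> bool:
    if cookie_domain is None:
        return host == origin_host            # host-only cookie
    return host == cookie_domain or host.endswith("." + cookie_domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookies_for_request(url: str, now: datetime, responses=PAGE_RESPONSES,
                        origin_host: str = ORIGIN_HOST) -> dict:
    """Cookies a compliant jar would send with `url` at time `now`: latest unexpired
    value per name whose domain and path match. Later Set-Cookie replaces earlier."""
    parsed = urlsplit(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path or "/"
    jar = {}
    for date_text, header in responses:
        c = parse_set_cookie(header, parse_http_date(date_text))
        if not domain_matches(host, c["domain"], origin_host):
            continue
        if not path_matches(path, c["path"]):
            continue
        if c["expires"] is not None and c["expires"] <= now:
            continue
        jar[c["name"]] = c["value"]
    return jar


if __name__ == "__main__":
    at_token_call = parse_http_date("Fri, 27 Nov 2020 11:17:38 GMT")
    print("expected Cookie header on token call:",
          cookies_for_request(TOKEN_URL, at_token_call))
```

When the authorize step runs in an in-app browser session, its cookie store is separate from the app's own URLSession store, so a cookie set during authorization is not automatically available to the token request even when the jar above says it should be.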
