[Stripe Connect] "Authorization code has already been used" error


Xuan Wu

Oct 29, 2014, 8:44:15 PM
to api-d...@lists.stripe.com
Hi,

I'm new to Stripe Connect, and am trying to build a marketplace.

I have a button for the vendors to connect to Stripe when they're logged in.  When the button is clicked, it leads to connect.stripe.com/oauth/authorize.  After bypassing the registration form (since I'm in dev mode), I get redirected to my callback with a code (which I have verified changes each time I try to connect via oauth).  However, when I tried to issue the POST request to get the access token using this code, I get an invalid grant error with the following description:

This authorization code has already been used. All tokens issued with this code have been revoked.

I'm using the following line in my Rails omniauth callback controller:

@stripe_code = params[:code]

# Shell out to curl for the code-for-token exchange and parse the JSON reply.
# Shellwords.escape keeps the interpolated values from being parsed by the shell.
require 'shellwords'
customer = ActiveSupport::JSON.decode(`curl -X POST https://connect.stripe.com/oauth/token -d client_secret=#{Shellwords.escape(ENV['STRIPE_SECRET_KEY'])} -d code=#{Shellwords.escape(@stripe_code)} -d grant_type=authorization_code`)

I feel like I'm missing something very obvious...

Thanks in advance!
Xuan

Devin Ceartas

Oct 29, 2014, 9:36:51 PM
to api-d...@lists.stripe.com
> --
> You received this message because you are subscribed to the Google
> Groups "Stripe API Discussion" group.
> To post to this group, send email to api-d...@lists.stripe.com.
> Visit this group at
> http://groups.google.com/a/lists.stripe.com/group/api-discuss/.
>
> To unsubscribe from this group and stop receiving emails from it, send
> an email to api-discuss...@lists.stripe.com.

So is STRIPE_SECRET_KEY getting set to the key returned from the call by
connect.stripe.com/oauth/authorize each time? Can you log the literal
text in that cURL call instead of passing it to Rails, then copy/paste it
and try the cURL from the command line?


devin
--
contact info: http://nacredata.com/devin
gpg public key: http://www.nacredata.com/public_key.txt
Use unique, strong passwords! https://www.nacredata.com/password.php

Brian Krausz

Oct 29, 2014, 9:54:42 PM
to api-d...@lists.stripe.com
Hi Xuan,

Stripe returns that error message the second time a call to /oauth/token is made with the same authorization code. If you make the same curl request twice, it will stop the key from working.

Are you possibly issuing the request multiple times (perhaps by refreshing the page)?

Thanks,
Brian

--
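The single-use rule Brian describes is standard OAuth 2.0 behaviour (RFC 6749, section 4.1.2: a code presented more than once must be rejected, and the server should revoke every token it previously issued for that code). The following is an added example, not Stripe's code or anything from this thread: a minimal in-memory authorization-server model that enforces that rule, so the "already been used" error and the revocation that accompanies it can be reproduced offline. The code and token formats it generates are constructed placeholders, not Stripe's.

```ruby
# Added example (not Stripe's implementation): an in-memory model of how an
# OAuth 2.0 authorization server treats authorization codes as single-use
# and revokes previously issued tokens when a code is presented twice.
require 'securerandom'

class AuthCodeStore
  CodeReused = Class.new(StandardError)

  def initialize
    @codes  = {} # code => { account:, used:, tokens: [] }
    @tokens = {} # access token => { account:, revoked: }
  end

  # Issued to the client's redirect_uri after the user approves the connection.
  # The "ac_" prefix is a constructed placeholder format.
  def issue_code(account_id)
    code = "ac_#{SecureRandom.hex(8)}"
    @codes[code] = { account: account_id, used: false, tokens: [] }
    code
  end

  # The /oauth/token exchange. The first call succeeds; any later call with the
  # same code fails and revokes every token the earlier call produced.
  def exchange(code)
    entry = @codes.fetch(code) { raise ArgumentError, 'invalid_grant: unknown code' }
    if entry[:used]
      entry[:tokens].each { |t| @tokens[t][:revoked] = true }
      raise CodeReused, 'invalid_grant: This authorization code has already been used. ' \
                        'All tokens issued with this code have been revoked.'
    end
    entry[:used] = true
    token = "tok_#{SecureRandom.hex(12)}" # constructed placeholder format
    @tokens[token] = { account: entry[:account], revoked: false }
    entry[:tokens] << token
    token
  end

  def token_valid?(token)
    t = @tokens[token]
    !t.nil? && !t[:revoked]
  end
end

# Walks through the sequence from the thread: one exchange works, a second
# exchange of the same code (a refreshed callback page, a retried curl) fails
# and invalidates the token from the first exchange.
def demo_double_exchange
  store = AuthCodeStore.new
  code  = store.issue_code('acct_constructed')
  token = store.exchange(code)
  valid_before = store.token_valid?(token)
  begin
    store.exchange(code)
    second = :unexpected_success
  rescue AuthCodeStore::CodeReused => e
    second = e.message
  end
  { valid_before: valid_before, second: second, valid_after: store.token_valid?(token) }
end

p demo_double_exchange if __FILE__ == $PROGRAM_NAME
```

The practical consequence for a client is that the first successful exchange is the only one: whatever component performs it (here, OmniAuth) must be the one that stores the token, and a second exchange does not just fail but also destroys the token that was already working.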

Xuan Wu

Oct 30, 2014, 1:10:35 AM
to api-d...@lists.stripe.com
Hi Devin,

Thanks for the quick response.  I may be missing something here, but I thought that connect.stripe.com/oauth/authorize only returned code as the parameter, and not also a secret key.  The secret key used for the curl call, according to the docs here (https://stripe.com/docs/connect/oauth), is my Test Secret Key.

As you suggested, I outputted the literal text, and then c/p it into the command line, and get the same error.

Xuan

Xuan Wu

Oct 30, 2014, 1:12:22 AM
to api-d...@lists.stripe.com
Hi Brian,

Thanks for your suggestion.  I did what Devin asked me to do above (which is to prevent Rails from calling curl, and just copy and paste the command into my terminal), and still got the same error, so I don't think it's a duplicate request issue.

Any other suggestions appreciated.

Thanks,
Xuan

Vladimir Andrijevik

Oct 30, 2014, 5:02:47 AM
to api-d...@lists.stripe.com
Hi Xuan,

You mentioned that you have that code running in your Omniauth callback controller. Does this mean you are using an OAuth2 strategy within Omniauth (such as https://github.com/intridea/omniauth-oauth2 or something that builds on it)?

If you are doing that, Omniauth already does the auth_code to access_token exchange for you, as you can see on https://github.com/intridea/omniauth-oauth2/blob/master/lib/omniauth/strategies/oauth2.rb#L75 which calls https://github.com/intridea/omniauth-oauth2/blob/master/lib/omniauth/strategies/oauth2.rb#L91-L94

Therefore, Omniauth uses up your auth_code before you make your curl request, which is why you are getting the error you mentioned.

If you are doing this in Ruby, I strongly suggest against parsing JSON that you get by running curl in a separate process (like in your code example), and instead recommend using an OAuth2 library, as shown on https://stripe.com/docs/connect/oauth#sample-code. Alternatively, you can use Omniauth with an OAuth2 based strategy, depending on which of these better suits your workflow.

Hope this helps!

Cheers,
Vlad

Xuan Wu

Nov 1, 2014, 11:38:06 PM
to api-d...@lists.stripe.com
Hi Vlad,

Sorry, I didn't get the chance to look into your answer until now.  Indeed, I was using the omniauth-stripe-connect gem for Rails, and now that you explained that Omniauth uses up the auth_code, my error and the code reference I was looking at make a lot of sense.  I'll try it out and post back my results and any clarifications for future people who stumble on this problem.

Thanks,
Xuan

Xuan Wu

Nov 2, 2014, 1:24:51 AM
to api-d...@lists.stripe.com
Good news: it seems to work.  For anyone using Rails and the omniauth-stripe-connect gem, it seems oauth does the curl call already, as Vlad said, and access_token is returned in request.env["omniauth.auth"]['credentials']['token'], and the publishable_key is returned in request.env["omniauth.auth"]['info']['stripe_publishable_key'].

I was just thrown off by all the different terminology used across the web: token, access_token, access_code.
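The two pieces of advice in this thread, Vlad's (let OmniAuth or an OAuth2 library do the exchange rather than parsing the output of a curl subprocess) and Xuan's closing note (read the token OmniAuth already obtained from request.env["omniauth.auth"]), are shown together below in an added example that is not code from the thread, from Stripe, or from the omniauth-stripe-connect gem. The auth-hash layout follows the keys named in the last message; the sample hash, the function names, and the sample key values are constructed for the example. Besides the risk of a double exchange, interpolating a request parameter into a backtick command is a shell-injection hazard, which is a second reason to use an HTTP client instead.

```ruby
# Added example, not from the thread, Stripe, or omniauth-stripe-connect.
# (1) read the credentials OmniAuth has already obtained, and (2) for code
# that does not use OmniAuth, build the token request with Net::HTTP instead
# of interpolating request parameters into a shell command.
require 'net/http'
require 'uri'
require 'json'

STRIPE_TOKEN_URL = 'https://connect.stripe.com/oauth/token'.freeze

# Constructed sample of what omniauth-stripe-connect leaves in the Rack env,
# using the keys named in the thread; the values are placeholders.
SAMPLE_ENV = {
  'omniauth.auth' => {
    'uid'         => 'acct_constructed',
    'credentials' => { 'token' => 'sk_test_constructed' },
    'info'        => { 'stripe_publishable_key' => 'pk_test_constructed' }
  }
}.freeze

# (1) By the time the callback action runs, OmniAuth has already exchanged the
# code, so the callback must NOT exchange it again. Returns the stored values
# or nil when the hash is missing or incomplete (fail closed rather than
# persisting a half-filled record).
def credentials_from_omniauth(env)
  auth = env['omniauth.auth']
  return nil unless auth.is_a?(Hash)
  token = auth.dig('credentials', 'token')
  pub   = auth.dig('info', 'stripe_publishable_key')
  return nil if token.nil? || pub.nil?
  { access_token: token, publishable_key: pub, stripe_user_id: auth['uid'] }
end

# (2) The POST from Stripe's OAuth docs, with the secret and code sent as
# form fields so no request value ever reaches a shell. The request is only
# built here, not sent, so it can be inspected offline.
def build_token_request(client_secret, code)
  uri = URI(STRIPE_TOKEN_URL)
  req = Net::HTTP::Post.new(uri)
  req.set_form_data('client_secret' => client_secret,
                    'code'          => code,
                    'grant_type'    => 'authorization_code')
  [uri, req]
end

# Sends the request (network access required) and raises on an OAuth error
# such as invalid_grant instead of returning an error body as if it were a token.
def exchange_code(client_secret, code)
  uri, req = build_token_request(client_secret, code)
  res  = Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |h| h.request(req) }
  body = JSON.parse(res.body)
  raise "#{body['error']}: #{body['error_description']}" if body['error']
  body
end

if __FILE__ == $PROGRAM_NAME
  p credentials_from_omniauth(SAMPLE_ENV)
  uri, req = build_token_request('sk_test_constructed', 'ac_constructed')
  puts "POST #{uri} #{req['Content-Type']} #{req.body}"
end
```

Use one path or the other, never both: with an OmniAuth strategy, only credentials_from_omniauth applies; without one, exchange_code is called exactly once per code and its result is persisted immediately, since a retry after a successful exchange revokes the token that was just issued.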