invalid grant


Vyshnu Nadiminti

Jan 11, 2023, 1:00:34 AM
to Developer Group for CMS Blue Button API
Hi,
For the token request I am getting a data: { error: 'invalid_grant' } response.

<clientSecret> : my client secret
<clientId> : my client ID
<redirect> : my redirect URL

method: 'post',
url: 'https://sandbox.bluebutton.cms.gov/v2/o/token/',
data: 'grant_type=authorization_code&code=trsjhArNxTcGUepTHPJRyPcYUzeTtZ&redirect_uri=<redirect>&client_id=<clientId>&client_secret=<clientSecret>'


Kirsten Hansen

Jan 11, 2023, 12:14:34 PM
to Developer Group for CMS Blue Button API
Hello Vyshnu,

The Blue Button API does not allow the client secret to be in the URL parameter. This is per OAuth 2.0 best practices and is related to improved security. Instead, this should be passed via the body (e.g. form data) and/or headers part of the request.

Here is an example curl command doing token refresh, where data is sent in the body of the request (not as query parameters):

curl -s -w "%{http_code}" -X POST "${BB_SERVER}/v1/o/token/" \
        -u "${BB_CLIENT_ID}:${BB_CLIENT_SECRET}" \
        -d "grant_type=refresh_token&client_id=${BB_CLIENT_ID}&refresh_token=${REFRESH_TOKEN}"

Thank you for your post,
The Blue Button 2.0 Team
Kirsten Hansen, Product Manager
Blue Button 2.0
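
Added example (not part of the thread, and not Blue Button's own code): the token request from the question rebuilt for Node.js 18+ the way the reply describes, with the client credentials in a Basic Authorization header and the grant parameters in the form body, never in the URL. Using Basic auth for the authorization_code grant (the curl example shows it for refresh_token) is an assumption; the function names are hypothetical and the credential values used with them are constructed placeholders.

```javascript
// Token endpoint taken from the original post.
const TOKEN_URL = 'https://sandbox.bluebutton.cms.gov/v2/o/token/';

// Build the request without sending it, so it can be inspected and tested.
function buildTokenRequest({ clientId, clientSecret, code, redirectUri }) {
  // Grant parameters go in a form-encoded body. URLSearchParams
  // percent-encodes values such as the redirect URI.
  const body = new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    redirect_uri: redirectUri,
    client_id: clientId, // mirrors the curl example; the secret is NOT here
  }).toString();

  // Client credentials go in an HTTP Basic header (what curl -u produces).
  const basic = Buffer.from(`${clientId}:${clientSecret}`).toString('base64');

  return {
    url: TOKEN_URL,
    method: 'POST',
    headers: {
      Authorization: `Basic ${basic}`,
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body,
  };
}

// Guard for unit tests or a pre-send check: true if the secret, raw or
// percent-encoded, appears anywhere in the request URL.
function secretInUrl(request, clientSecret) {
  return request.url.includes(clientSecret) ||
         request.url.includes(encodeURIComponent(clientSecret));
}

// Send the request with the global fetch and surface the OAuth error code
// (for example 'invalid_grant') instead of swallowing it.
async function exchangeCode(params) {
  const request = buildTokenRequest(params);
  if (secretInUrl(request, params.clientSecret)) {
    throw new Error('refusing to send: client secret found in URL');
  }
  const { url, ...init } = request;
  const res = await fetch(url, init);
  const json = await res.json();
  if (!res.ok) {
    throw new Error(`token endpoint returned ${res.status}: ${json.error}`);
  }
  return json;
}
```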