OAuth2 3LO Unable to exchange code for access token

I am having an issue trying to build an app around the 3LO OAuth2 flow.

I get the initial Authorization URL from my App page with the OAuth scopes of read:jira-user and read:jira-work. I get a URL back with a code in it. I then take the code and attempt to generate the access_token through Postman:

curl -X POST \
  https://auth.atlassian.com/oauth/token \
  -H 'Content-Type: application/json' \
  -H 'Postman-Token: eed93904-fed4-4592-8341-94a984fa527e' \
  -H 'X-Atlassian-Token: no-check' \
  -H 'cache-control: no-cache' \
  -d '{
	"grant_type":"authorization_code",
	"client_id:":"xxx",
	"client_secret":"xxx",
	"code":"xxx",
	"redirect_uri":"https://localhost:9998/jira"
}'

With the sensitive data removed above.

The response I get back from the server is a 401 with the following body:

{
    "error": "access_denied",
    "error_description": "Unauthorized"
}

What am I doing wrong? If I can’t get a proper OAuth2 token, I can’t start building my app.

Thanks

Jeff

@haskovec Thanks for reaching out. It took me a while to spot what was triggering the error you see. Your payload is mostly correct, apart from the client_id line where you have an extra colon in the key.

Here’s the command with the typo fixed:

curl -X POST \
  https://auth.atlassian.com/oauth/token \
  -H 'Content-Type: application/json' \
  -H 'Postman-Token: eed93904-fed4-4592-8341-94a984fa527e' \
  -H 'X-Atlassian-Token: no-check' \
  -H 'cache-control: no-cache' \
  -d '{
	"grant_type":"authorization_code",
	"client_id":"xxx",
	"client_secret":"xxx",
	"code":"xxx",
	"redirect_uri":"https://localhost:9998/jira"
}'

Let me know if this fixes it for you! I’ll meanwhile work with the team to provide more helpful error messages.

2 Likes

That totally fixed it for me, thank you so much!

I think when I get a 401 that isn’t intuitive for this situation. It feels like a better error would be a 400 so that I would know that there was something wrong with my request.

In any event I got a new code, scoped with read:jira_users, read:jira_work, and offline access and received back my access token and refresh token as expected.

Thank you so much for your help with this matter,

Jeffrey Haskovec

1 Like
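
A pre-flight check for the failure discussed in this thread, as an added example (not code from the original posts or from Atlassian): it validates the token-request body before it is sent, so a mistyped key such as "client_id:" is named locally instead of surfacing as a 401 access_denied. The field list is taken from the request shown above; the function name and the 0.8 similarity cutoff are assumptions, and the sample bodies are constructed from the thread's redacted payloads.

```python
import difflib
import json

# Fields sent in the authorization-code exchange shown in this thread.
REQUIRED = ("grant_type", "client_id", "client_secret", "code", "redirect_uri")


def check_token_request(body: str) -> list[str]:
    """Return problems found in a JSON token-request body.

    Only key names are reported, never values, so client_secret and the
    authorization code cannot leak into logs or terminal scrollback.
    """
    try:
        payload = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"body is not valid JSON: {exc.msg} at line {exc.lineno}"]
    if not isinstance(payload, dict):
        return ["body must be a JSON object"]

    unknown = [key for key in payload if key not in REQUIRED]
    problems = []
    for field in REQUIRED:
        if field not in payload:
            # Look for a near-miss key, e.g. one with trailing punctuation.
            close = difflib.get_close_matches(field, unknown, n=1, cutoff=0.8)
            hint = f" (found {close[0]!r}, probable typo)" if close else ""
            problems.append(f"missing {field}{hint}")
        elif not isinstance(payload[field], str) or not payload[field].strip():
            problems.append(f"{field} must be a non-empty string")
    return problems


# Constructed samples: the two request bodies from the thread, values redacted.
BROKEN = """{
    "grant_type": "authorization_code",
    "client_id:": "xxx",
    "client_secret": "xxx",
    "code": "xxx",
    "redirect_uri": "https://localhost:9998/jira"
}"""
FIXED = BROKEN.replace('"client_id:"', '"client_id"')

if __name__ == "__main__":
    for name, body in (("original", BROKEN), ("corrected", FIXED)):
        print(name, check_token_request(body) or "ok")
```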