401 with query access_token

I am getting a 401 from the /user endpoint when sending an access_token in the URI:

2016-06-11 12:51:01.969 DEBUG 3488 --- [io-8081-exec-10] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2016-06-11 12:51:01.970 DEBUG 3488 --- [io-8081-exec-10] o.s.s.web.DefaultRedirectStrategy        : Redirecting to 'https://api.twitch.tv/kraken/oauth2/authorize?client_id=xxxxxxxxxxxxxxxxxxxxxxx&redirect_uri=https://mydomain.com/login/twitch/&response_type=code&scope=user_read&state=8w8rUS'
[...]
2016-06-11 13:05:20.522 DEBUG 7876 --- [nio-8081-exec-4] g.c.AuthorizationCodeAccessTokenProvider : Retrieving token from https://api.twitch.tv/kraken/oauth2/token
2016-06-11 13:05:20.522 DEBUG 7876 --- [nio-8081-exec-4] g.c.AuthorizationCodeAccessTokenProvider : Encoding and sending form: {grant_type=[authorization_code], code=[ob17wzii3jqkwznb7v4n86aowv3o0r], redirect_uri=[https://mydomain.com/login/twitch/], client_id=[xxxxxxxxxxxxxx], client_secret=[xxxxxxxxxxxxxxx]}
2016-06-11 13:05:21.246  INFO 7876 --- [nio-8081-exec-4] o.s.b.a.s.o.r.UserInfoTokenServices      : Getting user info from: https://api.twitch.tv/kraken/user
2016-06-11 13:05:21.247 DEBUG 7876 --- [nio-8081-exec-4] o.s.s.oauth2.client.OAuth2RestTemplate   : Created GET request for "https://api.twitch.tv/kraken/user?access_token=e0arsft35wcqr44v8rv5ohabo9p68r"
2016-06-11 13:05:21.248 DEBUG 7876 --- [nio-8081-exec-4] o.s.s.oauth2.client.OAuth2RestTemplate   : Setting request Accept header to [application/json, application/*+json]
2016-06-11 13:05:21.342 DEBUG 7876 --- [nio-8081-exec-4] o.s.s.oauth2.client.OAuth2RestTemplate   : GET request for "https://api.twitch.tv/kraken/user" resulted in 401 (Unauthorized); invoking error handler

Direct HTTP error:

{"error":"Unauthorized","status":401,"message":"Token invalid or missing required scope"}

The API documentation says passing the token in the URI is valid, and I have the correct role when requesting the token. Am I missing anything obvious?

The query parameter name is oauth_token, not access_token.

3 Likes

Indeed it is. Spring Security uses access_token by default, as do the other endpoints I use.

Thank you very much.

1 Like
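
The fix from the answer expressed as client configuration, as an added example that is not part of the original thread. It assumes a Spring Boot application that binds the OAuth2 client under `security.oauth2.client` (a custom prefix would use the same keys); the endpoint URLs and scope are taken from the log in the question, and the credentials are placeholders read from environment variables with assumed names.

```yaml
security:
  oauth2:
    client:
      # Placeholders: supply the real values from the environment, not from this file.
      clientId: ${TWITCH_CLIENT_ID}
      clientSecret: ${TWITCH_CLIENT_SECRET}
      accessTokenUri: https://api.twitch.tv/kraken/oauth2/token
      userAuthorizationUri: https://api.twitch.tv/kraken/oauth2/authorize
      scope: user_read
      # The log shows client_id and client_secret sent in the form body of the token request.
      clientAuthenticationScheme: form
      # The log shows the access token appended to the resource URL as a query parameter.
      authenticationScheme: query
      # Spring Security OAuth2 names that parameter "access_token" unless told otherwise,
      # which produced the 401 in the question:
      #   tokenName: access_token
      # This endpoint expects "oauth_token", per the answer:
      tokenName: oauth_token
    resource:
      userInfoUri: https://api.twitch.tv/kraken/user
```

With `authenticationScheme: query` the token is part of the request URL, so DEBUG logging of `OAuth2RestTemplate` records it, as the log in the question shows.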
