MarkClaassen
Community Member

Getting "Invalid Access Token" when trying to access the user profile


I am following the OAUTH flow, getting the code, then using that to get an access token.  However, the access token I get back does not work.  I have a feeling I am doing something wrong here, but am unclear what.  I have looked for other similar issues and can't quite find what I am looking for.

I am not sending any scopes in the login request.  When I get the code, I use it to get a token:

request {
  grant_type: 'authorization_code',
  client_id: '*****',
  client_secret: '*****',
  redirect_uri: '*****',
  code: '*****'
}

response {
  access_token: '**ACCESS TOKEN**',
  token_type: 'Bearer',
  user: {
    id: 2,
    name: 'Example Student',
    global_id: '*****',
    effective_locale: 'en'
  },
  refresh_token: '*****',
  expires_in: 3600
}

 

Then, I do another request, putting in the HTTP Header:

Authorization: 'Bearer **ACCESS TOKEN**'


I always get:
Error: failed [401] {"errors":[{"message":"Invalid access token."}]}

I created an access token from the development dashboard, and the API request works with that token (which is the same format as the one I get back in the OAUTH flow).


But that seems to defeat part of the purpose. It seems I would want to make the API calls as the user who is logged in, and not using my developer token.

Any guidance on what I am doing incorrectly would be greatly appreciated!

joshua_lebo
Instructure

Hello @MarkClaassen,

Looking through your steps above and the OAuth2 workflow docs here and here, it sounds like you are making the correct requests to retrieve a valid access token. One thing I noticed is that you mention your header includes the following:

Authorization: 'Bearer <ACCESS-TOKEN>'

If you change that to instead include the following (notice no quotes)

Authorization: Bearer <ACCESS-TOKEN>

are you able to successfully authenticate the API request? If not, what are the API endpoints you are making the request to with the token? Is that an API endpoint to which the user whose token you are using should have access?


Thanks for the reply! The quotes were an artifact of how I copied the information for my post and were not part of the actual header. I should have been more careful when I made my post.

I also wrote to support and they were able to determine (from the logs) that I had the 'Test Cluster Only' setting enabled on my developer key.  I had not read into the environments that are included in the system.

https://community.canvaslms.com/t5/Canvas-Releases/What-is-the-Canvas-release-schedule-for-beta-prod...

All I needed to do was to either turn that setting off, or change my test code to access <domain>.test.instructure.com, instead of <domain>.instructure.com.

Again, thanks for the reply.  If the quotes had actually been part of my header, that would definitely have been a problem.
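
The two causes discussed in this thread (quote characters in the Authorization header, and a 'Test Cluster Only' developer key used against <domain>.instructure.com), as an added preflight check that is not part of the original posts. The function names, the example hostnames and the token value are constructed, and the endpoint paths are assumed to be the usual Canvas ones.

```javascript
// Added example: preflight checks for the two causes discussed in this thread.
// Hostnames, token value and function names are constructed for illustration.

// Return problems with an Authorization header value (expected: Bearer <token>).
function checkAuthorizationHeader(value) {
  if (/['"]/.test(value)) {
    return ['Authorization value contains quote characters'];
  }
  if (!/^Bearer \S+$/.test(value)) {
    return ['Authorization value is not of the form "Bearer <token>"'];
  }
  return [];
}

// True when the URL points at <domain>.test.instructure.com.
function isTestClusterUrl(url) {
  return new URL(url).hostname.toLowerCase().endsWith('.test.instructure.com');
}

// Collect every problem for one planned token exchange plus API call.
function preflight({ testClusterOnly, tokenUrl, apiUrl, authorization }) {
  const problems = checkAuthorizationHeader(authorization);
  if (testClusterOnly) {
    for (const url of [tokenUrl, apiUrl]) {
      if (!isTestClusterUrl(url)) {
        const host = new URL(url).hostname;
        problems.push(`'Test Cluster Only' key used against non-test host: ${host}`);
      }
    }
  }
  return problems;
}

// Constructed inputs: the failing setup, then the setup after both fixes.
const asPosted = {
  testClusterOnly: true,
  tokenUrl: 'https://example.instructure.com/login/oauth2/token',
  apiUrl: 'https://example.instructure.com/api/v1/users/self/profile',
  authorization: "'Bearer CONSTRUCTED_TOKEN'",
};
const corrected = {
  testClusterOnly: true,
  tokenUrl: 'https://example.test.instructure.com/login/oauth2/token',
  apiUrl: 'https://example.test.instructure.com/api/v1/users/self/profile',
  authorization: 'Bearer CONSTRUCTED_TOKEN',
};
console.log(preflight(asPosted));
console.log(preflight(corrected));
```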