What URL are you sending people back to to have Apple deliver the authorization code to? That's the redirect URL, and you have to have configured it in the request and in the developer console anyway too.
I remembered why `redirect_uri` is optional in their docs 😂
They document both the auth code and refresh token request with the same list. You don't send the `redirect_uri` when using a refresh token, hence it's an optional parameter.
Ok I was curious so I tested myself. I get the `invalid_grant` error unless I include the `redirect_uri` in the POST request with the authorization code.
Last night at the #oredev speaker dinner I got to participate in either an old Swedish tradition or an elaborate prank they play on foreigners: alternating between the sauna and jumping into the Baltic Sea three times.
Either way it was a fun experience. 😆
Make sure to include exactly the claims in their docs. I was finding some JWT libraries would add their own stuff into it or change things around slightly. Probably easiest to verify by base64 decoding the claims after you generate it.
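The check suggested above (base64 decoding the claims and comparing them with the documented set), written out as an added example that is not code from the post it refers to. The claim names, the `aud` value and the six-month limit are assumptions taken from Apple's client-secret documentation, and the team ID, key ID and client ID in the sample are constructed.

```ruby
require 'base64'
require 'json'

# Assumptions taken from Apple's client-secret documentation, not from this page:
EXPECTED_CLAIMS = %w[iss iat exp aud sub].freeze
APPLE_AUD = 'https://appleid.apple.com'
MAX_LIFETIME = 15_777_000 # six months, in seconds

# Decode the claims (middle) segment of a JWT. The signature is NOT verified.
def decode_claims(jwt)
  parts = jwt.split('.')
  raise ArgumentError, 'a JWT has three dot-separated segments' unless parts.length == 3
  payload = parts[1]
  payload += '=' * ((4 - payload.length % 4) % 4) # JWTs strip base64 padding
  JSON.parse(Base64.urlsafe_decode64(payload))
end

# Compare the decoded claims with the expected set and report every difference.
def audit_client_secret(jwt)
  claims = decode_claims(jwt)
  problems = []
  problems << "aud is not #{APPLE_AUD}" unless claims['aud'] == APPLE_AUD
  %w[iat exp].each do |name|
    problems << "#{name} is not an integer timestamp" unless claims[name].is_a?(Integer)
  end
  if claims['iat'].is_a?(Integer) && claims['exp'].is_a?(Integer) &&
     claims['exp'] - claims['iat'] > MAX_LIFETIME
    problems << 'lifetime exceeds six months'
  end
  { extra: claims.keys - EXPECTED_CLAIMS,
    missing: EXPECTED_CLAIMS - claims.keys,
    problems: problems }
end

# Build an unsigned token from constructed claims, for demonstration only.
def constructed_token(claims)
  enc = ->(obj) { Base64.urlsafe_encode64(JSON.generate(obj), padding: false) }
  "#{enc.call('alg' => 'ES256', 'kid' => 'KEYID12345')}.#{enc.call(claims)}.c2ln"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a library added "jti" and "nbf" and wrote iat as a float.
  token = constructed_token('iss' => 'TEAMID1234', 'iat' => 1_570_000_000.0,
                            'exp' => 1_570_003_600, 'aud' => APPLE_AUD,
                            'sub' => 'com.example.client', 'jti' => 'abc', 'nbf' => 0)
  puts JSON.pretty_generate(audit_client_secret(token))
end
```
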
Huh I missed that in their docs. My next guess is your client secret JWT isn't being generated properly. Try generating it with the Ruby code in my post, it's very picky.
Slides from my "How to Hack OAuth" talk at #oredev are up!
speakerdeck.com/aaronpk/how-…
Thanks everyone for coming to watch and I hope you got something out of it! I'll post again when the video is out!
They pushed out some changes a little bit ago and I have been able to exchange the authorization code and get the user info now! I updated my post so maybe take a look through it again. developer.okta.com/blog/2019…
what the... this is literally something I dreamed about being able to do 20 years ago and never in a million years thought computers would be able to come close
Trying to use emoji in my slides and I have some questions:
1) why is there no "window" emoji
2) why is there a floor lamp in the couch 🛋 emoji
3) why is there only a lightbulb 💡 on, but not off
It's definitely mentioned as optional on the "Getting Started" page if that's what you were looking at. But in general you should also think of everything on the wiki as optional, because after all it's your website!
I'm curious what you read that suggested a URL shortener was a required step. I agree they're bad for the web, but I use them for other things like in slides and in print. If nothing else we should make it more obvious that nobody is suggesting a URL shortener is required.