dusterio/lumen-passport

Error 400, "error": "invalid_grant"

fapasv opened this issue · 7 comments

Hi everyone... and help! When I'm trying to log in, the API always returns
"The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."

Not sure if this issue is related to the library, but anyway, it could be one of these:

  • the client_id / client_secret pair don't match each other
  • the id/secret pair isn't for a password_client but for a personal_access_client (check those columns in the oauth_clients table)
  • the password is wrong
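The three checks in that list can be run against the live database instead of guessed at. The following diagnostic is an added example, not code from the thread or from dusterio/lumen-passport; it assumes a Lumen app with Passport's tables migrated, the `app('hash')` and `app('db')` services the thread already uses, and an Eloquent user model (defaulting to `App\Models\User`, an assumption) that uses Laravel's `Authenticatable` trait. It walks the same path Passport's bridge takes for the password grant: find the client, verify the secret, find the user by the column Passport searches, then check the stored hash.

```php
<?php
// Added diagnostic for the password-grant "invalid_grant" error. Not part of
// dusterio/lumen-passport or the original thread. Run it from `php artisan tinker`
// or a throwaway route inside the Lumen app.
// Assumptions: Passport's oauth_clients table exists; the user model is
// App\Models\User unless another class name is passed in.

function diagnosePasswordGrant(
    string $clientId,
    string $clientSecret,
    string $username,
    string $password,
    string $userModel = \App\Models\User::class
): array {
    $findings = [];
    $hash = app('hash');
    $db   = app('db');

    // 1. Does the client exist, and is it a *password* client?
    $client = $db->table('oauth_clients')->where('id', $clientId)->first();
    if (! $client) {
        return ["no oauth_clients row with id {$clientId}"];
    }
    if (! $client->password_client) {
        $findings[] = 'client is not a password client (password_client = 0); '
            . 'create one with `php artisan passport:client --password`';
    }
    if ($client->revoked) {
        $findings[] = 'client is revoked';
    }

    // 2. Does the secret match? Passport stores the secret in plain text unless
    //    Passport::hashClientSecrets() is enabled, so accept either form.
    $storedSecret = (string) $client->secret;
    $secretIsHash = ! empty(password_get_info($storedSecret)['algo']);
    $secretOk = $secretIsHash
        ? $hash->check($clientSecret, $storedSecret)
        : hash_equals($storedSecret, $clientSecret);
    if (! $secretOk) {
        $findings[] = 'client_secret does not match the oauth_clients row';
    }

    // 3. Does the user exist under the column Passport actually searches?
    //    Without findForPassport() on the model, Passport looks in `email`.
    $user = method_exists($userModel, 'findForPassport')
        ? (new $userModel)->findForPassport($username)
        : $userModel::where('email', $username)->first();
    if (! $user) {
        $findings[] = "no user found for '{$username}' "
            . '(Passport searches the email column unless the model defines findForPassport)';
        return $findings;
    }

    // 4. Is the stored password a real hash, and does the supplied one match?
    //    getAuthPassword() reads the `password` attribute; a column named
    //    `Password` (different case) or a missing column yields null here.
    $storedPassword = $user->getAuthPassword();
    if (empty($storedPassword)) {
        $findings[] = 'getAuthPassword() returned nothing: column missing, misnamed (case matters) or null';
    } elseif (empty(password_get_info($storedPassword)['algo'])) {
        $findings[] = 'stored password is not a bcrypt/argon hash: it was saved in plain text';
    } elseif (! $hash->check($password, $storedPassword)) {
        $findings[] = 'password does not match the stored hash';
    }

    return $findings ?: ['client and user look correct; check grant_type=password and the request body'];
}

// Usage (values are placeholders):
// print_r(diagnosePasswordGrant('2', 'the-client-secret', 'jane@example.com', 'the-password'));
```

Each string in the returned array maps to one cause of `invalid_grant`; Passport itself collapses all of them into the same generic error, which is why the thread had to find them one at a time.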

change grant_type to 'client_credentials'

@ruchisheth I was able to get a token using this grant type. However, the token doesn't work. It seems password grant is really the right option but it doesn't work for authentication. I tried a lot of different solutions but nothing worked. 😞

I finally was able to figure this out. I added a field to my users table literally called username. However, Passport tries to find users by email. Just adding a custom findForPassport method to my User class fixed the issue. And that's documented: https://laravel.com/docs/8.x/passport#customizing-the-username-field

Double check that the user's password is hashed in the database.

ISSUE: I forgot to hash the passwords on user registration:

public function register(RegisterRequest $request)
{
    $user = User::create($request->all()); // The password is not hashed

    return response()->json($user, 200);
}

SOLUTION: Hash passwords:

public function register(RegisterRequest $request)
{
    $user = User::create(
        collect($request->all())
            ->merge(['password' => bcrypt($request->password)]) // The password is hashed
            ->toArray()
    );

    return response()->json($user, 200);
}

To avoid this common issue, perhaps we could default the password attribute in User to be hashed when stored in the database, e.g. via a mutator in the User model:

/**
 * Set the user's password in Hashed format.
 *
 * @param  string  $value
 * @return void
 */
public function setPasswordAttribute($value)
{
    $this->attributes['password'] = $value ? bcrypt($value) : null;
}

Your password field shouldn't be empty. If you want to log in and get an access token without a password, paste this code in your user model:

public function validateForPassportPasswordGrant($password) { return true; }
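The three model-level fixes discussed above (a `findForPassport` lookup for a `username` column, hashing on assignment, and `validateForPassportPasswordGrant`) fit together in one model. The class below is an added example, not code from the thread or from dusterio/lumen-passport; it assumes a `users` table with `username`, `email` and `password` columns and the `Authenticatable` trait/contract that the lumen-passport setup uses. Note the caveat on `validateForPassportPasswordGrant`: once that method exists, Passport no longer runs its own `Hash::check`, so the always-`true` version posted above issues a token to anyone who knows a valid username. This version keeps the real check.

```php
<?php
// Added example User model for Lumen + Passport password grant. Not code from the
// original thread or from dusterio/lumen-passport.
// Assumptions: a `users` table with `username`, `email`, `password` columns;
// Laravel's Authenticatable trait and contract; Passport's HasApiTokens.

namespace App\Models;

use Illuminate\Auth\Authenticatable;
use Illuminate\Contracts\Auth\Authenticatable as AuthenticatableContract;
use Illuminate\Database\Eloquent\Model;
use Laravel\Passport\HasApiTokens;

class User extends Model implements AuthenticatableContract
{
    use Authenticatable, HasApiTokens;

    protected $fillable = ['username', 'email', 'password'];

    // Never serialise the hash: response()->json($user) would otherwise return it.
    protected $hidden = ['password', 'remember_token'];

    // The token request carries a `username` field. Without this method Passport
    // looks that value up in the `email` column only, so a login by username
    // fails with invalid_grant. Accept either identifier here.
    public function findForPassport(string $username): ?self
    {
        return $this->where('username', $username)
            ->orWhere('email', $username)
            ->first();
    }

    // Defining this method REPLACES Passport's own Hash::check for the password
    // grant. Keep a real constant-time comparison against the stored hash and
    // refuse empty or missing hashes instead of treating them as a match.
    public function validateForPassportPasswordGrant(string $password): bool
    {
        $stored = $this->getAuthPassword();

        return is_string($stored) && $stored !== '' && app('hash')->check($password, $stored);
    }

    // Mutator: every assignment to `password` is hashed, so a controller doing
    // User::create($request->all()) cannot store plain text. Seeders and tests
    // must therefore pass the plain password, not a pre-hashed value.
    public function setPasswordAttribute(?string $value): void
    {
        $this->attributes['password'] = ($value === null || $value === '')
            ? null
            : app('hash')->make($value);
    }
}
```

With this model the registration controller above can keep calling `User::create($request->all())`, and a user whose `password` is null can never obtain a token, because `validateForPassportPasswordGrant` rejects the empty hash before `Hash::check` runs.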

Hello everyone,

I'm getting this same error. I've verified that my issue is not what @santilorenzo suggested and tried the @straube solution, and I cannot resolve the issue. One thing I did notice that looks strange is that in the oauth_clients table the redirect URL column is http://localhost, but the API has been set up and installed all on a live domain, https://api.< domain >.com. I'm not sure if this is part of the issue; I did change that to my actual domain and it still did not resolve the issue. My passwords have also been hashed in the database by app('hash')->make('< password >') and verified with app('hash')->check('< password >', '< client_secret >'), so that looks correct. My users table is named [ Users ] in the database and I have a column named [ Username ] and an [ email ] column, so I'm not sure if the case in the table name is the issue, but in my user model I have protected $table = 'Users' and everything else seems to be working fine; my UserFactory.php creates users for me, so I don't think that is the issue. Anyway, if anyone has any ideas I'm all ears. :) Thanks.

RESOLVED ISSUE

The database that I was working on had the password column named with a capital P; this was breaking $user->getAuthPassword() on line 63 in "laravel/passport/src/Bridge/UserRepository.php". I knew when I first started working on this project that I was going to refactor all the column names, but I had not gotten to it. Now it's a priority. I'll just leave this here in case someone else gets punched in the eye by this issue.