dav1126 asked jcy edited

First token request not working on OAuth 2.0

I can't make the requests to get a first token to work in the new oauth flow. The old flow was working fine for me.

The only differences that I can see in the doc are that the production URL changed from https://www.clover.com to https://api.clover.com, the route changed from /oauth/token to /oauth/v2/token, and the request is now a POST instead of a GET. The params (client_id, client_secret and code) are now passed in the POST request body instead of the GET search params. They are the only changes I made. The new OAuth API always returns:

401 {"status":"Unauthorized","message":"Failed to validate authentication code."}

It happens in both the sandbox and production environments. If it helps, doing the exact same request (a POST with params in the body) on the old API route (/oauth/token) succeeds and gets me an access_token, but no refresh_token.

Prod app id: XX4047T4M54AY


bryanvargas answered submatic commented

Are you using the new authorization code that is generated from the authorize endpoint?


submatic commented

@bryanvargas I am encountering various issues with the OAuth 2 workflow. Does not work if done via the left pane logged in view. Yesterday it was working for me when initiated from my app but today it is not as there appears to be a 500 internal server error triggered on Clover's side when attempting to do the installation.

submatic answered

Seems like it works if using https://apisandbox.dev.clover.com

Most of the documentation references the url https://sandbox.dev.clover.com

chiragclovercommunity answered jmalone30 commented

I am also facing the same issue: the first time I get the following error, but the second time I was able to verify the code. Is there any fix I can use, or is there anything I have misconfigured?


 {"status":"Unauthorized","message":"Failed to validate authentication code."}


I am using this endpoint url to validate code:

https://apisandbox.dev.clover.com/oauth/v2/token

jmalone30 commented

Did you solve this issue? It is happening to me right now and I swear it was working last night!

dsafonov answered

Yes we are also seeing this issue.


We send people to `www.clover.com/oauth/v2/authorize?client_id=...&state=...` and then when we get the code back, hitting `POST api.clover.com/oauth/v2/token` with the JSON payload returns back `Failed to validate authentication code.`


We then fall back to `GET https://www.clover.com/oauth/token` (v1) which still works to get `access_token` (even after Aug 1 2024) and then can use migrate flow to get the refresh token and then they're on v2 and everything's fine.


This is clearly not working right -- in sandbox, all of the above works perfectly first try, no need to fallback to v1 and no need to migrate.


Really glad we're not the only ones experiencing this issue.

jcy answered jcy edited

I haven't had this problem during testing in the past few days.

Both production and sandbox are fine


https://sandbox.dev.clover.com/oauth/v2/authorize?client_id=xxxx&redirect_uri=xxxx

https://apisandbox.dev.clover.com/oauth/v2/token


https://www.clover.com/oauth/v2/authorize?client_id=xxxx&redirect_uri=xxxx

https://api.clover.com/oauth/v2/token


token request body:

{
    "client_id": "xxxx",
    "client_secret": "xxxx",
    "code": "xxxx"
}


And!! OAuth v1 can still work normally, and the access token obtained before can still be used!

dsafonov answered

Someone in another thread said they can repro it if the app isn’t already installed on the merchant account. If you uninstall the app from the merchant account first, does it still work?

jcy answered

Sorry, I can't test it. I don't have the permission to delete the APP in production.

But according to the clover document I read before, the auth code will not be returned if the app is not installed.

By the way, how long is the expiration time of everyone's v2 access token? The returned unix time shows that it expires in 30 minutes, but my test these days is 12 to 24 hours, so I don't know the pattern.

dsafonov answered dsafonov edited

The auth code is returned if the app isn’t already installed - that’s the point (as long as the merchant does opt to install it!). The point I was making is that the auth code via v2/authorize seems to only work for v1 if the app wasn’t previously installed, but if the app was already installed, then the second time they get sent to v2/authorize it returns an auth code that works with v2. At least that seems to explain why it works perfectly for me in sandbox, why OP here says it works “second time”, etc. I also cannot test with a prod merchant (without asking a customer for their creds - no thanks!)


Re: expiry. I’m seeing +30min for access, +1yr for refresh. I refresh with 10min remaining to avoid having to lock/sync refreshes (the loser of a race to refresh can still use the old access token, so no need to avoid the race). Once someone is on v2 it actually works quite smooth. Just wish this authorize flow was either fixed or better documented. If I’m doing it wrong, I want to know!
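The refresh-ahead approach described in the answer above, sketched as an added example (not code from the thread or from Clover): each worker refreshes once 10 minutes remain, takes no lock, and keeps using the old access token if its refresh is refused. The `refresh_fn` callable is hypothetical, and the simulation assumes the server accepts a given refresh token only once; all token values and timestamps are constructed.

```python
import time
from dataclasses import dataclass

REFRESH_MARGIN = 10 * 60  # refresh with 10 minutes remaining, as in the post

@dataclass(frozen=True)
class Tokens:
    access_token: str
    access_expires_at: int  # unix seconds
    refresh_token: str

class RefreshRejected(Exception):
    """The injected refresh call was refused by the server."""

class TokenManager:
    def __init__(self, tokens, refresh_fn, clock=time.time):
        self.tokens = tokens
        self._refresh = refresh_fn  # hypothetical callable: refresh_token -> Tokens
        self._clock = clock

    def adopt(self, candidate):
        # Keep the pair that expires later so a slow writer cannot roll state back.
        if candidate.access_expires_at > self.tokens.access_expires_at:
            self.tokens = candidate

    def access_token(self):
        now = self._clock()
        if self.tokens.access_expires_at - now > REFRESH_MARGIN:
            return self.tokens.access_token
        stale = self.tokens
        try:
            self.adopt(self._refresh(stale.refresh_token))
        except RefreshRejected:
            # Lost the race: keep the old access token while it is still valid,
            # and fail closed once it has expired.
            if stale.access_expires_at <= now:
                raise
        return self.tokens.access_token

def simulate_race():
    """Constructed scenario; assumes the server accepts each refresh token once."""
    used = set()
    def fake_refresh(rt):
        if rt in used:
            raise RefreshRejected(rt)
        used.add(rt)
        return Tokens("access-2", 2800, "refresh-2")
    start = Tokens("access-1", 1500, "refresh-1")  # 500 s left at t=1000
    workers = [TokenManager(start, fake_refresh, clock=lambda: 1000) for _ in range(2)]
    return [w.access_token() for w in workers]
```

In a real deployment the loser would also need to pick up the winner's new token pair from shared storage before its old access token expires.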

jcy answered jcy edited


Here is my situation.

The app has been installed on the clover machine. Whether I obtain the auth code through the OAuth v1 or OAuth v2 by URL, and then obtain the token, I can succeed.


The auth code via v2/authorize used for v1, I've never tried this before.


Hope this helps

======

I saw you said that the old v1 token can still be used, even if the store has switched to v2 token


Now that I use v2 token, the old v1 token can also be used at the same time. Is this confirmed by clover? v1 token will never expire? I really want to keep using v1 token instead of changing to v2 token.


Found this: "Current tokens are long lived"..

