Auth with todoist API: invalid_grant

Question

I'm adding the ability to post todos to my Todist list via a simple app. At the moment I am getting the response "error"=>"invalid_grant" when exchanging my code for an access_token.

I'm unsure exactly what 'invalid_grant' is referring too in this context. Other answers I find seem to be regarding various Google APIs. The Todoist API documentation makes no mention of it.

The post request for token exchange is:

uri = URI('https://todoist.com/oauth/access_token')
result = Net::HTTP.post_form(uri, client_id: ENV['TODOIST_CLIENT_ID'], client_secret: ENV['TODOIST_CLIENT_SECRET'], code: params[:code])
json_body = JSON.parse(result.body) # <- prints error

Any help understanding and solving this is much appreciated.

Update

After reading Takahiko Kawasaki's answer, I have updated the request to the following, but have the same error message.

uri = URI('https://todoist.com/oauth/access_token')
data = {
  :client_id => ENV['TODOIST_CLIENT_ID'],
  :client_secret => ENV['TODOIST_CLIENT_SECRET'],
  :code => params[:code],
  :grant_type => 'authorization_code',
}
result = Net::HTTP.post_form(uri, data)
json_body = JSON.parse(result.body)

Answer 1

Add the following.

grant_type: 'authorization_code'

See RFC 6749, 4.1.3. Access Token Request for details.

---

Additional comment for the revised question.

It seems that the OAuth implementation by Todoist is not mature. I took a look at their API document and soon found some violations against RFC 6749.

For example, (1) scopes must be delimited by spaces but their document says commas should be used. (2) Their token endpoint does not require the grant_type request parameter, which is required by the specification. (3) The value of the error parameter in the response from a token endpoint should be invalid_grant when the presented authorization code is wrong, but their API document says the value will be bad_authorization_code, which is not an official value.

In addition, this is not a violation, but the specification of their API to revoke access tokens implies that they don't know the existence of the official specification for access token revocation, RFC 7009.

For public clients (RFC 6749, 2.1. Client Types), e.g. smartphone applications, the client_secret request parameter of a token endpoint should be optional, but their API document says it is required.

Because their OAuth implementation does not comply with the specification, it would be better for you to ask Todoist directly.

Answer 2

The latest version of the Todoist API (v8) does not require the grant_type parameter so this is not currently the issue.

Two possible reasons for receiving the invalid_grant error are:

1. The code was not used within a certain length of time and has expired
2. The code has already been used to generate an access token and so is no longer valid

In both cases, generating a new code before making the POST request should sort the problem.