"Invalid_grant" response when use Twinfield Openid Oauth connect

Question

This is the library which I used https://github.com/php-twinfield/

It's an issue when I call the Oauth login. I have completed almost APIs with username and password but client wants it with Oauth. I think there is a problem in redirectUri. When I called Oauth it always show:

{
    "success": false,
    "error": "invalid_grant"
}

This is my credential. Clientid and clientsecret is obtained from mail and the redirect uri set from Openid Twinfield link. Please correct me if there is anything wrong in credential.

clientId : Demorent
clientSecret : /iY7gyWn3Hkdgs4XzUG66SDyPNkk177x3A==
redirectUri : https://www.oauth.client.redirect.uri.com

The code which are used:

public function login(\Illuminate\Http\Request $request)
{
    try {
        // In the $request param all the credential given
        $provider    = new \PhpTwinfield\Secure\Provider\OAuthProvider([
            'clientId'     => $request->clientId,
            'clientSecret' => $request->clientSecret,
            'redirectUri'  => $request->redirectUri
        ]);
        // Here pass the authorization code 
        $accessToken  = $provider->getAccessToken("authorization_code", ["code" =>'NLA000067']);
        $refreshToken = $accessToken->getRefreshToken();
        $office       = \PhpTwinfield\Office::fromCode("1008");
        $connection  = new \PhpTwinfield\Secure\OpenIdConnectAuthentication($provider, $refreshToken, $office);
        $customerApiConnector = new \PhpTwinfield\ApiConnectors\CustomerApiConnector($connection);
        $result = $customerApiConnector->get('1008',$office);
        $jsonResponse = JsonResponse::success($result);

    } catch(SoapFault $e) {
        $jsonResponse = empty($e->getMessage()) ? JsonResponse::error(class_basename($e)) : JsonResponse::error($e->getMessage());
    }
    return $jsonResponse;
}

Answer 1

To start, invalid_grant is a standard OAuth 2.0 error parameter. Since OpenID Connect is build on OAuth 2.0, it's valid to receive this response. If you check the 5.2 Error Response section, you find below explanation

invalid_grant

The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.

As it explains, it could be anything from redirect URI, resource owner credentials. But I see some issue with your code related to authorization code.

    // Here pass the authorization code 
    $accessToken  = $provider->getAccessToken("authorization_code", ["code" =>'NLA000067']);

Are you using a hard coded authorization_code (NLA000067) ? This is wrong. First step of Authorization Code grant is to obtain the authorization code. Then only you can perform the token request. You obtain the authorization code from authorization request and I don't see you are doing that.

If this is the case, error response you are getting is completely valid. As explained above invalid_grant is resulted from invalid authorization code.

p.s- May be this link will guide you to correct the issue

Answer 2

@AnandPandey, follow the steps below

STEP 1:

You first need to build the url that you would invoke, to connect to Twinfield. And for doing that you should have the url as shown below.

https://login.twinfield.com/auth/authentication/connect/authorize?
client_id=Demorent
&client_secret=/iY7gyWn3Hkdgs4XzUG66SDyPNkk177x3A==
&redirect_uri=https://www.oauth.client.redirect.uri.com
&response_type=code
&force_login=0
&scope=openid+twf.user+twf.organisation+twf.organisationUser+offline_access
&state=STATELESS
&nonce=nonce

Note:

1) The redirect_uri needs to be exactly the same as that you have registered with Twinfield.

2) the scope parameter as shown above should be present and with the same value as it is given above

3) verify your client_id & client_secret

If all goes fine, you will be shown the Twinflield login page where in you need to login with your credentials. After successfull login you would be redirected to permission grants page to basically grant access to your application to access Twinfield data. Once you click on "Permit" you would be redirected back to the endpoint that you have specified with the authorization code.

STEP 2:

The next step is to invoke Twinfield accessTokenUri https://login.twinfield.com/auth/authentication/connect/token with the following headers

header.add("code",authorizationCodeFromStep1);
header.add("redirect_uri", yourRegisteredRedirectUri);
header.add("grant_type", "authorization_code");
header.add("client_id", "Demorent");
header.add("client_secret", "/iY7gyWn3Hkdgs4XzUG66SDyPNkk177x3A==");

If all the above parameters passed is correct, you would get a response back with id_token, accessToken, refreshToken, token_type and expires_in