Invalid grant when generating refresh token using auth code

[xingster]

Hi there,

I have a client developed using Expo, and I used AuthSession to generate the auth code successfully after logging in. However, I'm getting a error "invalid_grant" when trying to exchange the auth code for a refresh token using the /api/token endpoint.

const fetchToken = async () => {
        try {
          const formData = new URLSearchParams();
          formData.append('grant_type', 'authorization_code');
          formData.append('code', code);
          formData.append('redirect_uri', 'http://localhost:8081');
          formData.append('client_id', 'tD68RPWo3JAmqIaqHGKr013mbydBYAwc3C2ScV2IBxs');
          formData.append('client_secret', 'ijzXzLF-xPA-WvVWmWSPgPOSK_Dk94nTqnzzoFfwd0U');
          const tokenResponse = await axios.post('http://localhost:8000/api/token', formData, {
            headers: {
              'Content-Type': 'application/x-www-form-urlencoded',
            },
          });
          setAccessToken(tokenResponse.data.access_token);
          // Navigate to the main app screen
          navigation.replace('Main');
        } catch (error) {
          if (axios.isAxiosError(error)) {
            console.error('Axios error:', error.response?.data);
          } else {
            console.error('Unexpected error:', error);
          }
        }
      };

I've checked the data and headers compared to my working auth flow in the backend FastAPI swagger docs, and they look about the same. Also made sure that the redirect uri is configured in the client redirect links on Fief admin portal. I think that the auth code may be incorrect, but I'm not sure how to debug this. Any help would be really appreciated. Thank you!

[fief-bailiff[bot]]

Hail, @xingster 👋 Welcome to Fief's kingdom!

Our team will get back to you very soon to help.

In the meantime, take a minute to star our repository ⭐️

Want to support us?

Subscribe to one of our paid plan to help us continue our work and receive exclusive information and benefits! Starts at $5/month 🪙

Farewell!

[frankie567]

I would check two things:

1. Make sure the redirect_uri is exactly the same as the one you passed to /authorize (they must match)
2. Make sure Expo doesn't trigger the request twice (some frameworks might do it in dev mode)

[xingster]

Thanks! Those two were both correct, but I figured out the issue. It was defaulting PKCE to true during the /authorize request. Once I set it to false I was able to generate the refresh token.