Getting Status Code: 403 when trying to hit access token endpoint


#1

Hi, I am getting the same response while exchanging the authorization code for the access token via the token endpoint. The above solution did not work for me.

I am developing an iOS SDK for authentication and authorization for my organisation.
For API calls I am using Alamofire.
Deployment target is iOS 11.4.
Below are the details for each of my web service calls:

Authn endpoint request:

$ curl -v \
  -X POST \
  -b "proximity_beb48734015c875160c574c2696a4f68=Ej60dXl725NxOJ0C6TgeKyDHKkJMPV4YpgMHAuXzLsKdpa25jeuSBgIgFOwXy5fnoDY3f7BAlTfOtVjAjTuIdf3xsZXAy6NHP9TKbhxZvLa62cYvmQ/X2ARMwV8sJtzwK0CeEwdqanhIwblGYOpcCtRHoqkJqqfWgZnDhqZTwcplCoNNK3FFtVaH53jsqZXY;DT=DI0YLv4MQBGQlusEP4JiLfBCg" \
  -H "Content-Type: application/json" \
  -H "Accept-Language: en;q=1.0" \
  -H "User-Agent: AuthenticationSample/1.0 (PB.AuthenticationSample; build:1; iOS 11.4.0) Alamofire/4.8.0" \
  -H "Accept-Encoding: gzip;q=1.0, compress;q=0.5" \
  -d '{"username":"XXX@XXX.com","password":"somepassword"}' \
  "https://{domain}/api/v1/authn"

Response:

<NSHTTPURLResponse: 0x610000026280> { URL: https://{domain}/api/v1/authn } { Status Code: 200, Headers {
"Cache-Control" = (
"no-cache, no-store"
);
Connection = (
"Keep-Alive"
);
"Content-Encoding" = (
gzip
);
"Content-Type" = (
"application/json;charset=UTF-8"
);
Date = (
"Thu, 03 Jan 2019 07:30:41 GMT"
);
Expires = (
0
);
"Keep-Alive" = (
"timeout=315, max=200"
);
P3P = (
"CP=\"HONK\""
);
Pragma = (
"no-cache"
);
"Public-Key-Pins-Report-Only" = (
"pin-sha256=\"jZomPEBSDXoipA9un78hKRIeN/+U4ZteRaiX8YpWfqc=\"; pin-sha256=\"axSbM6RQ+19oXxudaOTdwXJbSr6f7AahxbDHFy3p8s8=\"; pin-sha256=\"SE4qe2vdD9tAegPwO79rMnZyhHvqj3i5g1c2HkyGUNE=\"; pin-sha256=\"ylP0lMLMvBaiHn0ihLxHjzvlPVQNoyQ+rMiaj0da/Pw=\"; max-age=60; report-uri=\"https://okta.report-uri.io/r/default/hpkp/reportOnly\""
);
Server = (
nginx
);
"Set-Cookie" = (
"sid=\"\"; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/",
"JSESSIONID=F731CD24B428B6D2ACD6E807E0F50900; Path=/; Secure; HttpOnly"
);
"Strict-Transport-Security" = (
"max-age=315360000"
);
"Transfer-Encoding" = (
Identity
);
Vary = (
"Accept-Encoding"
);
"X-Content-Type-Options" = (
nosniff
);
"X-Okta-Request-Id" = (
XC26IGe1wfLFB5epb2v0BgAAAbQ
);
"X-Rate-Limit-Limit" = (
600
);
"X-Rate-Limit-Remaining" = (
592
);
"X-Rate-Limit-Reset" = (
1546500685
);
} }

Authorize request:

$ curl -v \
  -b "JSESSIONID=F731CD24B428B6D2ACD6E807E0F50900;proximity_beb48734015c875160c574c2696a4f68=Ej60dXl725NxOJ0C6TgeKyDHKkJMPV4YpgMHAuXzLsKdpa25jeuSBgIgFOwXy5fnoDY3f7BAlTfOtVjAjTuIdf3xsZXAy6NHP9TKbhxZvLa62cYvmQ/X2ARMwV8sJtzwK0CeEwdqanhIwblGYOpcCtRHoqkJqqfWgZnDhqZTwcplCoNNK3FFtVaH53jsqZXY;DT=DI0YLv4MQBGQlusEP4JiLfBCg" \
  -H "Accept-Language: en;q=1.0" \
  -H 'Set-Cookie: sid=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/, JSESSIONID=F731CD24B428B6D2ACD6E807E0F50900; Path=/; Secure; HttpOnly' \
  -H "User-Agent: AuthenticationSample/1.0 (PB.AuthenticationSample; build:1; iOS 11.4.0) Alamofire/4.8.0" \
  -H "Accept-Encoding: gzip;q=1.0, compress;q=0.5" \
  "https://{domain}/oauth2/v1/authorize?state=staticState&prompt=none&response_type=code&redirect_uri={redirect_uri}&client_id={client_id}&nonce=staticNonce&sessionToken={session_token}&response_mode=query&scope=openid%20offline_access"

Response:

<NSHTTPURLResponse: 0x610000026bc0> { URL: https://{domain}/oauth2/v1/authorize?state=staticState&prompt=none&response_type=code&redirect_uri={redirect_uri}&client_id={client_id}&nonce=staticNonce&sessionToken={token}&response_mode=query&scope=openid%20offline_access } { Status Code: 302, Headers {
"Cache-Control" = (
"no-cache, no-store"
);
Connection = (
"Keep-Alive"
);
"Content-Language" = (
en
);
"Content-Length" = (
0
);
Date = (
"Thu, 03 Jan 2019 07:32:47 GMT"
);
Expires = (
0
);
"Keep-Alive" = (
"timeout=315, max=200"
);
Location = (
"{redirect_uri}?code=3-AIN-UcpzYa3SRAacOn&state=staticState"
);
P3P = (
"CP=\"HONK\""
);
Pragma = (
"no-cache"
);
"Public-Key-Pins-Report-Only" = (
"pin-sha256=\"jZomPEBSDXoipA9un78hKRIeN/+U4ZteRaiX8YpWfqc=\"; pin-sha256=\"axSbM6RQ+19oXxudaOTdwXJbSr6f7AahxbDHFy3p8s8=\"; pin-sha256=\"SE4qe2vdD9tAegPwO79rMnZyhHvqj3i5g1c2HkyGUNE=\"; pin-sha256=\"ylP0lMLMvBaiHn0ihLxHjzvlPVQNoyQ+rMiaj0da/Pw=\"; max-age=60; report-uri=\"https://okta.report-uri.io/r/default/hpkp/reportOnly\""
);
"Referrer-Policy" = (
"no-referrer"
);
Server = (
nginx
);
"Set-Cookie" = (
"JSESSIONID=1CEF91CF00FBF32F8C9689E5151471DC; Path=/; Secure; HttpOnly",
"t=purple; Path=/",
"sid=102F6NMOZE7RPqPgokAREnKIQ; Path=/; Secure",
"proximity_beb48734015c875160c574c2696a4f68=Ej60dXl725NxOJ0C6TgeKyDHKkJMPV4YpgMHAuXzLsKdpa25jeuSBgIgFOwXy5fnoDY3f7BAlTfOtVjAjTuIdf3xsZXAy6NHP9TKbhxZvLa62cYvmQ/X2ARMwV8sJtzwK0CeEwdqanhIwblGYOpcCtRHoqkJqqfWgZnDhqZTwcplCoNNK3FFtVaH53jsqZXY; Expires=Fri, 03-Jan-2020 07:32:47 GMT; Path=/; Secure"
);
"Strict-Transport-Security" = (
"max-age=315360000"
);
"X-Okta-Request-Id" = (
XC26n56CNkxxHLh8fMVtLQAAAbk
);
"X-Rate-Limit-Limit" = (
40
);
"X-Rate-Limit-Remaining" = (
39
);
"X-Rate-Limit-Reset" = (
1546500777
);
"X-Robots-Tag" = (
none
);
} }

Access token request:

$ curl -v \
  -X POST \
  -b "JSESSIONID=1CEF91CF00FBF32F8C9689E5151471DC;proximity_beb48734015c875160c574c2696a4f68=Ej60dXl725NxOJ0C6TgeKyDHKkJMPV4YpgMHAuXzLsKdpa25jeuSBgIgFOwXy5fnoDY3f7BAlTfOtVjAjTuIdf3xsZXAy6NHP9TKbhxZvLa62cYvmQ/X2ARMwV8sJtzwK0CeEwdqanhIwblGYOpcCtRHoqkJqqfWgZnDhqZTwcplCoNNK3FFtVaH53jsqZXY;sid=102F6NMOZE7RPqPgokAREnKIQ;t=purple;DT=DI0YLv4MQBGQlusEP4JiLfBCg" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Accept-Language: en;q=1.0" \
  -H 'Set-Cookie: sid=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/, JSESSIONID=F731CD24B428B6D2ACD6E807E0F50900; Path=/; Secure; HttpOnly' \
  -H "User-Agent: AuthenticationSample/1.0 (PB.AuthenticationSample; build:1; iOS 11.4.0) Alamofire/4.8.0" \
  -H "Accept-Encoding: gzip;q=1.0, compress;q=0.5" \
  -d "grant_type=authorization_code&client_secret={client_secret}&scope=openid%20offline_access&redirect_uri={redirect_uri}&code=3-AIN-UcpzYa3SRAacOn&client_id={client_id}" \
  "https://{domain}/oauth2/v1/token"

Response:

<NSHTTPURLResponse: 0x608000027d00> { URL: https://{domain}/oauth2/v1/token } { Status Code: 403, Headers {
Connection = (
"Keep-Alive"
);
"Content-Length" = (
0
);
Date = (
"Thu, 03 Jan 2019 07:37:55 GMT"
);
"Keep-Alive" = (
"timeout=315, max=200"
);
P3P = (
"CP=\"HONK\""
);
"Public-Key-Pins-Report-Only" = (
"pin-sha256=\"jZomPEBSDXoipA9un78hKRIeN/+U4ZteRaiX8YpWfqc=\"; pin-sha256=\"axSbM6RQ+19oXxudaOTdwXJbSr6f7AahxbDHFy3p8s8=\"; pin-sha256=\"SE4qe2vdD9tAegPwO79rMnZyhHvqj3i5g1c2HkyGUNE=\"; pin-sha256=\"ylP0lMLMvBaiHn0ihLxHjzvlPVQNoyQ+rMiaj0da/Pw=\"; max-age=60; report-uri=\"https://okta.report-uri.io/r/default/hpkp/reportOnly\""
);
Server = (
nginx
);
"X-Okta-Request-Id" = (
"XC270yR-OwFvj3AWjXWOgQAAA5E"
);
"X-Rate-Limit-Limit" = (
40
);
"X-Rate-Limit-Remaining" = (
39
);
"X-Rate-Limit-Reset" = (
1546501085
);
} }

I have tried many different things on this but nothing worked.
The same thing is working in Postman, and also for the Android developers in my team.
Need urgent help.


#2

Is there any body or error message in the final 403 response?

To do authentication on mobile, you need to avoid sending a client secret and instead use PKCE (an additional code_challenge parameter instead of a client secret). We have a guide that shows you how: Authorization code with PKCE

Also, you don’t have to save the cookies that these endpoints give you, you can ignore them. (I doubt that is the reason why it isn’t working, though)
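The PKCE variant of the flow recommended above, as an added worked example (not Okta's SDK code and not code from this thread): it generates the code_verifier and S256 code_challenge per RFC 7636, builds the /oauth2/v1/authorize URL with the same parameters the original post uses (state, nonce, response_mode=query, scope=openid offline_access, and optionally sessionToken with prompt=none), checks the state on the redirect, extracts the code, and builds a token request body that carries code_verifier instead of client_secret. The domain, client id and redirect URI are placeholders; the parameter names code_challenge, code_challenge_method and code_verifier come from RFC 7636. No HTTP is sent, so it runs offline.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit


def b64url_nopad(raw: bytes) -> str:
    """base64url without '=' padding, the encoding RFC 7636 mandates."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy code_verifier: 32 random bytes -> 43 unreserved chars (RFC allows 43..128).
    Keep it on the device (memory or Keychain) until the token request; never send it to /authorize."""
    return b64url_nopad(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(domain, client_id, redirect_uri, state, nonce,
                        code_challenge, session_token=None):
    """Authorize URL as in the thread, plus the PKCE challenge. quote_via=quote keeps %20 in scope."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "response_mode": "query",
        "scope": "openid offline_access",
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    if session_token is not None:
        # sessionToken from /api/v1/authn lets the server skip the login page (prompt=none),
        # as the original post does.
        params["sessionToken"] = session_token
        params["prompt"] = "none"
    return f"https://{domain}/oauth2/v1/authorize?" + urlencode(params, quote_via=quote)


def extract_code(location: str, expected_state: str) -> str:
    """Parse the 302 Location; reject it unless state matches the value we generated."""
    query = parse_qs(urlsplit(location).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect was not produced by our authorize request")
    return query["code"][0]


def build_token_body(client_id, redirect_uri, code, code_verifier) -> dict:
    """Form body for POST /oauth2/v1/token. There is no client_secret: the verifier proves that
    the caller is the same client that sent the matching code_challenge."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": code_verifier,
    }


if __name__ == "__main__":
    # Constructed placeholders; the code value is the one shown in the thread's 302 response.
    domain, client_id = "example.okta.com", "CLIENT_ID_PLACEHOLDER"
    redirect_uri = "https://example.com/callback"
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    verifier = make_code_verifier()
    print(build_authorize_url(domain, client_id, redirect_uri, state, nonce,
                              make_code_challenge(verifier)))
    location = f"{redirect_uri}?code=3-AIN-UcpzYa3SRAacOn&state={state}"
    code = extract_code(location, state)
    print(urlencode(build_token_body(client_id, redirect_uri, code, verifier)))
```

The verifier must survive between the authorize redirect and the token POST, and the state check is what ties the returned code to the request this client actually made; a code arriving with an unknown state should be discarded rather than exchanged.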


#3

@nate.barbettini I have tried the whole thing without saving cookies also, but it didn't work.
Just yesterday it worked by merely adding an HTTP request header "Cookie" = "troute=t1".
We found this here. I searched about it but didn't find any solid information about it.
Do you have any idea what this header's value means?