The authorization code is invalid or has expired

I get the below error back many times per day when users post to /token. Does anyone know what can cause an auth code to become invalid or expired? Considering the auth code is typically immediately used to grab a token, what situation would allow it to expire?

{"error":"invalid_grant","error_description":"The authorization code is invalid or has expired."}

One thought comes to mind. If you double submit the code, it will be expired / invalid because it is already used.

You can check Okta's logs to see a pattern where a user is granted a token and then there is a failure.

When you are looking at the log, if you click on the code target (the one that isn’t in parentheses) you can see other requests using the same code.

Hope this helps! Let me know if this was the issue.

@tom
I am getting the same error while executing the below Okta API in SOAP UI: https://dev-451813.oktapreview.com/oauth2/default/v1/token?grant_type=authorization_code
with the below header parameters:
Content-Type: application/x-www-form-urlencoded
Authorization: Basic MG9hZG5lcDhyelJwcGI4WGUwaDc6bHNnLWhjYkh1eVA3VngtSDFhYmR0WC0ydDE2N1YwYXA3dGpFVW92MA==
Accept: application/json

The error I get is {"error":"invalid_grant","error_description":"The authorization code is invalid or has expired."}

Are you actually passing the code?

https://developer.okta.com/docs/api/resources/oidc#token

Could you resolve this issue? I am facing the same error. Also, I do not see any logs on the developer portal, so these codes are definitely not used once.

Hi @snsinha

Can you please open a support case with us at developers@okta.com in order to have one of our Developer Support Engineers further assist you?

I get the same error intermittently. I could track it down though: if the authorization code has a backslash symbol in it, the Okta API call to token throws this error. If not, it returns tokens. I get the authorization token with response_type=okta_form_post. I have verified this is only happening if I use okta_form_post; other response types seem to be working fine. Are you aware of this issue?

I’m using okta postman authorization collection to get the token with “Get ID Token with Code and PKCE”

If you are getting a response that says "The authorization code is invalid or has expired", then there are two possibilities.

  1. You or the service you are using that hit v1/token endpoint is taking too long to call the token endpoint. The expiry time for the code is very minimum.
  2. The code that you are receiving has backslashes in it.

Solution for Point 1: Don't take too long to call the endpoint. Suppose you are using Postman and you got the code from the v1/authorize endpoint. Copy it quickly, paste it into the v1/token endpoint and call it. The code expiration time is 30 to 60 sec.

Solution for Point 2: If you are receiving a code that has backslashes in it, then you must be using "response_mode=okta_post_message" in the v1/authorize call. Try to use "response_mode=form_post". It will minimize the possibility of a backslash occurrence. For safety purposes you can use a do-while loop in the code where you are trying to hit the authorization endpoint, so in case you receive a backslash in the code, it can hit the endpoint again to retrieve a code.

Hope it solves further confusion regarding the invalid code.
Thanks
Regards
Hasnain Haider
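The three causes raised in this thread (a double-submitted code, a code older than its short expiry window, and a code containing a backslash) can be checked on the client before the request is sent, and the invalid_grant reply can be recognised when it comes back. The example below is added for this thread; it is not Okta's code or any poster's, and the token URL, client credentials, code and timestamps are constructed sample values.

```python
import base64
import json
import time
from urllib.parse import urlencode

CODE_TTL_SECONDS = 60   # upper end of the 30-60 s window quoted above (assumption)
_redeemed = set()       # codes this client has already sent to /token

def build_token_request(token_url, client_id, client_secret, code,
                        redirect_uri, issued_at, now=None):
    """Return (url, headers, body) for the authorization_code grant.

    Raises ValueError before anything is sent if the code is already known
    to be unusable: reused, older than its expiry window, or containing a
    backslash (the symptom reported with okta_form_post / okta_post_message).
    """
    now = time.time() if now is None else now
    if code in _redeemed:
        raise ValueError("code already submitted once; a second /token call will fail")
    if "\\" in code:
        raise ValueError("code contains a backslash; request a fresh code from /authorize")
    if now - issued_at > CODE_TTL_SECONDS:
        raise ValueError("code is older than %d s and has probably expired" % CODE_TTL_SECONDS)
    _redeemed.add(code)
    # Client authentication is HTTP Basic over client_id:client_secret.
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
        "Authorization": "Basic " + creds,
    }
    body = urlencode({"grant_type": "authorization_code",
                      "code": code, "redirect_uri": redirect_uri})
    return token_url, headers, body

def classify_token_response(status, body_text):
    """Map a /token reply to a short diagnosis string for logging."""
    body = json.loads(body_text)
    if status == 200 and "access_token" in body:
        return "ok"
    if body.get("error") == "invalid_grant":
        return "invalid_grant: code expired, already redeemed, or malformed"
    return "other: " + body.get("error", "unknown")
```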
