From 6295bb34f9b5d3cc84e23b520e2a51fa427bbca6 Mon Sep 17 00:00:00 2001 From: Emelia Smith Date: Mon, 10 Mar 2025 10:18:51 +0100 Subject: [PATCH] Fix invalid scope parameter on authorization code token request (#1608) --- content/en/client/authorized.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/content/en/client/authorized.md b/content/en/client/authorized.md index 5e2a9d2..91063ff 100644 --- a/content/en/client/authorized.md +++ b/content/en/client/authorized.md 
@@ -55,24 +55,25 @@ Now that we have an authorization `code`, let's obtain an access token that will ```bash curl -X POST \ + -F 'grant_type=authorization_code' \ -F 'client_id=your_client_id_here' \ -F 'client_secret=your_client_secret_here' \ -F 'redirect_uri=urn:ietf:wg:oauth:2.0:oob' \ - -F 'grant_type=authorization_code' \ -F 'code=user_authzcode_here' \ - -F 'scope=read write push' \ https://mastodon.example/oauth/token ``` Note the following: +- We are requesting a `grant_type` of `authorization_code` - `client_id` and `client_secret` were provided in the response text when you registered your application. - `redirect_uri` must be one of the URIs defined when registering the application. -- We are requesting a `grant_type` of `authorization_code`, which still defaults to giving us the `read` scope. However, while authorizing our user, we requested a certain `scope` -- pass the exact same value here. - The `code` can only be used once. If you need to obtain a new token, you will need to have the user authorize again by repeating the above [Authorize the user]({{< relref "client/authorized#authorize-the-user" >}}) step. The response of this method is a [Token]({{< relref "entities/token" >}}) entity. We will need the `access_token` value. Once you have the access token, save it in your local cache. +The `scope` of resulting Access Token will be the scopes approved during the [Authorization Request]({{< relref "client/authorized#login" >}}) + {{< hint style="warning" >}} Treat the `access_token` as if it were a password. We recommend you encrypt this value when storing in your cache, to prevent accidental credential exposure. {{< /hint >}}
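Review bot: the added sentence `The scope of resulting Access Token will be the scopes approved during the [Authorization Request](...)` is missing an article and its terminal period, and its relref anchor `client/authorized#login` differs from the `client/authorized#authorize-the-user` anchor that the unchanged `code` bullet uses for what reads as the same step; suggest "The `scope` of the resulting access token will be the scopes approved during the [Authorization Request]({{< relref "client/authorized#authorize-the-user" >}}) step." after confirming which anchor actually exists in the page, and give the new `We are requesting a grant_type of authorization_code` bullet the trailing period its neighbours have. Since this change makes clear that the scope is fixed at authorization time and can no longer be influenced at the token request, it would also help readers to say explicitly that they should read the `scope` field of the returned Token entity rather than assume every scope they asked for was approved.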