Authorization Code Grant Flow Error Messages in the Login Audit Trail

The following table lists errors that are visible in the Detail column of the Login Audit Trail Results.

Problem

Authorization Code Grant Flow Step One

Authorization Code Grant Flow Step Two

Resolution

The integration application has empty scope or the scope in the token does not match the scope in the integration record.

ScopeMismatched

ScopeMismatched

Ensure that either the RESTlets or REST Web Services box is checked in the corresponding integration record. For more information, see Create Integration Records for Applications to Use OAuth 2.0.

The integration application does not use OAuth 2.0.

AuthorizationCodeGrantRequired

AuthorizationCodeGrantRequired

Ensure that the Authorization Code Grant box is checked in the corresponding integration record. For more information, see Create Integration Records for Applications to Use OAuth 2.0.

Role or entity is inactive.

EntityOrRoleDisabled

Verify that the entity or role is active in the account.

The value of the state parameter is invalid.

InvalidState

Ensure that the value of the state parameter:

  • is 22 to 1024 characters long

  • consists of printable ASCII characters

Client ID or client secret is invalid.

UnknownIntegration

ClientAuthenticationFailed

Ensure that you use the correct values of the client ID and client secret for the corresponding integration record.

The value of the redirect URI parameter is invalid.

InvalidRedirectURI

Ensure that the redirect URI is a valid URL. For more information, see Create Integration Records for Applications to Use OAuth 2.0.

The response type is invalid.

UnsupportedResponseType

The response type used is not valid for this step of the authorization code grant flow. For more information, see Step One GET Request to the Authorization Endpoint.

The user clicked Deny/Back on the consent screen.

AuthorizationExplicitlyDenied

Start the OAuth 2.0 authorization code grant flow again and click Allow/Continue on the consent screen.

The value of the grant type parameter is either invalid or wrong.

InvalidGrantType

Ensure that the grant type value used is the correct one in the corresponding step of the authorization code grant flow. For more information, see OAuth 2.0 Authorization Code Grant Flow.

The OAuth 2.0 feature is not enabled in the account.

FeatureDisabled

FeatureDisabled

See Enable the OAuth 2.0 Feature.

The integration record is blocked.

IntegrationBlocked

IntegrationBlocked

Ensure that the value of the State field is set to Enabled on the corresponding integration record. For more information, see Create Integration Records for Applications to Use OAuth 2.0.

Parameters for the Proof Key for Code Exchange (PKCE) are missing or malformed.

InvalidRequest

If you use PKCE in OAuth 2.0, make sure you configured the parameters correctly. For more information, see Step One GET Request to the Authorization Endpoint.

The code_verifier parameter in Step Two does not match the code_verifier parameter in Step One.

InvalidGrant

If you use PKCE in OAuth 2.0, make sure you configured the parameters correctly. For more information, see Step One GET Request to the Authorization Endpoint, and Step Two POST Request to the Token Endpoint.
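The InvalidState, InvalidRequest and InvalidGrant rows above can be caught before any request is sent. The following is an added example, not code from this documentation: a client-side pre-flight check in Python that applies the state limits listed above and, for PKCE, assumes the S256 method and verifier rules of RFC 7636 (this page does not name the method). All function names are hypothetical.

```python
import base64
import hashlib
import secrets
import string

# Limits for the state parameter as listed in the InvalidState row above.
STATE_MIN, STATE_MAX = 22, 1024
# Printable ASCII is taken here as 0x20-0x7E; whether the service accepts the
# space character is not stated on the page, so new_state() never emits one.
PRINTABLE = {chr(c) for c in range(0x20, 0x7F)}
# RFC 7636 section 4.1: verifier is 43-128 characters from the unreserved set.
VERIFIER_CHARS = set(string.ascii_letters + string.digits + "-._~")

def new_state(nbytes=32):
    """Random CSRF state; 32 bytes encode to 43 URL-safe characters."""
    return secrets.token_urlsafe(nbytes)

def state_problems(state):
    """Return the reasons a state value would be rejected (empty list = OK)."""
    problems = []
    if not STATE_MIN <= len(state) <= STATE_MAX:
        problems.append(f"length {len(state)} outside {STATE_MIN}-{STATE_MAX}")
    if any(ch not in PRINTABLE for ch in state):
        problems.append("contains non-printable or non-ASCII characters")
    return problems

def s256_challenge(verifier):
    """code_challenge = BASE64URL(SHA256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def new_pkce_pair():
    """Return (code_verifier for Step Two, code_challenge for Step One)."""
    verifier = secrets.token_urlsafe(64)  # 86 characters, all unreserved
    return verifier, s256_challenge(verifier)

def verifier_problems(verifier, challenge_sent_in_step_one):
    """Check the Step Two verifier against the value sent in Step One."""
    problems = []
    if not 43 <= len(verifier) <= 128:
        problems.append("code_verifier length outside 43-128")
    if any(ch not in VERIFIER_CHARS for ch in verifier):
        problems.append("code_verifier has characters outside the unreserved set")
    elif s256_challenge(verifier) != challenge_sent_in_step_one:
        problems.append("code_verifier does not hash to the Step One challenge")
    return problems
```

Store the verifier and state server-side for the session that started Step One, and run `verifier_problems` just before the Step Two POST so that a mismatch is caught locally instead of appearing as InvalidGrant in the audit trail.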

Related Topics

OAuth 2.0
OAuth 2.0 Tasks for Administrators
OAuth 2.0 for Integration Application Developers
Troubleshooting OAuth 2.0
OAuth 2.0 and the Login Audit Trail
