
Discord Oauth2 receiving 'invalid client' error

I had Discord Oauth2 implemented so that my users could log into my website by authenticating through Discord. For months, everything worked great, and now all of a sudden it stopped working.

Per Discord's oauth2 instructions, https://discordapp.com/developers/docs/topics/oauth2#shared-resources, I am able to successfully acquire the access code that is meant to be traded for the access token. However, when I try to receive the access token I receive an 'invalid_client' error.

First, I am hitting this endpoint:

https://discordapp.com/api/oauth2/authorize?client_id=${process.env.CLIENT_ID}&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2Flogin%2Fdiscord%2Fcallback&response_type=code&scope=identify%20email%20gdm.join

which successfully returns the following:

http://localhost:5000/login/discord/callback?code={some_access_code}

The access code is then sent back to discord to obtain the access token. Here is the code that is failing:

export function getDiscordAccessToken(accessCode, call) {
  const redirect = call === 'login' ? process.env.DISCORD_LOGIN_REDIRECT : process.env.DISCORD_CONNECT_REDIRECT


  return new Promise((resolve, reject) => {

    axios
      .post(
        `https://discordapp.com/api/oauth2/token?client_id=${process.env.DISCORD_CLIENTID}&client_secret=${process.env.DISCORD_SECRET}&grant_type=authorization_code&code=${accessCode}&redirect_uri=${redirect}&scope=identify%20email%20gdm.join`
    )
      .then(res => {
        resolve(res.data)
      })
      .catch(err => {
        // log error to db
        console.log("Here is your error: ", err.response)
        reject(err.response)
      })
  })
}

This code was working for months with no problems. Then, all of a sudden, it stopped working. I even checked the Discord change logs, which can be found here, https://discordapp.com/developers/docs/change-log, but I found no reference to authentication changes.

Any help you can provide is greatly appreciated!

Kyle Pendergast asked Sep 19 '25 05:09


1 Answer

The query parameters should be in the BODY of the POST request, not the URL for the oauth/token url.

Discord recently pushed an update to the OAuth2 which makes it conform more with the standard. This means they no longer support parameters in the URL for POST, but instead require them to be in the body and form encoded (basically the same, but in the body and without the leading ?).

So you basically need (not tested):

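 axios.post(
        `https://discordapp.com/api/oauth2/token`,
        // Form-encoded body; exchanging a code uses the authorization_code grant
        `client_id=${process.env.DISCORD_CLIENTID}&client_secret=${process.env.DISCORD_SECRET}&grant_type=authorization_code&code=${accessCode}&redirect_uri=${redirect}&scope=identify%20email%20gdm.join`,
        { headers: { 'Content-Type': 'application/x-www-form-urlencoded' } }
       )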
Lachee answered Sep 23 '25 12:09
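The body-encoded token exchange described in the answer, as an added example that is not part of the original post or Discord's own code. The function names (`buildTokenRequest`, `redactError`, `exchangeCode`) are hypothetical, `httpPost` is assumed to have the `axios.post(url, data, config)` signature, and the `error` field in the failure response is assumed to follow the standard OAuth2 error format. It also avoids logging the whole `err.response`, whose request config contains the client secret.

```javascript
// Added example; helper names are hypothetical, endpoint is the one from the post.
const TOKEN_URL = 'https://discordapp.com/api/oauth2/token';

// Build the token request with every parameter form-encoded in the body,
// so the client secret never appears in a URL (and in URL-based logs).
function buildTokenRequest({ clientId, clientSecret, code, redirectUri }) {
  const body = new URLSearchParams({
    client_id: clientId,
    client_secret: clientSecret,
    grant_type: 'authorization_code', // a code is being exchanged
    code,
    redirect_uri: redirectUri, // must match the authorize step; encoded here
  }).toString();
  return {
    url: TOKEN_URL,
    body,
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
  };
}

// Keep only fields that are safe to log. err.response.config carries the
// request body, which includes client_secret.
// Assumption: the error payload has an OAuth2-style `error` field.
function redactError(err) {
  const res = (err && err.response) || {};
  return { status: res.status, error: res.data && res.data.error };
}

// httpPost is assumed to behave like axios.post(url, data, config).
async function exchangeCode(httpPost, params) {
  const { url, body, headers } = buildTokenRequest(params);
  try {
    const res = await httpPost(url, body, { headers });
    return res.data;
  } catch (err) {
    throw Object.assign(new Error('token exchange failed'), redactError(err));
  }
}
```

Call it as `exchangeCode(axios.post, { clientId, clientSecret, code, redirectUri })`, passing the raw (unencoded) redirect URI.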