access_token endpoint gets 400 Bad Request

New Member

Hello,

I am trying the OmniAuth Shopify flow for developing an app for Shopify, following the instructions given in the links below:

https://shopify.dev/tutorials/build-a-shopify-app-with-ruby-and-sinatra
https://help.shopify.com/en/api/getting-started/authentication/oauth
https://github.com/Shopify/omniauth-shopify-oauth2/

I'm stuck when I make a 'POST' request to retrieve the access token. I am sending all the needed parameters, i.e. (client_id, client_secret and code), in the request body in JSON format, but I am receiving 400 Bad Request. The response also shows "Oauth error invalid_request: The authorization code was not found or was already used".

Can you please help me with this?

0 Likes
Shopify Staff

Hey @dror1 

I believe the OAuth auth code can only be used a single time to retrieve the access token. My guess is that somewhere in your omniauth setup, you are duplicating the call to Shopify and thus getting the error message. 

Kevin_A | Developer Support @ Shopify

0 Likes
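Added example, not part of the thread and not Shopify's or OmniAuth's code: authorization codes are single-use (RFC 6749, section 4.1.2), so the second of two exchanges for the same code is rejected, and a small client-side guard can record which code path made the first one. `FakeTokenEndpoint`, `CodeExchangeGuard`, the caller labels and the response shapes are constructed for illustration; only the error text is taken from the question.

```ruby
require 'set'
require 'digest'

# Constructed stand-in for a token endpoint that enforces single-use codes.
class FakeTokenEndpoint
  def initialize(issued_codes)
    @unused = Set.new(issued_codes)
  end

  def exchange(code)
    # Set#delete? returns nil when the code was never issued or is already spent.
    return { status: 200, body: { 'access_token' => 'constructed-token' } } if @unused.delete?(code)

    { status: 400, body: { 'error' => 'invalid_request',
                           'error_description' => 'The authorization code was not found or was already used' } }
  end
end

# Client-side guard: records which caller first sent each code, so a repeat
# is reported locally instead of surfacing only as a 400 from the server.
class CodeExchangeGuard
  attr_reader :duplicates

  def initialize(endpoint)
    @endpoint = endpoint
    @first_caller = {}
    @duplicates = []
  end

  def exchange(code, caller_label)
    key = Digest::SHA256.hexdigest(code) # index by digest, never store the raw code
    if @first_caller.key?(key)
      @duplicates << { first: @first_caller[key], second: caller_label }
      return { status: :skipped, body: {} }
    end
    @first_caller[key] = caller_label
    @endpoint.exchange(code)
  end
end

def demo
  bare = FakeTokenEndpoint.new(['code-abc'])
  unguarded = Array.new(2) { bare.exchange('code-abc')[:status] }
  guard = CodeExchangeGuard.new(FakeTokenEndpoint.new(['code-xyz']))
  guarded = %w[middleware auth_callback].map { |who| guard.exchange('code-xyz', who)[:status] }
  { unguarded: unguarded, guarded: guarded, duplicates: guard.duplicates }
end
```

In a real app the guard would wrap every place that posts to the token endpoint, and the `duplicates` list then names the two callers involved.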
New Member

Hi, thank you for your answer.

I am pretty sure that's not the case. My app is in its very first steps, and all I do in it is get the auth callback (after the user submits his shop name using OmniAuth), validate it and try to obtain the token.
Additionally, I am using httplog to log my outgoing communication, and no further calls were made.

Here is my code (all of it):

 

  def auth_callback
    # extract shop data from request parameters
    shop = request.params['shop']
    code = request.params['code']
    hmac = request.params['hmac']

    # perform hmac validation to determine if the request is coming from Shopify
    h = request.params.reject { |k, _| k == 'hmac' }
    query = URI.escape(h.sort.collect { |k, v| "#{k}=#{v}" }.join('&'))
    digest = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), SHOPIFY_API_SECRET, query)

    # hmac.to_s: a missing hmac parameter fails the comparison instead of raising
    unless ActiveSupport::SecurityUtils.secure_compare(digest, hmac.to_s)
      # do not echo the computed digest: it is the valid signature for the submitted parameters
      return [403, "Authentication failed."]
    end

    # exchange the single-use authorization code for an access token
    payload = { client_id: SHOPIFY_API_KEY, client_secret: SHOPIFY_API_SECRET, code: code }
    url = "https://#{shop}/admin/oauth/access_token"
    response = HTTParty.post(url, body: payload)

    if response.code == 200
      session = ShopifyAPI::Session.new(shop, response['access_token'])
      ShopifyAPI::Base.activate_session(session)
    else
      # This call always responds "400 - Oauth error invalid_request, Oauth error invalid_request: The authorization code was not found or was already used"
      return [500, "Something went wrong."]
    end

    head :ok
  end

 

 

0 Likes