During "Access Token Request", "code" obtained from "Authorization Request" immediately expires and returns status 400 with message: {"error":"invalid_grant","error_description":"The authorization code has expired"} #91

Open
cube-dan opened this issue Oct 20, 2022 · 3 comments

Comments

@cube-dan

I'm working through the instructions to obtain a TSheets OAuth2 token.

After successfully obtaining a code from an *authorization request (Step 1. Authorization Request), I'm redirected to the correct redirect_uri with the code (and state) param appended from the TSheets server.

After immediately (within 30 seconds) using the returned code value, for example S.19__10c14c11360ee25cae2826fdf21de49c38df9345, in a cURL request to request an Access Token (Step 2. Access Token Request), I get an access denied message:

```
{"error":"invalid_grant","error_description":"The authorization code has expired"}
```

Here's an example of the cURL request that is returning the 400:

```
curl -i -X POST https://rest.tsheets.com/api/v1/grant -d 'grant_type=authorization_code&client_id=**MY_KEY_VALUE**&client_secret=**MY_APP_SECRET_VALUE**&code=S.19__10c14c11360ee25cae2826fdf21de49c38df9345&redirect_uri=https%3A%2F%2Fdomain.com%2Fcallback%2Fpath%2Fhere'
```

Here's the cURL output:

```
HTTP/1.1 400 Bad Request
Date: Thu, 20 Oct 2022 03:20:57 GMT
Content-Type: application/json
Content-Length: 82
Server: Apache
Strict-Transport-Security: max-age=300; includeSubDomains
Cache-Control: private, must-revalidate

{"error":"invalid_grant","error_description":"The authorization code has expired"}
```

Am I missing something or is this a bug?

*My authorization request follows these instructions:

"This first step consists of a user authorizing your application to access their information on TSheets. To do this, you'll create a link somewhere on your site that they can use to initiate the process. The link will contain several parameters that are necessary for TSheets to consider it valid. The user should use a web browser to follow the link and perform the authorization request."

@adamc112
Collaborator

Hi @cube-dan, I’m from the TSheets team. Thank you for trying out our API! We’ve been looking into this; we’re not able to reproduce the issue unfortunately. It looks like you’re taking the right steps (calling /authorize, passing the returned code into /grant). Can you give it another shot and let us know what happens? Please be sure to call /grant immediately after obtaining the code. Also be sure to capture timestamps if possible (time at which you called /authorize, and also /grant) as that may help us in our debugging.
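
Added example, not part of the thread or of the TSheets documentation: one way to capture the timestamps requested above as a record that can be posted publicly without the full authorization code or the client secret. The function names and sample values are constructed for illustration; the parameter names and the `Date` header format are those shown in the cURL request and output earlier in the thread.

```python
import json
from email.utils import parsedate_to_datetime
from urllib.parse import parse_qs, urlencode, urlsplit

def parse_callback(callback_url):
    """Return (code, state) from the redirect the browser landed on."""
    query = parse_qs(urlsplit(callback_url).query)
    return query["code"][0], query.get("state", [None])[0]

def grant_body(code, client_id, client_secret, redirect_uri):
    """Form body for the /grant POST; urlencode escapes redirect_uri."""
    return urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
    })

def mask(value, keep=6):
    """Keep a short prefix for correlation and hide the rest."""
    return value[:keep] + "..."

def timing_record(code, authorize_unix, grant_unix, status, headers, body):
    """Build a record that is safe to post: unix times, clock skew, error.

    authorize_unix / grant_unix are local time.time() readings taken when the
    code arrived at the callback and when /grant was called.
    """
    server_unix = int(parsedate_to_datetime(headers["Date"]).timestamp())
    try:
        error = json.loads(body).get("error")
    except ValueError:
        error = None
    return {
        "code_prefix": mask(code),
        "authorize_unix": authorize_unix,
        "grant_unix": grant_unix,
        "seconds_between": grant_unix - authorize_unix,
        "local_minus_server": grant_unix - server_unix,  # local clock skew
        "status": status,
        "error": error,
    }

# Constructed sample values (not taken from a real exchange).
SAMPLE_CALLBACK = "https://domain.com/callback/path/here?code=S.00__constructed0123&state=abc"
SAMPLE_HEADERS = {"Date": "Thu, 20 Oct 2022 03:20:57 GMT"}
SAMPLE_BODY = '{"error":"invalid_grant","error_description":"The authorization code has expired"}'
```

A large `local_minus_server` value points at clock skew on the client rather than at the code's lifetime.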

@cube-dan
Author

AdamC,

Thanks for taking a look. As I stated at the open, I'm calling /grant immediately (within 30 sec); however, I can see how having timestamps for my requests would help you debug this issue. I'll give it another try and let you know what I find in this thread, this time including the unix time when I called /authorize and the follow-up call to /grant.

As a workaround I've had the client add an access token that expires ≈10 years from now. This works to allow the app to make tsheets API requests, without refreshing the access token, but I shouldn’t have to do this.

To help you get this debugged on your end, is there anything I can pass along with my requests, perhaps a header or extra URL argument, that would help you to identify my requests in the ocean of requests that you guys would have to sort through if you tried to identify mine?

Oh ... one more thing. The requests above were made with keys from a TSheets 30 day trial account → using the toggle switch on this page: https://quickbooks.intuit.com/time-tracking/pricing/

Would that have caused all authorization requests to come back as 400's?

-Dan

@adamc112
Collaborator

Hi @cube-dan, thanks for confirming. We appreciate your patience. Totally agree that you shouldn't have to perform the workaround:

> This works to allow the app to make tsheets API requests, without refreshing the access token, but I shouldn’t have to do this.

The toggle switch shouldn't affect the OAuth flow:

> Oh ... one more thing. The requests above were made with keys from a TSheets 30 day trial account → using the toggle switch:

Can you confirm the company name on the QuickBooks Time (formerly TSheets) account? You can find the company name via the Company Settings UI. The company name in conjunction with the unix timestamps should be enough for us to track the requests (no need to send special headers, etc).
