API authentication help


I’m working on a browser extension that allows one-click addition of specific observation field values. I’ve got it working locally using the resource owner password credentials authentication flow to get a token for the API. I don’t want to use that in the production version because the code includes my personal iNat login info. I am trying to replace it with the PKCE flow, and I think I have the request generated correctly but it is rejecting my request. I have also been able to authenticate using the Authorization code flow in R, but that requires my app secret and I don’t want to include that in the extension either. Can someone take a look at what I’m doing and help me figure out why the PKCE request is being rejected?

The code I am using in this aspect should all be available here: https://github.com/Megachile/authtest

Note that to test it, you will need to load any page that begins with the URL https://www.inaturalist.org/observations/identify This will prompt the extension to open the page where it gets the code it uses in the authentication step. The majority of the relevant code runs in background.js so be sure to check the background (service worker) console output to see what is happening.


1 Like

if you’re going to use the PKCE flow, i think your app – this one, i suppose: https://www.inaturalist.org/oauth/applications/824 – should be set as confidential = false


That was definitely something I needed to do and it has changed the behavior I get (it redirects to a permission site before it goes to the code site) but the actual API token request still fails.

Error: Response not OK: 400 Bad Request. Body: {"error":"invalid_grant","error_description":
"The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."}
1 Like

i guess you should check to see if the URL associated with your app definition is the page that you plan to use to get your token?

1 Like

the redirect URL is the same if that’s what you mean

1 Like

Currently thinking there must be something wrong with the way I am encoding it; I just let GPT4 write all of that and I’m trying to verify that the code actually works now.

1 Like

Found the issue–I had somehow applied the Base-64 hashing step twice, which of course made it unrecognizable to the API. Everything works now–thanks for your help as always!