I’m working on a browser extension that allows one-click addition of specific observation field values. I’ve got it working locally using the resource owner password credentials authentication flow to get a token for the API. I don’t want to use that in the production version because the code includes my personal iNat login info. I am trying to replace it with the PKCE flow, and I think I have the request generated correctly but it is rejecting my request. I have also been able to authenticate using the Authorization code flow in R, but that requires my app secret and I don’t want to include that in the extension either. Can someone take a look at what I’m doing and help me figure out why the PKCE request is being rejected?
Note that to test it, you will need to load any page that begins with the URL https://www.inaturalist.org/observations/identify This will prompt the extension to open the page where it gets the code it uses in the authentication step. The majority of the relevant code runs in background.js so be sure to check the background (service worker) console output to see what is happening.
That was definitely something I needed to do and it has changed the behavior I get (it redirects to a permission site before it goes to the code site) but the actual API token request still fails.
Error: Response not OK: 400 Bad Request. Body: {"error":"invalid_grant","error_description":
"The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."}
Currently thinking there must be something wrong with the way I am encoding it; I just let GPT4 write all of that and I’m trying to verify that the code actually works now.
Found the issue–I had somehow applied the Base-64 hashing step twice, which of course made it unrecognizable to the API. Everything works now–thanks for your help as always!