Unusual oauth2 error -- `redirect_uri_mismatch` on token request

[jkingsman]

When attempting to use the oauth2 flow, I authorize:

https://www.tumblr.com/oauth2/authorize?client_id=<client_id_redacted>&response_type=code&scope=basic&state=<state_redacted>&redirect_uri=<redacted_uri>

My redirect URI is exactly what's in place in my application config for both default callback and oauth2 redirect URLs. That works fine; I get my code and verify my state. Then I attempt a grant (as exemplified in https://www.tumblr.com/docs/en/api/v2#step-three-retrieve-an-access-token):

curl \
    -F grant_type=authorization_code \
    -F code=<code_redacted> \
    -F client_id=<client_id_redacted> \
    -F client_secret=<client_secret_redacted> \
    https://api.tumblr.com/v2/oauth2/token

and then I get

{"error":"redirect_uri_mismatch","error_description":"The redirect URI is missing or do not match","error_uri":"http:\/\/tools.ietf.org\/html\/rfc6749#section-4.1.3"}

I'm really confused by this; the oauth redirect has already happened successfully (so I'm assuming that means Tumblr's happy with my redirect URI), but there's no redirect URI involved with redeeming my token for credentials... right?

Thanks for any help you can offer!

[cyle]

Hello @jkingsman -- this looks like it may be a bug on our side, we'll look into it and get back to you!

[sanmai]

Looking at RFC 6749, section 4.1.3, Access Token Request:.

redirect_uri — REQUIRED, if the "redirect_uri" parameter was included in the authorization request as described in Section 4.1.1, and their values MUST be identical.

Otherwise put, quoting on the simplified OAuth 2 description:

If the redirect URI was included in the initial authorization request, the service must require it in the token request as well. The redirect URI in the token request must be an exact match of the redirect URI that was used when generating the authorization code. The service must reject the request otherwise.

We'll update the documentation to mention this fact.

Can you confirm you don't have this issue if you omit redirect_uri in your initial authorization request?

[jkingsman]

Thanks for the info! Apologies for not ferreting that out in the RFC 😳 I'm not going to be in front of my keyboard for a few weeks unfortunately; I'll do my best to check when I get back from vacation though! Sorry for the delay.