ppy / osu-web

the browser-facing portion of osu!
https://osu.ppy.sh
GNU Affero General Public License v3.0

Authorization grant type not supported by authorization server #8215

Closed InsaneSlay closed 2 years ago

InsaneSlay commented 2 years ago

Currently using the v2 API to attempt to receive an access token. However, when following the instructions based on https://osu.ppy.sh/docs/index.html?javascript#client-credentials-grant (just ported to C#),

I receive the error listed in the title.

Code Snippet

peppy commented 2 years ago

This is like the 5th time this has come up. I believe it's because you're using post parameters, not JSON in request body. Which by the documentation seems like it should work fine.

If that's the reasoning, is there any reason we don't support post parameters or headers for these requests? If there's a valid reason, it definitely needs to be clearly stated and explained in the docs.

nanaya commented 2 years ago

Passing client secret in query string is generally a bad practice.

InsaneSlay commented 2 years ago

> This is like the 5th time this has come up. I believe it's because you're using post parameters, not JSON in request body. Which by the documentation seems like it should work fine.
>
> If that's the reasoning, is there any reason we don't support post parameters or headers for these requests? If there's a valid reason, it definitely needs to be clearly stated and explained in the docs.

ah I'm an idiot, works fine now. Rookie mistake, thanks peppy snippet

peppy commented 2 years ago

@nanaya in the case of a POST, can't we differentiate between query string and POST? In this user's case they aren't using the query string.

nanaya commented 2 years ago

not sure what you mean by "differentiate between query string and POST"

Body parameter (as form) is supported.

```
$ http -v --form post https://on.nanaya.pro/oauth/token grant_type=client_credentials client_id=187 client_secret=x scope='public'
POST /oauth/token HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Length: 72
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Host: on.nanaya.pro
User-Agent: HTTPie/2.4.0

grant_type=client_credentials&client_id=187&client_secret=x&scope=public

HTTP/1.1 401 Unauthorized
Cache-Control: private, must-revalidate
Connection: keep-alive
Content-Type: application/json
Date: Thu, 14 Oct 2021 05:53:19 GMT
Expires: -1
Pragma: no-cache
Server: nginx/1.21.0
Server-Timing: app; dur=8.0540180206299; desc="Application", db; dur=0.47; desc="Database", timeline-event-0; dur=7.655143737793; desc="Controller"
Set-Cookie: x-clockwork=%7B%22requestId%22%3A%221634190799-5754-1245013499%22%2C%22version%22%3A%225.1.0%22%2C%22path%22%3A%22%5C%2F__clockwork%5C%2F%22%2C%22webPath%22%3A%22clockwork%5C%2Fapp%22%2C%22token%22%3A%22b485d936%22%2C%22metrics%22%3Atrue%2C%22toolbar%22%3Atrue%7D; expires=Thu, 14-Oct-2021 05:54:19 GMT; path=/; samesite=lax
Transfer-Encoding: chunked
X-Clockwork-Id: 1634190799-5754-1245013499
X-Clockwork-Version: 5.1.0
X-Ratelimit-Limit: 60
X-Ratelimit-Remaining: 59

{
    "error": "invalid_client",
    "error_description": "Client authentication failed",
    "message": "Client authentication failed"
}
```

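The thread's diagnosis is that the client-credentials parameters ended up somewhere other than the POST body (form-encoded or JSON), so the server never saw a `grant_type` it recognised, and nanaya's point is that a token endpoint should not accept the client secret from the query string at all. The following is an added illustration, not code from osu-web or from anyone in this thread: it models a token endpoint that reads grant parameters only from the request body and rejects a secret carried in the URL, alongside a client helper that builds the request correctly. The endpoint logic, the error strings, the hypothetical `KNOWN_CLIENT_ID`/`KNOWN_SECRET` values and the `expires_in` value are all constructed for the example and are not osu-web's implementation.

```python
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed credentials for the example only (not real osu! client credentials).
KNOWN_CLIENT_ID = "187"
KNOWN_SECRET = "example-secret"


def build_token_request(client_id: str, client_secret: str, scope: str = "public") -> dict:
    """Client side: client-credentials grant with every parameter in the form body.

    The query string stays empty, so the secret never appears in URLs, access
    logs, referrers or proxy caches.
    """
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    })
    return {
        "method": "POST",
        "target": "/oauth/token",
        "headers": {"Content-Type": "application/x-www-form-urlencoded; charset=utf-8"},
        "body": body,
    }


def _body_params(request: dict) -> dict:
    """Read grant parameters from the body only, accepting form encoding or JSON."""
    ctype = request["headers"].get("Content-Type", "").split(";")[0].strip().lower()
    if ctype == "application/x-www-form-urlencoded":
        return {k: v[0] for k, v in parse_qs(request["body"]).items()}
    if ctype == "application/json":
        return json.loads(request["body"] or "{}")
    return {}


def handle_token_request(request: dict) -> tuple:
    """Server side: hypothetical token endpoint returning (status, json_body)."""
    query = parse_qs(urlsplit(request["target"]).query)
    if "client_secret" in query:
        # Refuse outright rather than silently using a secret that is now in the URL.
        return 400, {"error": "invalid_request",
                     "error_description": "client_secret must not be sent in the query string"}

    params = _body_params(request)
    if params.get("grant_type") != "client_credentials":
        # This is the failure mode from the issue: parameters outside the body
        # mean no usable grant_type is found.
        return 400, {"error": "unsupported_grant_type",
                     "error_description": "Authorization grant type not supported by authorization server"}

    if not (secrets.compare_digest(params.get("client_id", ""), KNOWN_CLIENT_ID)
            and secrets.compare_digest(params.get("client_secret", ""), KNOWN_SECRET)):
        return 401, {"error": "invalid_client",
                     "error_description": "Client authentication failed"}

    return 200, {"token_type": "Bearer", "expires_in": 86400,  # constructed lifetime
                 "access_token": secrets.token_urlsafe(32)}


if __name__ == "__main__":
    good = build_token_request(KNOWN_CLIENT_ID, KNOWN_SECRET)
    print(handle_token_request(good)[0])  # correct form-body request
    misplaced = {"method": "POST",
                 "target": "/oauth/token?grant_type=client_credentials&client_id=187",
                 "headers": {"Content-Type": "application/x-www-form-urlencoded"},
                 "body": ""}
    print(handle_token_request(misplaced))  # parameters in the URL, empty body
```

The two rejection branches are deliberately distinct: a secret in the query string is refused even when the body is otherwise valid, while parameters that merely landed in the wrong place produce the `unsupported_grant_type` error seen in this issue, which is the clue that the HTTP client put them somewhere other than the body.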
peppy commented 2 years ago

Ah, no worries then. I misread that the user's using a different C# class here which handles the AddParameter call differently. The one we use automatically puts it in the POST body where the request type is a POST.

nanaya commented 2 years ago

I'll update the docs to make it clearer as well.