soundcloud / api

A public repo for our Developer Community to engage about bugs and feature requests on our Public API

POST to /oauth2/token/ returns 401 #239

Closed thomasthiriez closed 1 year ago

thomasthiriez commented 1 year ago

Title: POST to /oauth2/token/ returns 401

Issue found of: April 3rd, 2023

Endpoint(s):

Scope(s):

Steps to reproduce:

My iOS app uses an NSURLRequest to perform the request. If I use curl to do the exact same request, it works fine. I have intercepted the requests made by both methods and they are identical. I don't understand what is causing the NSURLRequest one to fail. The curl command looks like this:

curl -v -X POST "https://api.soundcloud.com/oauth2/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=authorization_code" \
  -d "client_id=xxx" \
  -d "client_secret=xxx" \
  -d "redirect_uri=twistedwave://oauth2" \
  -d "code=xxx"

Expected behaviour:

The request should return an access token and refresh token to be used for subsequent requests.

Actual behaviour:

The request returns a status code of 401.

The body of the response contains this:

{"code":401,"message":"A request must contain the Authorization header. For details please refer to https://developers.soundcloud.com/blog/security-updates-api.","link":"https://developers.soundcloud.com/docs/api/explorer/open-api","status":"401 - Unauthorized","errors":[{"error_message":"A request must contain the Authorization header. For details please refer to https://developers.soundcloud.com/blog/security-updates-api."}],"error":null}

I am using the /oauth2/token/ endpoint to get an access token. I don't have an access token yet. Why am I therefore asked for an authorization header? Why would that endpoint return that kind of error?

thomasthiriez commented 1 year ago

Ah, I found the problem!

In my NSURLRequest code, I was using the https://api.soundcloud.com/oauth2/token/ endpoint, with a / at the end. It used to work, but SoundCloud now returns the 401 error code when it is used with the /. Removing it fixed the problem.
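
The two requests in this issue differed only in the trailing `/` of the request path, which is easy to miss when comparing captures by eye. As an added example (not part of the original thread or SoundCloud's code; the sample captures are constructed and `parse_request` / `diff_requests` are hypothetical helper names), this compares two raw HTTP requests field by field without normalising the path:

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample captures (not real traffic); secrets are placeholders.
CURL_REQ = (
    "POST /oauth2/token HTTP/1.1\r\n"
    "Host: api.soundcloud.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "grant_type=authorization_code&client_id=xxx&client_secret=xxx"
    "&redirect_uri=twistedwave%3A%2F%2Foauth2&code=xxx"
)
# Same request as sent by the app, with the trailing slash on the path.
APP_REQ = CURL_REQ.replace("POST /oauth2/token ", "POST /oauth2/token/ ", 1)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, headers and form fields."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "method": method,
        "path": urlsplit(target).path,  # kept byte for byte, no normalisation
        "headers": headers,
        "form": dict(parse_qsl(body, keep_blank_values=True)),
    }


def diff_requests(raw_a, raw_b):
    """Return a list of (field, value_a, value_b) for every difference."""
    a, b = parse_request(raw_a), parse_request(raw_b)
    diffs = [(k, a[k], b[k]) for k in ("method", "path") if a[k] != b[k]]
    for part in ("headers", "form"):
        for key in sorted(set(a[part]) | set(b[part])):
            va, vb = a[part].get(key), b[part].get(key)
            if va != vb:
                diffs.append((f"{part}.{key}", va, vb))
    return diffs


if __name__ == "__main__":
    for field, left, right in diff_requests(CURL_REQ, APP_REQ):
        print(f"{field}: {left!r} != {right!r}")
```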