Authentication error ("oauth2: server response missing access_token")

[markkuit]

I'm facing issues authenticating for a simple OverviewOf query. I created the API app in my account ("script" type) and registered it for Reddit API usage, but I cannot seem to get it to authenticate correctly. I'm wondering if it might have to do with MFA.

Here is a snippet to reproduce the issue along with its output:

package main

import (
    "context"
    "fmt"
    "log"

    "github.com/vartanbeno/go-reddit/v2/reddit"
)

const (
    id       = "createdappid"
    secret   = "createdappsecret"
    username = "MarkkuIT"
    password = "birthyear"

    overviewUser = "MarkkuIT"
)

var api *reddit.Client

func init() {
    var err error
    credentials := reddit.Credentials{
        ID:       id,
        Secret:   secret,
        Username: username,
        Password: password,
    }
    api, err = reddit.NewClient(credentials)
    if err != nil {
        log.Fatalf("Error initializing Reddit API: %s\n", err.Error())
    }
}

func main() {
    if posts, comments, _, err := api.User.OverviewOf(context.Background(), overviewUser, nil); err == nil {
        fmt.Printf("posts(%d) comments(%d)\n", len(posts), len(comments))
    } else {
        log.Fatal(err)
    }
}

2021/05/13 12:32:58 Get "https://oauth.reddit.com/user/MarkkuIT/overview": oauth2: server response missing access_token
exit status 1

I doublechecked the credentials and they are indeed correct. What am I missing?

[bocanada]

Try appending your 2FA token to your password like this: "password:token"

[markkuit]

Just tried - both with the token itself and a fresh TOTP, for the sake of it - same error.

[rwese]

I have had the same issue and 2FA was the issue here, it works once I disabled it. With 2FA on it won't work and there is no documentation by reddit, and also no standard which defines this within OAUTH2.

I am aware storing the 2FA secret alongside the password would be risky, as is having no 2FA.

[and3rson]

I have the same issue. 2FA is disabled, tried with ID/secret and ID/secret/username/password - no luck.

Any ideas?

EDIT: My bad, the password was incorrect. Still, isn't it possible to use Reddit API with only ID & secret?

[markkuit]

Could you manage to authenticate with just ID and secret, and no username and password, while still having 2FA enabled?

[and3rson]

@markkuit Nope, no luck with ID/secret only. Still need to provide username & password.

[codecat]

In my case I had forgotten to add my bot account to the list of developers:

[and3rson]

@codecat Did you need to provide username & password in addition to client id & secret to login?

[and3rson]

Update: as per Reddit's OAuth2 docs, they actually do support auth without username/password. Here's an example:

curl -X POST -H 'USer-Agent: My-Application' \
        https://www.reddit.com/api/v1/access_token?device_id=My-Application \
        -u YOUR_CLIENT_ID:YOUR_CLIENT_SECRET --data "grant_type=client_credentials"

However, I didn't see any mention of client_credentials in the sources of go-reddit. @vartanbeno Is this a missing feature?

// EDIT: Basically, what we need is a possibility to include grant_type=client_credentials in the body of OAuth2 request.

// EDIT 2: It seems like Golang's OAuth2 lib does not support custom grant_type. Thus no way to do this without manual hacks.

// EDIT 3: Actually, it does! There's a submodule - https://pkg.go.dev/golang.org/x/oauth2/clientcredentials - which supports exactly what's needed for the "Application Only OAuth". This can be done by editing reddit/reddit-oauth.go and replacing &oauth2.Config with &clientcredentials.Config & using AuthStyleInHeader.The only thing that's needed is to change some code in go-reddit to allow custom oauth configs.

[and3rson]

I've submitted a PR (#21) which will allow us to use Reddit API with client_id & client_secret only, no credentials.