[Elixir] Token verification

Hi, i am creating a personal tool that uses ESI. The UI is in react, so i am using the implicit flow approach. When i obtain the code, i try to verify it but i obtain a

Response: %HTTPoison.Response{
  body: "{\"error\":\"invalid_request\",\"error_description\":\"Unknown grant_type .\"}",
  headers: [
    {"Cache-Control", "no-cache"},
    {"Pragma", "no-cache"},
    {"Content-Type", "application/json; charset=utf-8"},
    {"Expires", "-1"},
    {"Server", "Microsoft-IIS/10.0"},
     "default-src 'self'; img-src 'self' data: *.facebook.com image.eveonline.com web.ccpgamescdn.com; font-src 'self' web.ccpgamescdn.com fonts.gstatic.com; style-src 'self' 'unsafe-inline' web.ccpgamescdn.com hello.myfonts.net; script-src 'self' 'XXXX' connect.facebook.net az416426.vo.msecnd.net; connect-src dc.services.visualstudio.com; frame-ancestors launcher.testeveonline.com launcher.eveonline.com; frame-src connect.facebook.net www.facebook.com; report-uri https://ccpgames.report-uri.com/r/t/csp/enforce"},
    {"Date", "Mon, 29 Apr 2019 05:36:10 GMT"},
    {"Content-Length", "70"}
  request: %HTTPoison.Request{
    body: "{\"code\":\"XXXXXX\",\"grant_type\":\"authorization_code\"}",
    headers: [
       "Basic XXXXX"},
      {"Content-Type", "application/x-www-form-urlencoded"},
      {"Host", "login.eveonline.com"}
    method: :post,
    options: [],
    params: %{},
    url: "https://login.eveonline.com/oauth/token"
  request_url: "https://login.eveonline.com/oauth/token",
  status_code: 400

Apparently the call is well forged, but i am having 400, unknown grant_type, which clearly tells me the opposite. What am i doing wrong ? HTTPoison use ?


Well for one it looks like you’re setting your content type to form-urlencoded yet sending a JSON body?

Also if you switch to the v2 OAuth endpoints, you could validate your token locally using a JWT lib.

Please, note that sending the auth as a json body is not part of the official OAuth2 specs, so, it may be removed in the future, so, you’re better off using headers, as that is the standard approach; See documentation for how to do that with v1 or v2

I am passing proper Content-Type header, but effectively looks like the payload is being encoded in json …