ESI Token Authentication 401 Error


Apologies if this has been answered before, but I have not been able to find the answer. Anyhoo, I am working on a C# desktop ESI project and I am struggling to get the authentication token; I always get a 401 error. I have copied the params out to Postman also from the console app with the same result, so it must be something in my understanding which is lacking. I have the SSO section down and have the auth code to send for the token.

Here is my implementation of the token request in C#:

I can't post more than one upload, so if you need to see the code verifier implementation or base64 encoder I can include them in later posts.

Hopefully it's just a simple code error that I am blind to, but any help from the community would be awesome! :smiley:

Many thanks in advance!

Try removing your Authentication header. It’s not needed for this flow, and isn’t correct either since it’s missing the token.

EDIT: For reference: OAuth 2.0 for Mobile or Desktop Applications | esi-docs.

Thank you for the reply. I have been trying a few things since I posted, including looking at some of the C# wrappers out there.

I have refactored my token request (per the screenshot below) and now I am receiving a 400 Bad Request: "grant type {authorization_code} is not supported". I have a feeling this is something to do with either a poorly formatted body or something not encoding right.

I added the "Basic [clientid:clientsecret]" to the authentication header, and if I remove it, it goes right back to 401 Unauthorized errors.

Starting to pull my hair out at this point :smiley:

Still should just remove it, it’s not a part of this flow because you can’t safely include your client secret within the desktop app, hence why you’re using the PKCE flow.

And just to be sure, have you read through OAuth 2.0 for Mobile or Desktop Applications | esi-docs and are you following those steps? It's not going to work if you're mixing two flows. E.g. try dumping out the URLs/bodies you're generating and confirming they look like the examples in the doc.

Specifically make sure you are including code_challenge_method in the /oauth/authorize URL and that your base64 encoded bytes includes padding.

I have been reading through the flows and I have got the authentication piece down OK; I can retrieve a code with no issue from SSO. I have the $code_challenge_method=S256 section in the authentication URL also.

I believe this must be something to do with how I am creating the code challenge, or perhaps the code verifier.
Here is the challenge implementation:

Here is the verifier implementation:

And here is the latest iteration of the token request. I removed an additional & from the start of the body string and removed the auth header, but I still get 401s every time.

Ah ha!

It is now working. Looks like the additional "{" I was placing in the body was the culprit. That will teach me to lift code from libraries instead of just figuring it out on my own, lol!!!

Thank you for all the help though!


The lesson here should be to use a library instead of "lifting" code or doing it yourself :wink:
And I say that as someone who did it myself, and now has to maintain that code too…

You could use C# string interpolation to make the strings more readable than using Concat. Since it's not a big string being iterated over, performance isn't an issue, but it adds more readability.

Also, you can use LINQ to select a random string rather than looping over the characters, again for readability. Alternatively, use a password generator API in .NET 6+ that can do it in one call (the old .NET Framework had one).

Also note Random is not cryptographically secure. Take a look at RandomNumberGenerator.
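As an added example that is not the poster's code or any of the C# wrappers mentioned in the thread, the following puts together the pieces discussed above: a code verifier drawn from `RandomNumberGenerator` rather than `Random`, the S256 code challenge, an authorize URL that always carries `code_challenge_method=S256`, and a token request with no Authorization header whose body is produced by `FormUrlEncodedContent` instead of a hand-concatenated string (which is how a stray `&` or `{` ended up in the body earlier in the thread). It assumes .NET 6 or later (`RandomNumberGenerator.GetBytes`, `SHA256.HashData`) and the login.eveonline.com v2 endpoint URLs as an assumption to be checked against the linked esi-docs page; the client id, redirect URI and scope in `Main` are placeholders. The thread's remark about padding concerns the verifier encoding; this example follows RFC 7636, which strips padding from both values, and `Main` checks the challenge derivation against the test vector published in that RFC before any request is made.

```csharp
// Added example (not the poster's code). Assumes .NET 6+ and the esi-docs v2 endpoints.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;

public static class EsiPkce
{
    // Endpoint URLs are an assumption: confirm them against the esi-docs page linked above.
    private const string AuthorizeUrl = "https://login.eveonline.com/v2/oauth/authorize/";
    private const string TokenUrl = "https://login.eveonline.com/v2/oauth/token";

    // RFC 7636 base64url: '+' -> '-', '/' -> '_', trailing '=' padding removed.
    private static string Base64UrlEncode(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Code verifier: 32 bytes from the CSPRNG (not System.Random), base64url encoded to
    // 43 characters, inside the 43..128 range RFC 7636 requires.
    public static string CreateCodeVerifier() =>
        Base64UrlEncode(RandomNumberGenerator.GetBytes(32));

    // S256 challenge: base64url(SHA-256(ASCII(verifier))), without padding.
    public static string CreateCodeChallenge(string verifier) =>
        Base64UrlEncode(SHA256.HashData(Encoding.ASCII.GetBytes(verifier)));

    // Authorize URL built from a dictionary so each value is escaped exactly once and
    // code_challenge_method=S256 cannot be left out.
    public static string BuildAuthorizeUrl(string clientId, string redirectUri,
                                           string scopes, string state, string codeChallenge)
    {
        var query = new Dictionary<string, string>
        {
            ["response_type"] = "code",
            ["redirect_uri"] = redirectUri,
            ["client_id"] = clientId,
            ["scope"] = scopes,
            ["state"] = state,
            ["code_challenge"] = codeChallenge,
            ["code_challenge_method"] = "S256",
        };
        return AuthorizeUrl + "?" + string.Join("&",
            query.Select(kv => $"{Uri.EscapeDataString(kv.Key)}={Uri.EscapeDataString(kv.Value)}"));
    }

    // Token request for the PKCE flow: no Authorization header (a desktop app has no
    // client secret to send); FormUrlEncodedContent encodes the body, so a stray '&'
    // or '{' from string concatenation cannot reach the server.
    public static async Task<string> ExchangeCodeAsync(HttpClient http, string clientId,
                                                       string code, string codeVerifier)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "authorization_code",
            ["code"] = code,
            ["client_id"] = clientId,
            ["code_verifier"] = codeVerifier,
        });
        using var response = await http.PostAsync(TokenUrl, form);
        var body = await response.Content.ReadAsStringAsync();
        if (!response.IsSuccessStatusCode)
            throw new HttpRequestException(
                $"Token request failed: {(int)response.StatusCode} {body}");
        return body; // JSON containing access_token, refresh_token and expires_in
    }

    // Offline self-check: the RFC 7636 Appendix B test vector, so the S256 derivation
    // can be verified before a single request is sent.
    public static void Main()
    {
        const string rfcVerifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
        const string rfcChallenge = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM";
        Console.WriteLine(CreateCodeChallenge(rfcVerifier) == rfcChallenge
            ? "S256 challenge matches the RFC 7636 test vector"
            : "S256 challenge MISMATCH: check the base64url encoding");

        // Placeholder client id, redirect URI and scope; the state value must be kept
        // and compared against the one returned on the callback.
        var verifier = CreateCodeVerifier();
        var state = Guid.NewGuid().ToString("N");
        Console.WriteLine(BuildAuthorizeUrl("YOUR_CLIENT_ID", "http://localhost:8080/callback",
            "publicData", state, CreateCodeChallenge(verifier)));
        // After the browser returns ?code=...&state=..., call
        // await ExchangeCodeAsync(new HttpClient(), "YOUR_CLIENT_ID", code, verifier);
    }
}
```

Dumping the authorize URL and the form body before sending, as suggested earlier in the thread, is still worthwhile: `form.ReadAsStringAsync()` shows exactly what goes on the wire, which is the quickest way to spot a literal `{authorization_code}` or a leading `&`.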
