
Fix OAuth explanation in documentation #5695

Open

@mkdir-washington-edu

This is from feedback from Ghotit, found in ZD here: https://hypothesis.zendesk.com/agent/tickets/5816

https://h.readthedocs.io/en/latest/api/using-oauth/#implementing-oauth-flow
In paragraph 2:

After the user authorizes the application, it will receive an authorization code via a call to the redirect URI. The application must exchange this code for an access token by making a request to the POST /api/token endpoint as described in 4.1.3 Access Token Request.

```http
POST /api/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded

client_id=631206c8-7792-11e7-90b3-872e79925778&code=V1bjcvKDivRUc6Sg1jhEc8ckDwyLNG&grant_type=authorization_code
```

However, according to the RFC, if the first request (4.1.1 Authorization Request) contains a redirection URL, the second request MUST contain the same redirection URL.

To conclude:
Add to the above example the redirection URL, namely:

```
redirect_uri=https%3A%2F%2Fmyapp.com%2Fauthorize&
```

Finally, it should be:

```
client_id=631206c8-7792-11e7-90b3-872e79925778&code=V1bjcvKDivRUc6Sg1jhEc8ckDwyLNG&redirect_uri=https%3A%2F%2Fmyapp.com%2Fauthorize&grant_type=authorization_code
```
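Added example (not code from the Hypothesis docs or the h project) showing both halves of the rule the issue describes: the client builds the `POST /api/token` body with `redirect_uri` included whenever the authorization request carried one, and the server rejects a token request whose `redirect_uri` is missing or differs from the one used in the authorization request (RFC 6749, 4.1.3). The `issued_codes` store and the function names are assumptions made for this example.

```python
from urllib.parse import parse_qs, urlencode

# Constructed sample values, taken from the request shown in this issue.
CLIENT_ID = "631206c8-7792-11e7-90b3-872e79925778"
CODE = "V1bjcvKDivRUc6Sg1jhEc8ckDwyLNG"
REDIRECT_URI = "https://myapp.com/authorize"


def build_token_request_body(client_id, code, redirect_uri=None):
    """Client side: form body for POST /api/token (RFC 6749 section 4.1.3).

    Pass redirect_uri only when the authorization request (4.1.1) carried
    one; the RFC then requires the identical value in the token request.
    """
    params = [("client_id", client_id), ("code", code)]
    if redirect_uri is not None:
        params.append(("redirect_uri", redirect_uri))
    params.append(("grant_type", "authorization_code"))
    return urlencode(params)  # quote_plus-encodes ':' and '/' as on the page


def validate_token_request(body, issued_codes):
    """Server side: return (ok, reason) for a token request body.

    issued_codes is a hypothetical in-memory store mapping each issued
    authorization code to the client_id it was issued to and the
    redirect_uri (or None) that the authorization request used.
    """
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if form.get("grant_type") != "authorization_code":
        return False, "unsupported_grant_type"
    issued = issued_codes.get(form.get("code"))
    if issued is None or issued["client_id"] != form.get("client_id"):
        return False, "invalid_grant"
    expected = issued["redirect_uri"]
    # Missing or different redirect_uri: the RFC says MUST be identical,
    # so the server treats this as an invalid grant rather than trusting it.
    if expected is not None and form.get("redirect_uri") != expected:
        return False, "invalid_grant: redirect_uri mismatch"
    return True, "ok"


if __name__ == "__main__":
    store = {CODE: {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI}}
    body = build_token_request_body(CLIENT_ID, CODE, REDIRECT_URI)
    print(body)
    print(validate_token_request(body, store))
    print(validate_token_request(build_token_request_body(CLIENT_ID, CODE), store))
```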
