Tags: invalid_grant, api, auth_error
AI generated: true
OAuth2 error: invalid_grant: Authorization code has expired
ID: api/oauth2-invalid-grant-authorization-code-expired
Fix rate: 92%
Confidence: 90%
Evidence: 1
First seen: 2023-11-20
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| OAuth 2.0 RFC 6749 | active | — | — | — |
| Auth0 2024 | active | — | — | — |
| Okta 2023 | active | — | — | — |
| Keycloak 22.0 | active | — | — | — |
Root Cause
The authorization code presented to the token endpoint was issued longer ago than the server's code lifetime allows (RFC 6749 §4.1.2 recommends a maximum of 10 minutes; servers typically use 60-600 seconds), so the server rejects the exchange with `invalid_grant`. Note that the same `invalid_grant` error class is also returned when a code has already been redeemed (codes are single-use), was issued to a different client, or is exchanged with a redirect_uri that does not match the one used in the authorization request, so confirm from the error description that expiry is actually the cause.
Official Documentation
https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2
Workarounds
- 95% success: Complete the authorization code exchange within the allowed window (typically 10 minutes). Automate the redirect-to-token step so no manual delay sits between receiving the code and calling the token endpoint. If the exchange still fails with invalid_grant, send the user through a new authorization request rather than resubmitting the same code. Use PKCE (RFC 7636) with a fresh code_verifier for every authorization request; PKCE binds the code to the client that began the flow but does not extend the code's lifetime.
- 90% success: If using a browser-based flow, make the callback endpoint trigger the token exchange immediately on receiving the code, without any user interaction that could introduce delay.
Dead Ends
Common approaches that don't work:
- 70% fail: Retrying the token request with the same authorization code. The code was rejected because too much time elapsed, not because of its value, so resubmitting it (even from the same user session with the same state parameter) cannot succeed; and since RFC 6749 §4.1.2 makes codes single-use, a code that was already redeemed is refused regardless of timing.
- 80% fail: Raising the authorization code lifetime on the server. Long-lived codes violate OAuth 2.0 security best practice (RFC 6749 recommends a maximum of 10 minutes), may be rejected by client libraries, and the server often enforces a hard upper limit.
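To make the root cause, the workarounds and the dead ends above concrete, here is an added example in Python. It is a constructed model, not code from RFC 6749 or from any of the vendors in the compatibility table: an in-memory authorization server that issues single-use codes with a 600-second lifetime, bound to a client_id and a PKCE code_challenge, and a client that exchanges the code at its redirect callback, uses a fresh code_verifier for every authorization request and, on invalid_grant, starts a new authorization request instead of retrying the same code. The class names, the error strings, the `FakeClock` used to reproduce the delay, and the 600-second lifetime are all assumptions of this example; the PKCE S256 derivation follows RFC 7636.

```python
"""Constructed model of the authorization-code exchange with an expiring,
single-use code and PKCE. Not a vendor SDK; names and lifetimes are assumed."""
import base64
import hashlib
import secrets
import time

CODE_LIFETIME_SECONDS = 600  # assumption; RFC 6749 s4.1.2 recommends at most 10 min


class InvalidGrant(Exception):
    """Token endpoint error for an expired, consumed, or mismatched code."""


def pkce_challenge(verifier):
    """S256 code_challenge (RFC 7636): BASE64URL(SHA256(verifier)), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Issues authorization codes and redeems each one once within its lifetime."""

    def __init__(self, clock=time.time, code_lifetime=CODE_LIFETIME_SECONDS):
        self.clock = clock
        self.code_lifetime = code_lifetime
        self._codes = {}  # code -> (issued_at, client_id, code_challenge)

    def authorize(self, client_id, code_challenge):
        """Authorization endpoint: mint a fresh code bound to client and challenge."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = (self.clock(), client_id, code_challenge)
        return code

    def token(self, client_id, code, code_verifier):
        """Token endpoint: pop() consumes the code, so a second use is refused."""
        record = self._codes.pop(code, None)
        if record is None:
            raise InvalidGrant("Authorization code is invalid or already used")
        issued_at, bound_client, challenge = record
        if self.clock() - issued_at > self.code_lifetime:
            raise InvalidGrant("Authorization code has expired")
        if bound_client != client_id:
            raise InvalidGrant("Authorization code was issued to another client")
        if pkce_challenge(code_verifier) != challenge:
            raise InvalidGrant("PKCE code_verifier does not match code_challenge")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


class Client:
    """OAuth client holding one PKCE verifier per authorization request."""

    def __init__(self, client_id, server):
        self.client_id = client_id
        self.server = server
        self.verifier = None

    def start_authorization(self):
        """New verifier, new code (the browser redirect itself is omitted)."""
        self.verifier = secrets.token_urlsafe(64)
        return self.server.authorize(self.client_id, pkce_challenge(self.verifier))

    def callback(self, code):
        """Redirect target: exchange at once; on invalid_grant restart the flow.
        Returns (token_response, first_error); first_error is None if the
        original code was accepted."""
        try:
            return self.server.token(self.client_id, code, self.verifier), None
        except InvalidGrant as exc:
            # The code is expired or consumed; retrying it cannot succeed.
            fresh_code = self.start_authorization()
            return self.server.token(self.client_id, fresh_code, self.verifier), str(exc)


class FakeClock:
    """Adjustable clock so the redirect-to-exchange delay is reproducible."""

    def __init__(self, start=1_700_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def exchange_after_delay(delay_seconds):
    """One flow where the callback runs delay_seconds after the code was issued."""
    clock = FakeClock()
    client = Client("web-app", AuthorizationServer(clock=clock))
    code = client.start_authorization()
    clock.advance(delay_seconds)  # e.g. the user left the consent tab open
    token, first_error = client.callback(code)
    return "access_token" in token, first_error


def reuse_same_code():
    """Dead end: presenting an already-redeemed code again is refused."""
    client = Client("web-app", AuthorizationServer(clock=FakeClock()))
    code = client.start_authorization()
    client.server.token("web-app", code, client.verifier)  # first exchange succeeds
    try:
        client.server.token("web-app", code, client.verifier)
    except InvalidGrant as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(exchange_after_delay(5))    # exchanged within the window, no restart
    print(exchange_after_delay(900))  # expired: new request, fresh verifier
    print(reuse_same_code())          # second use of the same code is refused
```

Running the module shows the three situations the page describes: a callback processed within the lifetime succeeds on the first try; one processed after 900 seconds gets "Authorization code has expired" and recovers only by starting a new authorization request with a new code_verifier; and resubmitting a redeemed code is refused irrespective of timing. The `pop()` in `token()` is what enforces single use, which is why a retry loop around the token request is the wrong fix.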