{ "id": "api/oauth2-invalid-grant-authorization-code-expired", "signature": "OAuth2 error: invalid_grant: Authorization code has expired", "signature_zh": "OAuth2 错误:invalid_grant:授权码已过期", "regex": "invalid_grant.*Authorization code has expired|authorization_code_expired", "domain": "api", "category": "auth_error", "subcategory": null, "root_cause": "The authorization code used in the token exchange request was issued more than the allowed lifetime (typically 60-600 seconds) ago.", "root_cause_type": "generic", "root_cause_zh": "令牌交换请求中使用的授权码已超过其允许的生命周期(通常为 60-600 秒)。", "versions": [ { "version": "OAuth 2.0 RFC 6749", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "Auth0 2024", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "Okta 2023", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "Keycloak 22.0", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" } ], "os_specific": {}, "dead_ends": [ { "action": "", "why_fails": "The same user session may return the same expired code if the state parameter is reused; the root cause is timing, not the code value.", "fail_rate": 0.7, "condition": "", "sources": [] }, { "action": "", "why_fails": "Long-lived authorization codes violate OAuth 2.0 security best practices and may be rejected by client libraries; also the server may have a hard upper limit.", "fail_rate": 0.8, "condition": "", "sources": [] } ], "workarounds": [ { "action": "Complete the authorization code exchange within the allowed window (typically 10 minutes). Automate the redirect-to-token flow without manual delays. Use PKCE to ensure the code verifier is fresh per request.", "success_rate": 0.95, "how": "Complete the authorization code exchange within the allowed window (typically 10 minutes). Automate the redirect-to-token flow without manual delays. Use PKCE to ensure the code verifier is fresh per request.", "condition": "", "sources": [] }, { "action": "If using a browser-based flow, ensure the callback endpoint immediately triggers the token exchange without user interaction that could cause delays.", "success_rate": 0.9, "how": "If using a browser-based flow, ensure the callback endpoint immediately triggers the token exchange without user interaction that could cause delays.", "condition": "", "sources": [] } ], "workarounds_zh": [ "在允许的时间窗口内(通常为 10 分钟)完成授权码交换。自动化重定向到令牌的流程,避免手动延迟。使用 PKCE 确保每次请求的 code_verifier 都是新鲜的。", "如果使用基于浏览器的流程,确保回调端点立即触发令牌交换,无需用户交互导致延迟。" ], "transition_graph": { "leads_to": [], "preceded_by": [], "frequently_confused_with": [] }, "official_doc_url": "https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2", "official_doc_section": null, "error_code": "invalid_grant", "verification_tier": "ai_generated", "confidence": 0.9, "fix_success_rate": 0.92, "resolvable": "true", "first_seen": "2023-11-20", "last_confirmed": "2024-06-01", "last_updated": "2024-06-01", "evidence_count": 1, "tags": [], "locale": "en", "aliases": [] }