10

I'm trying to authorize my standalone application. But after I click "Allow" it always redirects to http://oauth.vk.com/error?err=2 and gives this as response body:

{"error":"invalid_request", "error_description":"Security Error"}

Here's the request URL (I do have correct client_id):

https://oauth.vk.com/authorize?client_id=...&scope=messages,offline&redirect_uri=https://oauth.vk.com/blank.html&display=page&v=5.37&response_type=token

It seems that I've tried everything:

  • Turning application on and off
  • Passing scope as bit mask
  • URI encoding some parameters to have correct URL
  • and so on
sigod

2 Answers

17

After an hour of searching I've found this.

So, it means that the user has an old session and must log in again in the browser.

sigod
0

A space in the state parameter causes this.

The OAuth 2 RFC, sections 4.1.1 on authorization request and 4.1.2 on authorization response, recommends using the state parameter to maintain state in the authorization code flow, particularly to prevent CSRF.

When I set this field to CSRFTOKEN123 http://my.site/next/url, I got this error. Replacing (space) with : to get CSRFTOKEN123:http://my.site/next/url helps.

By the way, I couldn't find any mention of the state parameter on the VK documentation website, but the VK OAuth 2 authorization system actually supports it. It couldn't be called OAuth 2 otherwise. So I find it legit to use the state parameter.

The topic https://vk.com/topic-17680044_30635058 mentioned by the author is closed now; the current discussion is https://vk.com/topic-1_24428376. There are a number of questions on this. All in Russian.

George Sovetov
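An added example, not part of either answer: one way to carry a CSRF token and a return URL in `state` without any characters that need escaping, and to validate both when the provider redirects back. The function names, the `ALLOWED_NEXT_HOSTS` allow-list and the client id placeholder are assumptions made for illustration; that VK echoes `state` back unchanged is taken from the answer above, not from VK documentation.

```python
import base64
import hmac
import json
import secrets
from urllib.parse import urlencode, urlsplit

# Assumption: hosts this application may send the user to after login.
ALLOWED_NEXT_HOSTS = {"my.site"}


def new_csrf_token() -> str:
    """Unpredictable per-session token; keep it in the user's server-side session."""
    return secrets.token_urlsafe(32)


def pack_state(csrf_token: str, next_url: str) -> str:
    """Encode token and return URL as unpadded base64url: only A-Z a-z 0-9 - _."""
    raw = json.dumps({"csrf": csrf_token, "next": next_url}, separators=(",", ":"))
    return base64.urlsafe_b64encode(raw.encode()).decode().rstrip("=")


def unpack_state(state: str, expected_csrf: str) -> str:
    """Return the validated return URL, or raise ValueError."""
    try:
        padded = state + "=" * (-len(state) % 4)
        data = json.loads(base64.urlsafe_b64decode(padded))
        csrf, next_url = data["csrf"], data["next"]
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError("malformed state") from exc
    if not isinstance(csrf, str) or not isinstance(next_url, str):
        raise ValueError("malformed state")
    # Constant-time comparison against the token stored in the session.
    if not hmac.compare_digest(csrf.encode(), expected_csrf.encode()):
        raise ValueError("CSRF token mismatch")
    # state travels through the browser, so the return URL is untrusted input.
    parts = urlsplit(next_url)
    if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_NEXT_HOSTS:
        raise ValueError("return URL not allowed")
    return next_url


def build_authorize_url(client_id: str, redirect_uri: str, state: str) -> str:
    """Authorization request with the parameters from the question, plus state."""
    query = urlencode({
        "client_id": client_id, "scope": "messages,offline",
        "redirect_uri": redirect_uri, "display": "page", "v": "5.37",
        "response_type": "token", "state": state,
    })
    return "https://oauth.vk.com/authorize?" + query
```
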