Following the OAuth2 login flow described at https://github.com/reddit/reddit/wiki/OAuth2 I got to the point where POST-ing to https://www.reddit.com/api/v1/access_token returns something like this:

{'token_type': 'bearer', 'expires_in': 3600, 'scope': 'identity', 'access_token': '*****'}

Then I do

GET https://oauth.reddit.com/api/v1/me

With this header:

Authorization: bearer *****

The response is HTTP 403 Unauthorized. But why? It is clear that the access token has 'identity' scope. It is also documented that the /api/v1/me call requires this scope only. (See https://www.reddit.com/dev/api/oauth#GET_api_v1_me )

So why am I getting http 403?

nagylzs
  • The format of the header is important `Authorization: Bearer ` – castis Feb 02 '17 at 17:54
  • Okay, sorry. Actually I have set it with a dict in Python. It does contain the colon. I'll fix the question. BTW the docs specify it with all small letters ("bearer" instead of "Bearer"), see at the end of https://github.com/reddit/reddit/wiki/OAuth2#retrieving-the-access-token – nagylzs Feb 02 '17 at 18:20
  • Hmm now it started to return 403 forbidden. Maybe it was returning that before too? I'm not sure. – nagylzs Feb 02 '17 at 18:26
  • @nagylzs Have you solved this ? – Wolf359 Apr 18 '17 at 08:20
  • Yes, I have. But cannot tell what was wrong. I have changed many things in my code and eventually it started to work. – nagylzs Apr 18 '17 at 14:31

2 Answers

I was experiencing the exact same issue as you described. In my case, I resolved the 403 by adding a faux user agent string in the request headers.

In my case, using HttpClient of C#, this proceeds like so:

using (var client = new HttpClient())
{
    // reddit rejects requests that carry no descriptive User-Agent, so set one once on the client
    client.DefaultRequestHeaders.Add("User-Agent", "MockClient/0.1 by Me");
    ...
}

ne1410s
  • This was the solution to my problem! Had been working with Postman but not my own script, I suppose because postman automatically fills in the User-Agent header. – Dylan Landry Jul 25 '18 at 01:26
  • Just here to say the user agent string is crucial. I was using a string as recommended by reddit "os:app:version (by username)" but was still getting rejected. It seems for some reason my agent string was blacklisted despite having just begun using it. By changing it slightly where the app name was app-name-with-space-separators+" agent" suffix it got past the 403 and started working. – John-Paul Robinson Nov 06 '19 at 17:16

In my case this was because of a redirect.

Calling a non-oauth endpoint in my application (like https://www.reddit.com/r/learnpython/about.json) with the Authorization header would fail with code 403. But calling https://reddit.com/r/learnpython/about.json (without www) with the Authorization header succeeded. However both endpoints worked when I tried via Postman.

The reason for this is that reddit.com would redirect to www.reddit.com, which results in the Authorization header being dropped by Postman for the second request. In my application code, I was including the header with both requests, which explains the different behavior.

Solution: don't include the Authorization header when calling non-oauth endpoints.

Filippo Orrù
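Both answers above come down to the same two request-hygiene rules. The following Python helper is an added example, not code from the question or from either answer: it puts a descriptive User-Agent on every call, attaches the bearer token only to requests aimed at oauth.reddit.com, and drops it again if a redirect moves the request to another host, so the token is neither rejected by www.reddit.com nor handed to a host that did not issue it. The USER_AGENT string and the sample URLs are constructed for illustration.

```python
# Added example applying the two lessons from this thread to a reddit OAuth2 client:
#  1. always send a descriptive User-Agent (reddit answers anonymous clients with 403);
#  2. send the bearer token only to the OAuth API host, and drop it on a cross-host
#     redirect, which is what Postman did silently in the second answer.
from urllib.parse import urlsplit

OAUTH_HOST = "oauth.reddit.com"
# Constructed value in reddit's recommended "platform:app:version (by /u/name)" shape.
USER_AGENT = "python:example-app:v0.1 (by /u/example_user)"


def build_headers(url: str, access_token: str, user_agent: str = USER_AGENT) -> dict:
    """Return the request headers for `url`.

    Authorization is attached only when the request targets the OAuth API host;
    www.reddit.com / reddit.com endpoints are called without it (second answer).
    """
    host = urlsplit(url).hostname or ""
    headers = {"User-Agent": user_agent}
    if host == OAUTH_HOST:
        # reddit's docs spell the scheme "bearer"; HTTP compares it case-insensitively.
        headers["Authorization"] = f"bearer {access_token}"
    return headers


def headers_for_redirect(from_url: str, to_url: str, headers: dict) -> dict:
    """Headers to reuse when following a redirect from `from_url` to `to_url`.

    Credentials survive only if the redirect stays on the same host; on a hop such
    as reddit.com -> www.reddit.com the Authorization header is removed.
    """
    same_host = (urlsplit(from_url).hostname or "") == (urlsplit(to_url).hostname or "")
    if same_host:
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() != "authorization"}


if __name__ == "__main__":
    token = "<access_token from /api/v1/access_token>"  # placeholder, not a real token
    print(build_headers("https://oauth.reddit.com/api/v1/me", token))
    print(build_headers("https://www.reddit.com/r/learnpython/about.json", token))
    hop = headers_for_redirect("https://reddit.com/r/learnpython/about.json",
                               "https://www.reddit.com/r/learnpython/about.json",
                               build_headers("https://oauth.reddit.com/api/v1/me", token))
    print(hop)
```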