Redirect_uri must be shorter than or equal to 256 characters on refresh token


  • Org name: Apideck
  • Detailed description of the issue and where it occurs:

We’re facing an issue refreshing tokens. We’re always getting this error back:

{
    "errors": [
        {
            "message": "redirect_uri must be shorter than or equal to 256 characters"
        }
    ]
}

Here’s a sample request

curl --location 'https://demo.deel.com/oauth2/tokens' \
--header 'Authorization: Basic <base64-client-id-and-secret>' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=refresh_token' \
--data-urlencode 'refresh_token=<the-refresh-token>' \
--data-urlencode 'client_id=<client-id>' \
--data-urlencode 'client_secret=<client-secret>'

Our redirect URL is way smaller than 256 (about 90 chars) and the error started without any apparent change on our side.

Any ideas?

Hi @geiserapideck,

May I ask how you are calling https://demo.deel.com/oauth2/tokens?

If you can, can you try using Postman to see if it works? We have seen instances of libraries that wrap the API call and modify the value passed, causing the issue.

We’re having the exact same issue.

Same error message being returned from Deel ("redirect_uri must be shorter than or equal to 256 characters"), same context (grant_type=refresh_token with a previously working refresh_token provided), and same unactionable state on our end (our redirect URI is far shorter than 256 characters — only 48).

However, ours are production requests (POSTs to https://app.deel.com/oauth2/tokens, not demo.deel.com like the original report).

Like the original report, we also haven’t changed anything in our implementation, and it was working perfectly for ages.

@tjschuck can you please try the request using Postman or curl?
As @guilherme_deel mentioned previously, certain libraries can cause this issue.

I am using curl, but I figured this out on my own. Deel has apparently made a breaking change to their API recently causing previously successful calls to now fail.

Sanitized example command here:

curl 'https://app.deel.com/oauth2/tokens' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --header 'Authorization: Basic [redacted]' \
  --data 'grant_type=refresh_token&refresh_token=[redacted]'

{"errors":[{"message":"redirect_uri must be shorter than or equal to 256 characters"}]}

Again, this error message is being returned by Deel, not any client library, so the blame cast at client libraries feels misdirected.

The actual issue is that redirect_uri is now a required param to the call to /oauth2/tokens. Deel is returning a misleading error that says redirect_uri must be shorter than or equal to 256 characters, but what they really mean is “redirect_uri is (now) a required parameter”.

For any other people who come across this issue, you must now add a redirect_uri param to your request, even though it’s already specified on your application configuration and that value was previously used. Adding your redirect_url to the payload will successfully refresh the token.

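The fix described in the last reply, as an added example that is not code from the thread or from Deel: a refresh call that always sends redirect_uri and checks it locally first, so a missing value fails with a clear message instead of the server's length error. The function names and the CLIENT_ID / CLIENT_SECRET environment variables are assumptions; the endpoint is the production URL quoted above.

```shell
# Added example (not from the thread). Endpoint taken from the posts above.
TOKEN_URL='https://app.deel.com/oauth2/tokens'

# Validate redirect_uri before any request is sent.
# Returns 1 when it is missing, 2 when it is over the 256-character limit
# named in the server's error message, 0 otherwise.
check_redirect_uri() {
  if [ -z "$1" ]; then
    echo 'redirect_uri is missing: the token endpoint requires it on refresh' >&2
    return 1
  fi
  if [ "${#1}" -gt 256 ]; then
    echo "redirect_uri is ${#1} characters, over the 256-character limit" >&2
    return 2
  fi
  return 0
}

# refresh_access_token <refresh-token> <redirect-uri>
# Sends grant_type=refresh_token together with redirect_uri. curl does the
# form encoding (--data-urlencode) and builds the Basic header (--user).
# CLIENT_ID and CLIENT_SECRET are assumed to be set in the environment.
refresh_access_token() {
  check_redirect_uri "$2" || return 1
  curl --silent --show-error "$TOKEN_URL" \
    --user "${CLIENT_ID}:${CLIENT_SECRET}" \
    --data-urlencode 'grant_type=refresh_token' \
    --data-urlencode "refresh_token=$1" \
    --data-urlencode "redirect_uri=$2"
}

# Usage (placeholder values):
#   CLIENT_ID=... CLIENT_SECRET=... \
#     refresh_access_token '<the-refresh-token>' '<your-registered-redirect-uri>'
```

The redirect_uri passed here should be the same value registered in the application configuration.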