Oauth throws "invalid_grant: user hasn't approved this consumer" randomly for Community Login profile

Question

I have an OAuth JWT Bearer token flow set up like this:

Admin approved users are pre-authorized
all profiles added to approved list
Relax IP restrictions
api, refresh_token/offline_access oauth scopes defined

It works fine for System Administrator, but fails randomly for Customer Community Login license user with: invalid_grant "user hasn't approved this consumer". Then it works, and after 5 minutes fails again.

It doesn't seem like I hit the login limit (from Setup -> Company Information related list: Customer Community Logins: Allowance 10,000 Amount Used :4,661 5/16/2019 7:59 PM)

There are a few similar questions out there but I still could not find the answer.

Bart Juriewicz · Accepted Answer · 2019-07-31T15:01:37.060

The answer was the audience oauth parameter for community users must be community url, instead of test.salesforce.com on sandbox. According to docs:

The audience (aud) identifies the authorization server as an intended audience. Use the authorization server’s URL for the audience value: https://login.salesforce.com, https://test.salesforce.com, or https://community.force.com/customers if implementing for a community.

It was a bit misleading because using test.salesforce.com failed only sometimes.

Oauth throws "invalid_grant: user hasn't approved this consumer" randomly for Community Login profile

1 Answers1

Linked