Following the OAuth2 login flow described at https://github.com/reddit/reddit/wiki/OAuth2 I got to the point where POST-ing to https://www.reddit.com/api/v1/access_token returns something like this:

```
{'token_type': 'bearer', 'expires_in': 3600, 'scope': 'identity', 'access_token': '*****'}
```

Then I do

```
GET https://oauth.reddit.com/api/v1/me
```

With this header:

```
Authorization: bearer *****
```

The response is HTTP 403 Unauthorized. But why? It is clear that the access token has 'identity' scope. It is also documented that the /api/v1/me call requires this scope only. (See https://www.reddit.com/dev/api/oauth#GET_api_v1_me )

So why am I getting http 403?

nagylzs
  • The format of the header is important `Authorization: Bearer ` – castis Feb 02 '17 at 17:54
  • Okay, sorry. Actually I have set it with a dict in Python. It does contain the colon. I'll fix the question. BTW the docs specify it with all small letters ("bearer" instead of "Bearer"), see at the end of https://github.com/reddit/reddit/wiki/OAuth2#retrieving-the-access-token – nagylzs Feb 02 '17 at 18:20
  • Hmm now it started to return 403 forbidden. Maybe it was returning that before too? I'm not sure. – nagylzs Feb 02 '17 at 18:26
  • @nagylzs Have you solved this ? – Wolf359 Apr 18 '17 at 08:20
  • Yes, I have. But cannot tell what was wrong. I have changed many things in my code and eventually it started to work. – nagylzs Apr 18 '17 at 14:31

1 Answer

I was experiencing the exact same issue as you described. In my case, I resolved the 403 by adding a faux user agent string in the request headers.

In my case, using HttpClient of C#, this proceeds like so:

```csharp
using (var client = new HttpClient())
{
    // Send a User-Agent header with every request made through this client.
    client.DefaultRequestHeaders.Add("User-Agent", "MockClient/0.1 by Me");
    ...
}
```

ne1410s
  • This was the solution to my problem! Had been working with Postman but not my own script, I suppose because Postman automatically fills in the User-Agent header. – Dylan Landry Jul 25 '18 at 01:26
  • Just here to say the user agent string is crucial. I was using a string as recommended by Reddit "os:app:version (by username)" but was still getting rejected. It seems for some reason my agent string was blacklisted despite having just begun using it. By changing it slightly where the app name was app-name-with-space-separators+" agent" suffix it got past the 403 and started working. – John-Paul Robinson Nov 06 '19 at 17:16
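
The request shape discussed in this thread, as an added Python example that is not code from the question or the answer: it builds the `GET /api/v1/me` request with both headers and checks them before anything is sent. The function names, the `platform`/`app_id`/`version`/`username` parameters and the placeholder token are assumptions for illustration; the User-Agent format is the one quoted in the comment above.

```python
import urllib.request

ME_URL = "https://oauth.reddit.com/api/v1/me"  # endpoint from the question


def build_user_agent(platform, app_id, version, username):
    """Format quoted in the comments: os:app:version (by username)."""
    return f"{platform}:{app_id}:{version} (by {username})"


def check_headers(headers):
    """Return the header problems this thread associates with the 403."""
    problems = []
    lowered = {k.lower(): v for k, v in headers.items()}
    scheme, _, token = lowered.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        problems.append("Authorization must be 'bearer <access_token>'")
    if not lowered.get("user-agent", "").strip():
        problems.append("User-Agent header is missing or empty")
    return problems


def build_me_request(access_token, user_agent):
    """Build (but do not send) the request, refusing malformed headers."""
    headers = {"Authorization": f"bearer {access_token}",
               "User-Agent": user_agent}
    problems = check_headers(headers)
    if problems:
        raise ValueError("; ".join(problems))
    return urllib.request.Request(ME_URL, headers=headers, method="GET")


if __name__ == "__main__":
    # Constructed placeholder values, not real credentials.
    ua = build_user_agent("linux", "example-app", "0.1", "example_user")
    req = build_me_request("PLACEHOLDER_TOKEN", ua)
    print(req.get_method(), req.full_url)
    for name, value in req.header_items():
        # Keep the token out of logs; show only the scheme.
        if name.lower() == "authorization":
            value = value.split(" ")[0] + " <redacted>"
        print(f"{name}: {value}")
    # The failing shape from the question: token present, no User-Agent.
    print(check_headers({"Authorization": "bearer PLACEHOLDER_TOKEN"}))
```

Pass the returned request to `urllib.request.urlopen` only with a real token; the check runs before any network call, so a missing header fails locally instead of as a 403.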