VK Oauth: Security Error

2

10

I'm trying to authorize my standalone application. But after I click "Allow" it always redirects to http://oauth.vk.com/error?err=2 and gives this as the response body:

{"error":"invalid_request", "error_description":"Security Error"}

Here's the request URL (I do have correct client_id):

https://oauth.vk.com/authorize?client_id=...&scope=messages,offline&redirect_uri=https://oauth.vk.com/blank.html&display=page&v=5.37&response_type=token

It seems that I've tried everything:

  • Turning application on and off
  • Passing scope as bit mask
  • URI encoding some parameters to have correct URL
  • and so on
Benedict answered 13/9, 2015 at 21:51 Comment(0)
17

After an hour of searching I've found this.

So, it means that the user has an old session and must log in again in the browser.

Benedict answered 13/9, 2015 at 21:51 Comment(2)
Thanks mate, I was sooo frustrated :) – Fish
Thank you. For about a year I did not re-login and never saw this error. I never thought that it would help. – Wilkerson
0

A space in the state parameter causes this.

The OAuth 2 RFC, in sections 4.1.1 on the authorization request and 4.1.2 on the authorization response, recommends using the state parameter to maintain state in the authorization code flow, particularly to prevent CSRF.

When I set this field to CSRFTOKEN123 http://my.site/next/url, I got this error. Replacing (space) with : to get CSRFTOKEN123:http://my.site/next/url helps.

By the way, I couldn't find any mention of the state parameter on the VK documentation website, but the VK OAuth 2 authorization system actually supports it. It couldn't be called OAuth 2 otherwise. So I find it legit to use the state parameter.

The topic https://vk.com/topic-17680044_30635058 mentioned by the author is closed now; the current discussion is https://vk.com/topic-1_24428376. There are a number of questions on this. All in Russian.

Spunky answered 7/1, 2019 at 11:9 Comment(0)
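
An added example (not from the answer above or from VK's documentation) of carrying a CSRF token and a return URL in state without spaces or other separators, and checking the value when it comes back. The helper names, the JSON/base64url encoding and the ALLOWED_NEXT_HOSTS allow-list are assumptions; the request parameters are copied from the question's URL.

```python
import base64
import hmac
import json
from urllib.parse import urlencode, urlsplit

AUTHORIZE_URL = "https://oauth.vk.com/authorize"  # endpoint from the question
ALLOWED_NEXT_HOSTS = {"my.site"}  # assumption: hosts the app may return to


def make_state(csrf_token, next_url):
    """Pack the CSRF token and return URL into one token of [A-Za-z0-9_-] only."""
    raw = json.dumps({"csrf": csrf_token, "next": next_url}).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def build_authorize_url(client_id, redirect_uri, state):
    """Authorization request with the question's parameters plus state."""
    params = {
        "client_id": client_id,
        "scope": "messages,offline",
        "redirect_uri": redirect_uri,
        "display": "page",
        "v": "5.37",
        "response_type": "token",
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_state(state, expected_csrf):
    """Return the next URL if state is well formed and its CSRF token matches
    the one stored in the user's session; otherwise return None."""
    try:
        padded = state + "=" * (-len(state) % 4)
        data = json.loads(base64.urlsafe_b64decode(padded))
        csrf, next_url = data["csrf"], data["next"]
        parts = urlsplit(next_url)
        # Open-redirect guard: only http(s) URLs on allow-listed hosts.
        ok = parts.scheme in ("http", "https") and parts.hostname in ALLOWED_NEXT_HOSTS
    except (ValueError, KeyError, TypeError, AttributeError):
        return None
    if not ok or not isinstance(csrf, str):
        return None
    # Constant-time comparison of the echoed token with the session's token.
    if not hmac.compare_digest(csrf.encode(), expected_csrf.encode()):
        return None
    return next_url
```

In real use the CSRF token would be a fresh random value per authorization attempt (for example from `secrets.token_urlsafe`), stored in the user's session before the redirect.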
