Hydra - Method Not Allowed - GET /oauth2/token?access_token=token

I’m currently in the process of getting Odoo (the client application) to perform the OAuth2 flow with Hydra and my consent application. I’m able to get past the consent page and I get an error like the following:

time="2020-03-23T19:51:30Z" level=info msg="started handling request" method=GET remote="<REMOTE_ADDR>" request="/oauth2/token?access_token=<ACCESS_TOKEN>"
time="2020-03-23T19:51:30Z" level=info msg="completed handling request" measure#hydra/public: https://<HYDRA_PUBLIC_URL>/.latency=124480 method=GET remote="<REMOTE_ADDR>" request="/oauth2/token?access_token=<ACCESS_TOKEN>" status=405 text_status="Method Not Allowed" took="124.48µs"

405 - Method Not Allowed

I also see an error on the client side of the application.

Under the REST API documentation for Hydra, I see that it only allows POST methods to /oauth2/token with either headers or a body. I’m still somewhat new to the OAuth2 flow, so maybe this is a valid request from the client application (that is not documented in Hydra) that I simply do not understand. Should I try to reform this request to a POST request from the client application? Maybe it’s an error with my client configuration?

/oauth2/token only accepts POST, there is probably some misconfiguration

@aeneasr I appreciate the reply! On the client side of things, I have:

Authentication URL https://<ROOT_URL>/oauth2/auth
Validation URL     https://<ROOT_URL>/oauth2/token
Data URL           https://<ROOT_URL>/userinfo

This all looks correct to me, which makes it more confusing. The way I have things deployed right now (for the sake of testing) is I’m just using the quickstart.yml on the machine where my consent app is deployed and I’m using mock TLS termination to reach the admin URL. Is it likely that my misconfiguration is somewhere in my test deployment of Hydra?

Thank you for your time.

The validation URL is not the token URL but instead the /oauth2/introspection endpoint (probably, don’t know your library/framework).

Thanks again. I think I figured it out–I believe the validation URL is supposed to be the /userinfo route–it looks like it’s the only route of the three that have been mentioned that supports GET. This is a little weird because other providers have /tokeninfo as their validation route and /userinfo is their “data” route. I’m sure it will take some guess-and-check.

Yeah, we’re implementing the different specs (e.g. userinfo is one, OAuth2 Token Introspection is another) and it depends a bit on your library. Good luck :slight_smile:

I was finally able to figure it out. Odoo (the client app) expects a user_id field to be returned from the validation URL. So, /userinfo is the correct route, I just need to give that route the user_id field in its response.
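A client-side sketch of the corrected exchange discussed in this thread, added here as an example and not Odoo's or Hydra's own code: the token exchange goes to /oauth2/token as a POST with a form body, and the validation call goes to /userinfo as a GET carrying the access token in the Authorization header rather than the query string (the log above shows a query-string token being written into Hydra's access log), with the response required to contain the user_id field Odoo expects. The hostname, credentials and function names are assumptions.

```python
import base64
import json
import urllib.parse
import urllib.request

# Constructed value for this example; not a host from the thread.
HYDRA_PUBLIC = "https://hydra.example.test"


def build_token_request(code, client_id, client_secret, redirect_uri):
    """Token exchange: /oauth2/token accepts POST only. The grant goes in the
    form body and the client credentials in an HTTP Basic header."""
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    }).encode()
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        f"{HYDRA_PUBLIC}/oauth2/token",
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Authorization": f"Basic {creds}",
        },
    )


def build_validation_request(access_token):
    """Validation call: GET /userinfo with the token as a bearer credential in
    the header, so it never lands in the URL that access logs record."""
    return urllib.request.Request(
        f"{HYDRA_PUBLIC}/userinfo",
        method="GET",
        headers={"Authorization": f"Bearer {access_token}"},
    )


def parse_validation_response(raw):
    """Odoo expects a user_id field in the validation response. Fail loudly if
    it is missing rather than letting the login proceed with no identity."""
    claims = json.loads(raw)
    if not claims.get("user_id"):
        raise ValueError("validation response lacks user_id; set it in the consent session")
    return claims["user_id"]
```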