Tiktok oauth request parameters are malformed

Question

I'm trying to exchange my authorization token for a bearer token. According to the docs it should be a application/x-www-form-urlencoded request. My code looks like this:

$res = Http::withHeaders([
    'Accept'       => 'application/json',
    'Content-Type' => 'application/x-www-form-urlencoded',
    'Cache-Control' => 'no-cache'
])->post('https://open.tiktokapis.com/v2/oauth/token/', [
    'client_id'    => 'my-client-id',
    'client_secret' => 'my-client-secret',
    'code'          => $request->code,
    'grant_type'    => 'authorization_code',
    'redirect_uri'  => 'https://example.com/callback/tiktok',
]);

I keep receiving:

{"error":"invalid_request","error_description":"The request parameters are malformed.","log_id":"20230621065239FB74CE96D69DA40A2B46"}

What could be going on here? Already tried contacting tiktok a week ago but no response.

Answer 1

I finally found the answer to this - at least in my case.

When upgrading to the V2 OAuth flow, I had only upgraded the token endpoint for the server (https://open-api.tiktok.com/oauth/access_token > https://open.tiktokapis.com/v2/oauth/token) but forgotten to add the /v2 path to the original authorization endpoint for the user. This is easy to miss as the websites look exactly the same.

v1/Legacy:

https://www.tiktok.com/auth/authorize?client_key=xxxx&redirect_uri=https://...

v2/:

https://www.tiktok.com/v2/auth/authorize?client_key=xxxx&redirect_uri=https://...

After changing this, I no longer receive the malformed parameters error and it seems to work as expected. Leaving this here in case it helps someone else. I don't know how I missed this when it's in the migration guide.

Answer 2

1st thing to do is URL-encode the parameters:

$params = http_build_query([
    'client_id'     => 'my-client-id',
    'client_secret' => 'my-client-secret',
    'code'          => $request->code,
    'grant_type'    => 'authorization_code',
    'redirect_uri'  => 'https://example.com/callback/tiktok',
]);

$res = Http::withHeaders([
    'Accept'       => 'application/json',
    'Content-Type' => 'application/x-www-form-urlencoded',
    'Cache-Control' => 'no-cache'
])->post('https://open.tiktokapis.com/v2/oauth/token/', $params);

Then you can:

• Check all the required parameters are provided and valid.
• Ensure that the endpoint URL is correct.
• Check if the TikTok API version (v2) is correct.

Answer 3

I was facing the same issue earlier. I had to encode the body parameters, and after that, it worked. PHP is not my first language, but maybe you can try something like this:

$res = Http::withHeaders([
    'Accept'       => 'application/json',
    'Content-Type' => 'application/x-www-form-urlencoded',
    'Cache-Control' => 'no-cache'
])->post('https://open.tiktokapis.com/v2/oauth/token/', http_build_query([
    'client_key'    => 'my-client-id',
    'client_secret' => 'my-client-secret',
    'code'          => $request->code,
    'grant_type'    => 'authorization_code',
    'redirect_uri'  => 'https://example.com/callback/tiktok',
]));

Answer 4

Illuminate\Support\Facades\Http facade seems to create some problems with the internal protected variable $bodyFormat of Illuminate\Http\Client\PendingRequest class as it creates the instance of this class internally while making requests.

You could rather directly use PendingRequest class to make requests like below:

Snippet:

<?php

use Illuminate\Http\Client\PendingRequest; 

$o = new PendingRequest();
$o->asForm(); // to set content type header to application/x-www-form-urlencoded

$res = $o->post('https://open.tiktokapis.com/v2/oauth/token/', [
  'client_key'    => 'CLIENT_KEY', // your value here
  'client_secret' => 'CLIENT_SECRET', // your value here
  'code'          =>  'CODE', // your value here
  'grant_type'    => 'authorization_code',
  'redirect_uri'  => 'https://example.com/callback/tiktok' // your value here
]);

dd($res->body());

Online Demo