Rails Omniauth - bad verification code

I’m trying to set up GitHub logins for a Rails app using Omniauth. Once a user has visited /users/auth/github and authenticated, they’re redirected back to the application with values for code and state supplied. I would presume, from the documentation, that I could use that information to do something like this to get a token:

data = {
  client_id: Rails.application.credentials.github_key,
  client_secret: Rails.application.credentials.github_secret,
  code: code,
  state: state,
  redirect_uri: callback,
base_url = 'https://github.com/login/oauth/access_token'
headers = {'Content-Type' => 'application/json', 'Accept' => 'application/json'}
response = HTTParty.post(base_url,
                        :body => data.to_json,
                        :headers => headers)

But, the inevitable response is:

2.6.5 :057 > response.parsed_response
 => {"error"=>"bad_verification_code", "error_description"=>"The code passed is incorrect or expired.", "error_uri"=>"https://developer.github.com/apps/managing-oauth-apps/troubleshooting-oauth-app-access-token-request-errors/#bad-verification-code"}

The documentation referenced in that response offerts the following instruction:

“To solve this error, start the OAuth authorization process again and get a new code.”

…but, every code appears to be invalid. I would therefore welcome any suggestions on how to get past this.


I’m encountering the same behaviour.

I’m hitting the access_token endpoint from a serverless function, with all the right parameters described in the docs:


I get the bad_verification_code error in the response every single time, too.

1 Like