I am trying to get the installed app to work with OAuth2 on Reddit's API. I am using the Windows Runtime API's HttpClient to make requests, and WebAuthenticationBroker to get the code to do the GET request to receive the token. I requested a token by using this:
https://www.reddit.com/api/v1/authorize?client_id=" + client_id + "&response_type=code&state=" + "testing" + "&redirect_uri=http://abcd.com&duration=" + "permanent" + "&scope=" + "vote,identity"
And got a code back, so I used POST on this (with the content type being: application/x-www-form-urlencoded):
https://www.reddit.com/api/v1/access_token
with the body being this:
grant_type=https://oauth.reddit.com/grants/installed_client&\
device_id="+id + "&code=" + code
(code is the code received in the first step and id is a generated UUID)
Then I got something like this back:
{"access_token": "--5e65dP1dI_1vgLbqvi7zRB6cnU", "token_type": "bearer", "expires_in": 3600, "scope": "*"}
So I extracted the token and got this:
--5e65dP1dI_1vgLbqvi7zRB6cnU
Then I tried to do a GET request on https://oauth.reddit.com/api/v1/me with these headers:
{
User-Agent: (testUWP client by /u/bored_reddit_user)
Authorization: bearer --5e65dP1dI_1vgLbqvi7zRB6cnU
}
I got these headers back with status code 403 (reason phrase: Forbidden):
{
Connection: keep-alive
Server: cloudflare-nginx
Strict-Transport-Security: max-age=15552000; includeSubDomains; preload
Transfer-Encoding: chunked
cache-control: max-age=0, must-revalidate
x-ua-compatible: IE=edge
CF-RAY: 23f5127a6a2911a1-SJC
Date: Tue, 03 Nov 2015 03:42:58 GMT
x-frame-options: SAMEORIGIN
access-control-allow-origin: *
X-Moose: majestic
x-reddit-tracking: https://pixel.redditmedia.com/pixel/of_destiny.png?v=BZoi0ikdGrSYn9U9xM6GWeYcRRb0W50fSQuGYb1Q8Oe7E5WVB6qTA4hRqlx9vDfpLOKzpE3Z5Wo%3D
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
access-control-expose-headers: X-Reddit-Tracking, X-Moose
}
{
Content-Type: application/json; charset=UTF-8
}
and this content:
{"explanation": "Please log in to do that.", "reason": "USER_REQUIRED"}
I am at a loss as to what I'm doing wrong; can anyone help me out?
This wiki page on the reddit github gives a pretty good overview of reddit's implementation of OAuth2 and the different grant_types and what circumstances they are appropriate for. This page has some more information. I'm suspecting that reddit doesn't want you storing the client secret in an app that you install on a user's device since you can't keep it secure, and a user could figure out your CLIENT_ID.
I'm glad my comment could point you in the right direction, if you could accept this answer, I'd appreciate the rep.
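The failure in the question and the grant-type hint in the answer come down to one mismatch: the authorization step asks for a user code (response_type=code), but the exchange step uses reddit's installed_client grant, which is the userless (app-only) grant and ignores the code, so the token it returns has no user behind it and /api/v1/me answers USER_REQUIRED. The following is an added example, not code from the question, the answer or reddit; it shows the two exchanges side by side, checks the OAuth2 state parameter on the way back instead of using a fixed value, and recognises the exact 403 body shown above. CLIENT_ID_HERE, CODE_FROM_REDDIT and the redirect URL are constructed placeholders; the request dictionaries are built but never sent, so it runs offline.

```python
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoints as used on the page; the grant URI is reddit's userless grant.
AUTHORIZE_URL = "https://www.reddit.com/api/v1/authorize"
TOKEN_URL = "https://www.reddit.com/api/v1/access_token"
INSTALLED_CLIENT_GRANT = "https://oauth.reddit.com/grants/installed_client"


def new_state():
    """Per-attempt random state: keep it in session storage and compare it on return,
    so a redirect that did not originate from this session is rejected."""
    return secrets.token_urlsafe(16)


def build_authorize_url(client_id, redirect_uri, scopes, state, duration="permanent"):
    """Step 1: the browser-facing authorize URL, with every parameter URL-encoded."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "state": state,
        "redirect_uri": redirect_uri,
        "duration": duration,
        "scope": ",".join(scopes),  # comma-separated, as on the page
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_redirect(redirect_url, expected_state):
    """Step 2: pull the code out of the redirect, refusing it if state does not match."""
    query = parse_qs(urlparse(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect does not belong to this session")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    return query["code"][0]


def basic_auth_header(client_id, client_secret=""):
    """HTTP Basic credentials for the token endpoint. An installed app has no
    secret, so the password half is empty ("client_id:")."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def code_exchange_request(client_id, code, redirect_uri):
    """Step 3 done right: authorization_code grant, which yields a token bound
    to the user who approved the request."""
    return {
        "url": TOKEN_URL,
        "headers": {
            "Authorization": basic_auth_header(client_id),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": redirect_uri,  # must equal the one sent in step 1
        }),
    }


def app_only_request(client_id, device_id):
    """The grant the question used: installed_client. It carries no user, so
    any user endpoint such as /api/v1/me will reject the resulting token."""
    return {
        "url": TOKEN_URL,
        "headers": {
            "Authorization": basic_auth_header(client_id),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({
            "grant_type": INSTALLED_CLIENT_GRANT,
            "device_id": device_id,
        }),
    }


def is_user_required(status, body_text):
    """Recognise the failure shown on the page: 403 with reason USER_REQUIRED,
    i.e. a token without a user identity was used where one is needed."""
    if status != 403:
        return False
    try:
        body = json.loads(body_text)
    except ValueError:
        return False
    return body.get("reason") == "USER_REQUIRED"


if __name__ == "__main__":
    # Constructed values only; nothing here talks to the network.
    state = new_state()
    print(build_authorize_url("CLIENT_ID_HERE", "http://abcd.com", ["identity", "vote"], state))
    code = parse_redirect(f"http://abcd.com/?state={state}&code=CODE_FROM_REDDIT", state)
    print(code_exchange_request("CLIENT_ID_HERE", code, "http://abcd.com")["body"])
    print(is_user_required(403, '{"explanation": "Please log in to do that.", "reason": "USER_REQUIRED"}'))
```

The request dictionaries map directly onto an HttpClient call: the Authorization header replaces any client secret (there is none to store on the device, which is the point the answer makes), and building the body with urlencode rather than string concatenation keeps a device_id or redirect URI containing reserved characters from corrupting the form.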