Xero Developer Community

403 error when getting access token, but only from one computer

Started by Joseph Fisher in Getting Started

I'm developing an app in PHP. Currently running a local Apache server for initial test and dev. It's using a self-signed certificate and all access is https through port 443.

I have the Xero OAuth2 flow working correctly, but only when I access my app from the same machine running the Apache server.

So before I spend too much energy chasing this down, I wanted to make sure I've got the Xero side of things correct, and if the Apache configuration is more likely the culprit.

I'm able to redirect to https://login.xero.com/identity/connect/authorize, authorize the app, and drop back to the redirect page. On the local machine, I can continue through the OAuth2 flow. This POST succeeds:

URL: "https://identity.xero.com/connect/token"
Headers: {
"Authorization: Basic NUQ3MU...eDBZblc2",
"Content-Type: application/x-www-form-urlencoded"
}

Body: "grant_type=authorization_code&code=6f353b...de90fcab859&redirect_uri=https://my_vhost_name/working/xero_connect.php"

On the remote machine, this POST fails:

URL: "https://identity.xero.com/connect/token"
Headers: {
"Authorization: Basic NUQ3MU...eDBZblc2",
"Content-Type: application/x-www-form-urlencoded"
}

Body: "grant_type=authorization_code&code=99b3d03...c06310e91&redirect_uri=https://98.765.43.210/working/xero_connect.php"

403 Forbidden:
Access Denied
You don't have permission to access "http://identity.xero.com/connect/token" on this server.

Reference #18.8d794668.1651349874.29035887

I have verified that the redirect_uri for both is correctly listed under the app configuration in Xero. What else could be causing this?

That error would indicate that your request is getting blocked by our firewall. If you are still having issues, please recreate the issue (in order to receive a fresh error code) and then get in touch with our support team (with the reference) so that we can take a closer look.

Robin B (Community Manager)  

Good afternoon,

It seems to have been an issue of sending a numeric IP address instead of a domain name based one. When I moved the same code to my production server with a domain name attached, the errors go away.

It makes development a little more complicated, but at least I know the code is good.

That said, I will reply here the next time I get to recreate the issue.

Joseph Fisher
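
The two diagnostics discussed in this thread, as an added PHP example that is not code from the posters or from Xero: a pre-flight check on the redirect_uri and a classifier that separates a firewall block page from an OAuth2 JSON error. The function names are hypothetical, the sample inputs are constructed, and the numeric-host check reflects the poster's observation rather than a documented Xero rule.

```php
<?php
// Added example; helper names are hypothetical and not part of any Xero SDK.

/** Return a list of problems found in a redirect_uri before it is sent. */
function check_redirect_uri(string $uri): array
{
    $parts = parse_url($uri);
    if ($parts === false || empty($parts['host'])) {
        return ['not a parseable absolute URI'];
    }
    $problems = [];
    if (($parts['scheme'] ?? '') !== 'https') {
        $problems[] = 'scheme is not https';
    }
    // Strip brackets so IPv6 literals are recognised as well.
    $host = trim($parts['host'], '[]');
    // Valid IP literals, plus dotted-numeric hosts like the redacted one in the post.
    if (filter_var($host, FILTER_VALIDATE_IP) || preg_match('/^[0-9.]+$/', $host)) {
        $problems[] = 'host is a numeric IP address, not a domain name';
    }
    return $problems;
}

/** Classify a token-endpoint response: success, OAuth2 error, or block page. */
function classify_token_response(int $status, string $body): string
{
    $json = json_decode($body, true);
    if (is_array($json)) {
        if ($status === 200 && isset($json['access_token'])) {
            return 'ok';
        }
        if (isset($json['error'])) {
            return 'oauth_error: ' . $json['error']; // RFC 6749 section 5.2
        }
    }
    // A non-JSON 403 carrying a reference number is the block page quoted in
    // the thread, which the reply attributes to the firewall.
    if ($status === 403 && preg_match('/Reference\s+#([0-9a-f.]+)/i', $body, $m)) {
        return 'edge_block: reference ' . $m[1];
    }
    return 'unexpected: HTTP ' . $status;
}

// Constructed sample inputs modelled on the thread (192.0.2.10 is a documentation address).
print_r(check_redirect_uri('https://192.0.2.10/working/xero_connect.php'));
echo classify_token_response(403,
    "Access Denied\nReference #18.8d794668.1651349874.29035887"), "\n";
echo classify_token_response(400, '{"error":"invalid_grant"}'), "\n";
```

An `edge_block` result means the request was rejected before any OAuth2 validation, so the reference number is the detail to pass to support; an `oauth_error` result points back at the app's own parameters.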