Status Code 500 from oauth/token

A couple days ago, my webservice smart app oauth stopped working.
I can get the code from the initial request and receive the callback, but when I use the code to request the token, ST just responds with Internal Server Error 500 and sends back a webpage with ‘Opps Something went wrong’ in body content.

I’ve tried a couple times, deleting the smart app and recreating it, giving me new id and secret, but it doesn’t resolve the problem. I’ve put in a ticket with support, but haven’t heard back from them. I’ve burnt two days on this problem with no resolution, so I come to the community with hopes someone has seen this problem and has a resolution.

Thanks in advanced.

Still waiting on support.

Still waiting on support!

And for some reason, my community account was disabled. I had to sign up again to post this.

@DougBeard or @Doug_Beard do you want to post more specifics on what you are trying to do? Getting a 500 back doesn’t sound like an authorization issue (that is normally a 401) :grin:. A 500 is normally a server saying it doesn’t know what to do with your request such as trying to hit an endpoint that doesn’t exist.

I’ve tried to get the token in several ways. My preferred method, using a library called simple-oauth2

At the UI the process begins with a call to /oauth/authorize
The callback is received with the code and forwarded to my server at [originationURL]/auth

I’ll retrieve the code from the redirect request and feed it to simple-oauth2 in the following way.

			const options = {
				code: code,
				 redirect_uri: config.redirectUri
			config.oauth2.authorizationCode.getToken(options, (error, result) => {
				if (error) {
					console.error('Access Token Error', error.message);
					return res.json('Authentication failed');

				console.log('The resulting token: ', result);
				const token = config.oauth2.accessToken.create(result);

				return res

The result is always a 500. I can trigger the 401 as you described by ommitting or changing any of the arguments in the querystring, such as clientId or secret, redirect_url, code, etc.

To ensure the library in use was not the culprit, I wrote my own request using requestjs.

var request_options = {
					grant_type: 'authorization_code',
					code: code,
					client_id: config.options.clientId,
					client_secret: config.options.clientSecret,
					redirect_uri: REDACTED,
					scope: 'app'
						'content-type': 'application/x-www-form-urlencoded'
					qs: request_options
				}, function (error, response, body) {
					if (response.statusCode > 400){
						return res.sendError("something went wrong");
					if (error) {
						return res.sendError(error);
					} else if (body) {
						var headers = { 'User-Agent': 'Satellizer' };
						var all_things = JSON.parse(body)
						return res.json(all_things);
					} else {
						return console.log("No Body")

I get the same error.

It’s been mentioned that the redirectUri may not be internet accessible. This is plainly false. I have had this successfully working in a local environment prior to the 15th of this month. In addition I’ve published to the qa environment, hosted in Azure, which is totally accessible with the same results.

I would note, that I have tried several other oauth2 libraries in place of the two examples above with the same results.
I’d also point out, the simple-oauth2 code in the first example, worked fine prior to the update on the 15th of this month. It ceased working with no changes.

One last thing to note, if I change my requests to use another code flow provider (such as github), the code with no changes except in the passed parameters works fine.

Please, for all that is good and holy, look at the original support request I sent in, with the UID of one of my requests that is presented in the subsequent ST reply and check your logs for some hint at what the problem is. It cannot be discerned from my end because of the generic resulting 500.

PS. Apparently my forum account has been re-enabled. :confused:

I found your ticket. Didn’t realize that you were already contacted by @Aaron, FYI I don’t typically look at support tickets so sorry about the gap in communication. I’ve just been trying to help out where I can on the community forums.

I’m not seeing any exceptions in our logs, off the bat. I’m not familiar with our oauth service, but it is programmed to emit a 500 when something goes wrong with creating the access token. I’m looking though, I thought I should update you even though I haven’t been able to figure out what is going wrong.

Thank you for the update. I’m very glad to hear someone is looking at this.

Very odd that I can’t log in with the original account again.

Another update…

I validated that our OAuth functionality still works by following this guide in our documentation. I was able to successfully to authenticate with our application using this server and smartapp.

If I didn’t publish the SmartApp before trying to authenticate I would get 500s back after clicking the Authorize button on the page that I was redirected to:

I’m guessing your SmartApp is published, but though it was worth documenting in this thread incase someone else comes along with similar 500 issues with authentication.

1 Like

Definitely published, yes. I had also deleted the app and recreated it from code (as suggestion on another thread), switching out all the oauth Ids in the process, with no luck. It too is published, and installed to my hub.

Could you humor me, and try two things before I dig into this more. If you have a redirect url specified in your SA configuration would you remove that? And would you uninstall the SA before trying to OAuth?

If neither of those suggestions help at all, if you could PM me your server code and SA? I would be happy to help you debug. It seems to me that this would be an issue with something in your code because I was able to successfully authenticate with another server and SA.

Other SmartApps are fine in my account, only this one exhibits this behavior as far as I can tell.
I did as you asked with no effect.

I will PM you my server code, it is SEAN stack in ES6 with babel.

Hi @Doug_Beard. I’m running up against the exact same issue that you were. I have a SmartApp which is published for me configured with the omniauth-smartthings plugin. After doing the OAuth dance with SmartThings where I select which devices to allow access to, I’m redirected back to my own app. My app gets a 500 from SmartThings’ OAuth servers when trying to exchange the OAuth code for an access token:

<dd>500: Internal Server Error</dd> <dt>URI</dt><dd>/oauth/token</dd> <dt>Reference Id</dt>. <dd>0f4a3a93-1b91-44f0-ad06-4c8b9b8657a2</dd> <dt>Date</dt><dd>Wed Jan 04 18:44:02 UTC 2017</dd>

My extremely basic SmartApp works just fine in the simulator. I’ve tried the same SmartApp code on both my SmartThings dev account and a friend’s. We both get the same results when testing with our own OAuth client ID and token.

Did you ever figure out a solution?


I was finally paired with a jr engineer that was working to help me find a solution. While he was looking, the issue stopped occurring, though his claim was that nothing was changed on their end. So, no I didn’t exactly ‘find’ a solution that will be of any help to you.

However, I suspect you’re suffering a CORS issue, which maybe different than what was happening for me. Given ST simply passes back generic errors, it’s impossible to tell.

1 Like

I figured out the issue in our case. It turns out that whoever implemented OAuth at SmartThings decided it would be a good idea to do things differently than every other OAuth provider and require that the redirect_uri 100% matches between the authorization code step and the access code step, even the query parameters. Since many (most?) OAuth libraries tend to add things into the redirect_uri at the access code step (OmniAuth in particular here), this is broken by default.

This commit was able to get things working for my app:

On a side note, it would be incredibly helpful if the SmartThings OAuth server did anything other than return a generic 500 when something goes wrong, especially if it’s something the developer might be able to fix. This was absolutely maddening to debug.


Just a note, according to the OAuth 2.0 spec, the request_uri must match for both the authorization code and access token requests (if provided): see the redirect_uri section. SmartThings is using a well established library for OAuth, which strictly follows the spec.

I agree about the error codes, it’s an unfortunate side effect of using the OAuth library; it doesn’t always expose the best information about the error.


8 months later and still just a 500 with no detailed explanation, what’s going on.

Trying to install an app, doing this first:

Getting this in response


Next url

and I keep getting

Oh No! Something Went Wrong!
Error:500: Internal Server ErrorURI:/oauth/tokenReference Id:f5a9e4d8-684a-456c-a258-a0b3ebf2f1dbDate:Sun Aug 20 16:18:06 UTC 2017

I’m in the same boat. This makes no sense and I’ve found nothing in the forums that even begins to explain how I would go about fixing this.


today, APR.22th.2018
But, I has same issue.
but I could not find any resolution.
It is really hell…