We're using JWT authentication for calls to the Salesforce API. I set it up this summer and it was working well. The app could refresh the token whenever it needed to and store the result in memcache.

This recently stopped working, I guess. My local memcache got flushed and I noticed that I started getting an error:
{u'error_description': u"user hasn't approved this consumer", u'error': u'invalid_grant'}
(Other machines that still hold the old token work fine.)

As far as I can tell, nothing about the API user or its relationship to the connected app has changed. The app's policy is "Admin approved users are pre-authorized", and a profile containing the user is listed in 'Profiles' on the app configuration page.

Has anybody run into this before?
I know others have asked this question. The previous solutions have not worked. I am using the OAuth JWT flow.

1.  All Users Can Authorize
2.  User authorized via https://login.salesforce.com/services/oauth2/authorize?client_id=<CLIENT_ID>&redirect_uri=<NON_WORKING_CALLBACK_URL>&response_type=code
3.  OAuth Scopes include 
Access and manage your data (api)
Perform requests on your behalf at any time (refresh_token, offline_access)

A POST to test.salesforce.com OR login.salesforce.com returns
{"error":"invalid_grant","error_description":"user hasn't approved this consumer"}  
  
If I change the aud of my JWT from https://login.salesforce.com to https://XXX.force.com, I receive
{"error":"invalid_grant","error_description":"audience is invalid"}
which is the standard error response for an invalid token. I take that to mean my certificates are working correctly, since it only gives the error when I change the audience to an invalid value.

What am I missing?
 
I have to use the OAuth JWT flow to get the access token, but when I execute my code it shows me the following error,
 
{
     "error" : "invalid_grant",
     "error_description" : "user hasn't approved this consumer"
}

I set up all the related things like creating the App and uploading the certificate, and I also created the correct JWT token as per the doc here,
and posted the following request for the access token,
 
// clientAssertion holds the signed JWT created as described above
HttpClient httpClient = HttpClientBuilder.create().build();
HttpPost httpPost = new HttpPost("https://login.salesforce.com/services/oauth2/token");
httpPost.addHeader("Content-Type", "application/x-www-form-urlencoded");
List<NameValuePair> params = new ArrayList<NameValuePair>();
params.add(new BasicNameValuePair("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer"));
params.add(new BasicNameValuePair("assertion", clientAssertion));
httpPost.setEntity(new UrlEncodedFormEntity(params));
HttpResponse response = httpClient.execute(httpPost);

And I also accepted the application and related permissions via the following request,

https://login.salesforce.com/services/oauth2/authorize?client_id=3MVG9ZL0ppGP5UrDITkMBDGuTYGHeynoEt40ZRWCcaYsycFHYDcm2LnqukCNurLNx33LH1c.0rrfG8VrQaqri&redirect_uri=https://localhost/myapp&response_type=code     

I think I have done all the things needed to get the access token but I AM GETTING AN ERROR.
Could somebody please help me solve this problem.
Thank You. 
I'm having a problem getting the test API login to grant me an access_token. I am POSTing my request to https://test.salesforce.com/services/oauth2/token and here are my request headers; I shortened the assertion value for brevity:
POST https://test.salesforce.com/services/oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Host: test.salesforce.com
Content-Length: 415
Expect: 100-continue
Connection: Keep-Alive

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3[ ... ]ODMzN30.OE8FouPsqAXudnKgSZ0NeWnVjA1LYPtLgk4GXMx2kno
Every time I submit this, I'm getting the following Response:
HTTP/1.1 400 Bad Request
Date: Mon, 15 Sep 2014 19:12:19 GMT
Set-Cookie: BrowserId=SntionWLRSa0UEsXlzz--g;Path=/;Domain=.salesforce.com;Expires=Fri, 14-Nov-2014 19:12:19 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked

4A
{"error_description":"expired authorization code","error":"invalid_grant"}
0
This is being written in C# .NET 4.5.1 using the JSON Web Token Handler provided by Microsoft:
using System;
using System.Collections.Generic;
using System.Globalization;
using System.IdentityModel.Tokens;
using System.Net.Http;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;

// Posts the JWT bearer grant to the sandbox token endpoint.
public async Task Login()
{
    var token = GetAuthToken();
    const string uri = "https://test.salesforce.com/services/oauth2/token";
    var authRequest = new HttpClient();

    // Form-encode grant_type and the assertion for the x-www-form-urlencoded body.
    var authContent = Uri.EscapeDataString("urn:ietf:params:oauth:grant-type:jwt-bearer");
    var authToken = Uri.EscapeDataString(token);

    var responseMessage = await authRequest.PostAsync(uri,
        new StringContent(string.Format("grant_type={0}&assertion={1}", authContent, authToken),
                          Encoding.UTF8, "application/x-www-form-urlencoded"));

    // The JSON body carries error and error_description when the request is rejected.
    var body = await responseMessage.Content.ReadAsStringAsync();
}

// Builds the assertion with the Microsoft JSON Web Token Handler.
private static string GetAuthToken()
{
    var securityKey = Encoding.UTF8.GetBytes("security key I was provided");

    var tokenHandler = new JwtSecurityTokenHandler();
    // Unix epoch time in milliseconds, plus 6000 ms.
    var now = DateTime.UtcNow.Subtract(new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalMilliseconds + 6000;
    var tokenDescriptor = new SecurityTokenDescriptor
    {
        Subject = new ClaimsIdentity(new List<Claim>
        {
            new Claim("iss", "my client id"),
            new Claim("aud", "https://test.salesforce.com"),
            new Claim("prn", "user@domain.com"),
            new Claim("exp", now.ToString(CultureInfo.InvariantCulture))
        }),
        AppliesToAddress = "https://test.salesforce.com",
        TokenIssuerName = "my client id",
        // HMAC-SHA256 over the token using the symmetric key above.
        SigningCredentials = new SigningCredentials(
            new InMemorySymmetricSecurityKey(securityKey),
            "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256",
            "http://www.w3.org/2001/04/xmlenc#sha256")
    };

    var token = tokenHandler.CreateToken(tokenDescriptor);
    return tokenHandler.WriteToken(token);
}

Any ideas or suggestions would be greatly appreciated.
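Pre-flight checks for a Salesforce JWT bearer assertion, written as an added example for the C# post above and for the "audience is invalid" case in the earlier post; this is not code from any poster. It decodes the header and claims of an assertion (no signature needed) and reports the rejection causes these posts run into: an alg other than RS256, an aud that is not the login host the request is POSTed to, and an exp written as a string or in milliseconds. The LOGIN_HOSTS tuple and the 3-minute exp window are assumptions taken from Salesforce's JWT bearer documentation, and make_unsigned_assertion is a hypothetical helper that builds only the unsigned part for inspection.

```python
import base64
import json
import time

# Login hosts accepted as aud here; add your My Domain host if your org uses one (assumption).
LOGIN_HOSTS = ("https://login.salesforce.com", "https://test.salesforce.com")
MAX_EXP_AHEAD = 3 * 60  # Salesforce documents exp as at most 3 minutes in the future


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def make_unsigned_assertion(header: dict, claims: dict) -> str:
    """Build header.claims.<placeholder>; a real assertion signs the first two parts with RS256."""
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    return ".".join(parts + ["signature-placeholder"])


def inspect_assertion(assertion: str, now: int = None) -> list:
    """Return the reasons Salesforce's token endpoint would reject this assertion (empty if none)."""
    now = int(time.time()) if now is None else now
    header_b64, claims_b64, _sig = assertion.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(claims_b64))
    problems = []
    if header.get("alg") != "RS256":
        problems.append("alg is %r; must be RS256 signed with the connected app's private key" % header.get("alg"))
    if "iss" not in claims:
        problems.append("missing iss (the connected app's consumer key)")
    if "sub" not in claims and "prn" not in claims:  # prn is the older spelling of sub
        problems.append("missing sub (the Salesforce username)")
    aud = claims.get("aud")
    if aud not in LOGIN_HOSTS:
        problems.append("aud %r must be the login host the token request is POSTed to" % aud)
    exp = claims.get("exp")
    if isinstance(exp, str):
        problems.append("exp must be a JSON number, not a string")
        exp = int(float(exp)) if exp.replace(".", "", 1).isdigit() else None
    if exp is None:
        problems.append("missing or unreadable exp")
    elif exp > 10**11:
        problems.append("exp looks like milliseconds; NumericDate is seconds since the epoch")
    elif exp < now:
        problems.append("assertion already expired")
    elif exp - now > MAX_EXP_AHEAD:
        problems.append("exp is more than 3 minutes ahead")
    return problems
```

Run inspect_assertion on the assertion your code produces before POSTing it; an empty list means the claims and alg are shaped the way the token endpoint expects, leaving only the signature and the connected app's user approval to check.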