• Chris Ickes
I know others have asked this question.  The previous solutions have not worked.  Using the OAuth JWT flow.

1.  All Users Can Authorize
2.  User authorized via https://login.salesforce.com/services/oauth2/authorize?client_id=<CLIENT_ID>&redirect_uri=<NON_WORKING_CALLBACK_URL>&response_type=code
3.  OAuth Scopes include 
Access and manage your data (api)
Perform requests on your behalf at any time (refresh_token, offline_access)

POST to test.salesforce.com OR login.salesforce.com returns
{"error":"invalid_grant","error_description":"user hasn't approved this consumer"}  
  
If I change the aud of my JWT from https://login.salesforce.com to https://XXX.force.com, I receive
{"error":"invalid_grant","error_description":"audience is invalid"}
which is the standard error response for an invalid token.  I take that to mean my certificates are working correctly since it only gives the error when I change audience to an invalid value.

What am I missing?
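
A pre-flight check for the JWT assertion described in the post, added here as an example (not code from the original poster or from Salesforce): it decodes the token without verifying the signature, checks the header and claims the flow depends on, and builds the form body for the token request. The function names, the sample user and the 180-second `exp` limit are assumptions.

```python
import base64, json
from urllib.parse import urlencode

# Audience values for the two login hosts named in the post.
ALLOWED_AUD = {"https://login.salesforce.com", "https://test.salesforce.com"}
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"
MAX_LIFETIME = 180  # seconds; assumed upper bound on exp for this flow

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def inspect_assertion(jwt: str, now: float) -> list:
    """Return the problems found in the header and claims (signature not verified)."""
    parts = jwt.split(".")
    if len(parts) != 3 or not parts[2]:
        return ["not a signed compact JWT (header.claims.signature)"]
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        alg, aud, exp = header.get("alg"), claims.get("aud"), claims.get("exp")
    except (ValueError, AttributeError):
        return ["header or claims are not base64url-encoded JSON objects"]
    problems = []
    if alg != "RS256":
        problems.append("alg is %r, expected RS256" % alg)
    for name in ("iss", "sub", "aud", "exp"):
        if name not in claims:
            problems.append("missing claim: " + name)
    if "aud" in claims and (not isinstance(aud, str) or aud not in ALLOWED_AUD):
        problems.append("aud %r is not a login endpoint" % (aud,))
    if isinstance(exp, (int, float)):
        if exp <= now:
            problems.append("exp is in the past")
        elif exp - now > MAX_LIFETIME:
            problems.append("exp is more than %d s ahead" % MAX_LIFETIME)
    return problems

def token_request_body(jwt: str) -> str:
    """Form body for POST <aud>/services/oauth2/token."""
    return urlencode({"grant_type": GRANT_TYPE, "assertion": jwt})

def sample_jwt(aud: str, now: float) -> str:
    """Constructed sample: placeholder issuer and user, fake signature."""
    claims = {"iss": "<CLIENT_ID>", "sub": "user@example.com", "aud": aud, "exp": int(now) + 120}
    parts = [json.dumps(p).encode() for p in ({"alg": "RS256"}, claims)]
    return ".".join(b64url(p) for p in parts + [b"not-a-real-signature"])
```

A clean result only means the assertion is well formed; whether the user has approved the connected app is decided by the server and cannot be checked from the token.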
 