client_credentials token endpoint returns 403 from cloud/datacenter server IPs — blocks server-side playback proxy #521
Description
Hi there!
A couple of weeks ago, the hosting server and DNS settings were changed from 198.55.249.203 to 107.173.204.227.
Currently, we´re getting this error:
Our application uses a server-side proxy to obtain OAuth tokens via client_credentials and then retrieve playable stream URLs from api.soundcloud.com/tracks/{id}/streams. This works correctly from a local development machine (residential IP), but in production, our server receives a 403 Forbidden from secure.soundcloud.com/oauth/token.
The same credentials work from a residential/non-datacenter IP. This strongly suggests CloudFront's WAF or geo/IP rules are blocking requests originating from datacenter IP ranges.
Evidence
{
"clientId_present": true,
"clientSecret_present": true,
"token_status": 403,
"token_error": "\n<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">\n<TITLE>ERROR: The request could not be satisfied</TITLE>\n\n
403 ERROR
\nThe request could not be satisfied.
\n<HR noshade size="1px">\nRequest blocked.\nWe can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner.\n<BR clear="all">\nIf you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation.\n<BR clear="all">\n<HR noshade size="1px">\n\nGenerated by cloudfront (CloudFront)\nRequest ID: mmo94BB9-Q9hmUSivFDLYxWwngdCJh6Puvke3kUMT-tCf5mbFXUIuQ==\n\n\n\n"
}