question

thedangler avatar image
thedangler asked ownistic answered

OAuth 2.0 driving me nuts... No refresh token sent

*** See very end for working code but its not ideal as I have to maybe two request to oauth redirect url.

I'm implementing OAUTH2 for my rest service.


I'm doing

        $resp = Http::get("https://sandbox.dev.clover.com/oauth/token",[

            'client_id'=>$client_id,
            'client_secret'=> $secret,
            'code' => $access_code


        ]);

I'm getting the access code back.

But how the hell do I request a refresh token if the end point is requesting a refresh token that is never sent to me. This seems to be the old way.

I found these new end points but they just give me error messages.

        $resp = Http::post("https://apisandbox.dev.clover.com/oauth/v2/token",[

            'client_id'=>$client_id,
            'client_secret'=> $secret,
            'code' => $access_code
            
        ]);

This does not work. And yes all the values are valid.

"{"status":"Unauthorized","message":"Failed to validate authentication code."}"



What is going on?
Also if you set the REST api to give you a token the query string is broken.
http://myapp.test/clover_auth?merchant_id=MIDID&employee_id=AFSD5&client_id=64QJG****#access_token=d8b7e9dc-0d7d-b163-583e-631597747a3a

#access_token should be &access_token


This is driving me insane.


I also tried.

starting the auth flow from my site like so.

return redirect('https://sandbox.dev.clover.com/oauth/v2/authorize?code_challenge='.$code_challenge.'&client_id='.env('CLOVER_APP_ID2').'&redirect_url=https://appdomain.test/clover_auth');

I get sent to a random page this this error:
"There was an issue in getting a response from the Auth Token service."

User is never set back to my auth url set in the REST settings.

I'm at my wits end with this documentation.
Should have some code demos for the OAuth flow for 2.0 from for all examples. Nothing seems to work. It's probably something silly im missing but these docs are not the best.

Please help.

Update: I was able to get the access token and refresh token only when I start the OAuth flow from my site. with this call

https://sandbox.dev.clover.com/oauth/v2/authorize?client_id='.env('CLOVER_APP_ID').'&client_secret='.env('CLOVER_APP_SECRET').'&redirect_url=https://cloverscope.test/clover_auth'


When the OAuth starts from Clover I always get the error.


Why does starting OAuth from clover not work?



This is my working code because if the user initiates the OAuth flow from the link in clover dashboard the initial code sent in the query Fails to Validate. So I send and authorize request with and the code that comes back from that works to request a token... Why I have no idea.


    public function register(Request $request){

        $MID = $request->get('merchant_id');
        $client_id = $request->get('client_id');
        $employee_id = $request->get('employee_id',null);
        $access_code = $request->get('code',null);


        $secret = env('CLOVER_APP_SECRET');

        $resp = Http::post("https://apisandbox.dev.clover.com/oauth/v2/token",[

            'client_id'=>env('CLOVER_APP_ID'),
            'client_secret'=> $secret,
            'merchant_id' => $MID,
            'code' => $access_code

        ]);

        if($resp->json('message') == "Failed to validate authentication code."){

            return redirect('https://sandbox.dev.clover.com/oauth/v2/authorize?client_id='.env('CLOVER_APP_ID').'&client_secret='.env('CLOVER_APP_SECRET').'&redirect_url=https://myapp.test/clover_auth');

        }

        dd($resp->body());

    }



REST APIOAuth
10 |2000

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

chrispetchey avatar image
chrispetchey answered webmaster2 Suspended commented

How I'm achieving this is:

I created a clover "web" app (as a developer), setting the DefaultOauthResponse to "code" and the url to my site url.

I added it to my test merchant.

The app then shows up in the left hand navigation of the test merchants dashboard. When the merchant launches the app from there I redirect to

/oauth/v2/authorize?client_id=[myAppId]&redirect_uri=[mySitePage2]

On page2 the querystring includes the merchant_id, employee_id, client_id and a code

You can then make a POST to

/oauth/v2/token

passing in "client_id":"{myAppId}","client_secret":"{myAppSecret}","code":"{code}"

This will return an access token and a refresh token

10 |2000

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

polywickstudio avatar image
polywickstudio answered

I managed to do this. You need to parse Json on response, not body-form WWW-form style.

10 |2000

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

bryanvargas avatar image
bryanvargas answered
Try this path:

1. First have developer app ready with redirect URL and test merchant
2. access the link in Web Browser(redirect URL has to be the same as app redirect URL and it will prompt for a merchant login
{
                 {baseUrl}}/oauth/v2/authorize?client_id={
                 {appId}}&redirect_uri={
                 {redirectUrl}}
3. In the url there will be a code
EX: https://sandbox.dev.clover.com/?merchant_id={mId}&employee_id={emId}&client_id={appId}&code={authCode}
4. take note of the returned authCode and send post request to {
                 {baseUrl}}/oauth/v2/token

Payload:
{
   "client_id": "{
                 {appId}}",
   "client_secret": "{
                 {appSecret}}",
   "code": "{authCode}"
}
5. return output:
{
    "access_token": "{accessToken}",
    "access_token_expiration": 1702572139,
    "refresh_token": "clvroar-#####",
    "refresh_token_expiration": 1734106339
}
10 |2000

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

ownistic avatar image
ownistic answered ownistic published

I had the same issue at the beginning, but setting the endpoint for the authorize URL (of your server) in the Alternate Launch Path field fixed the issue and gave me a valid authorization code that I can exchange for the access and refresh token, just don't forget to set the merchant_id as a param to the /oath/authorize clover endpoint when you redirect back to clover so it doesn't show the select store UI of clover

10 |2000

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Write an Answer

Hint: Notify or tag a user in this post by typing @username.

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Welcome to the
Clover Developer Community