wm1 asked jcy commented

Missing CODE parameter in OAUTH v2 flow, but only if app is not installed

NOTES: 
We have Alt Launch Path added to production
This is for web-based OAUTH v2 (not on Clover devices)


We're updating our live app to OAUTH v2 flow and we're experiencing an issue with OAUTH v2 flow in a specific use-case.


#1 Merchant clicks a link on our website to connect their Clover
> CONDITION : App has NOT been previously installed OR has been uninstalled

Action:
A merchant clicks a properly constructed link to initiate OAUTH v2 on our website:
https://www.clover.com/oauth/v2/authorize?client_id={APP-ID}&redirect_uri={OAUTH Site-URL}/{Launch Path}&response_type=code&state={STATE-UUID}

Expected behavior:
Merchant is redirected to Clover.com->AppMarket->AppListing (logs in and selects mid if necessary)
Merchant selects a subscription and clicks "Connect"
Merchant is redirected to:
{OAUTH Site-URL}/{Launch Path}?merchant_id={MID}&client_id={APPID}&state={STATE-UUID}&employee_id={EMPLOYEE-ID}&code={AUTH CODE}

Actual Behavior:
Merchant is redirected to Clover.com->AppMarket->AppListing (logs in and selects mid if necessary)
Merchant selects a subscription and clicks connect
Merchant is redirected to:
{OAUTH Site-URL}/{Launch Path}?merchant_id={MID}&client_id={APPID}

>> We're missing a CODE parameter in the URL and cannot proceed to the next step to request a token. In the flow diagram on this page: https://docs.clover.com/docs/high-trust-app-auth-flow it states that we should be receiving CODE. We're also missing the STATE that was passed to the auth endpoint.

>> This flow behavior is the same if the merchant initiated it by clicking "connect app" or "open installed app" from the marketplace listing/left panel, but according to the docs, it should properly redirect with CODE param.


#2 Merchant clicks a link on our website to connect their Clover
> CONDITION : App has been previously installed

Action:
A merchant clicks a properly constructed link to initiate OAUTH v2 (same as in #1)
https://www.clover.com/oauth/v2/authorize?client_id={APP-ID}&redirect_uri={OAUTH Site-URL}/{Launch Path}&response_type=code&state={STATE-UUID}

Expected behavior:
Merchant is redirected to clover.com (logs in and selects mid if necessary) and then redirected to:
{OAUTH Site-URL}/{Launch Path}?merchant_id={MID}&client_id={APPID}&state={STATE-UUID}&employee_id={EMPLOYEE-ID}&code={AUTH CODE}

Actual Behavior matches expected:
Merchant is redirected to:
{OAUTH Site-URL}/{Launch Path}?merchant_id={MID}&client_id={APPID}&state={STATE-UUID}&employee_id={EMPLOYEE-ID}&code={AUTH CODE}

>> This use-case works. We have the "state" and "code" and are able to get refresh+access tokens from oauth/v2/token.

--------

Please advise


jcy answered jcy commented

I think the APP will not return the code if it is not installed, because when I delete the APP, my access token will also become invalid.


wm1 commented ·
It has nothing to do with the token.

We start the AUTH flow explicitly and we should get back the code+state on both of them, as they are the same requests.

jcy commented (replying to wm1) ·

Why not install the APP at the merchant?

jcy commented (replying to jcy) ·

You entered the app_id in the URL for v2 authorization, and then jumped to Clover to select the merchant, but the merchant did not install the app, so the access_token will be invalid, and the authorization code used to obtain the access_token cannot be obtained. I think this should be the case, but the Clover documentation has no description of it.

harry625 answered wm1 commented

It looks like you're experiencing issues with the OAUTH v2 flow when a merchant hasn't previously installed the app. Specifically, the CODE parameter is missing in the URL, preventing the next step to request a token. According to the Clover documentation, the CODE should be received. This issue doesn't occur when the app has been previously installed, as the flow works correctly in that case.

Please review the flow diagram and ensure all parameters, including STATE, are correctly passed. For further assistance, you may want to check out additional resources or reach out to Clover support.


wm1 commented ·
please stop posting ai-generated summaries that have zero value
wm1 answered

This diagram here https://docs.clover.com/docs/high-trust-app-auth-flow clearly states that if /v2/authorize is initiated by us, we should get back the code (+state) (circled in red). However it is only true IF the app has been previously installed.
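
Added example, not part of any post in this thread and not Clover's code: a framework-neutral callback handler for the two redirect shapes reported in the question, which exchanges a code only when the returned `state` matches the one issued and otherwise restarts `/oauth/v2/authorize` with a fresh `state`. Assumptions: `session` is a server-side dict-like store, the function names and `MAX_RESTARTS` are hypothetical, and restarting once the app is installed yields the case #2 redirect.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://www.clover.com/oauth/v2/authorize"  # endpoint from the question
MAX_RESTARTS = 1  # assumption: one automatic retry before showing an error


def build_authorize_url(client_id, redirect_uri, session):
    """Mint a fresh single-use state, store it server-side, return the authorize URL."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "state": session["oauth_state"],
    })
    return f"{AUTHORIZE_URL}?{query}"


def handle_callback(callback_url, client_id, redirect_uri, session):
    """Return ("exchange", code), ("restart", authorize_url) or ("reject", reason)."""
    params = parse_qs(urlsplit(callback_url).query)
    if any(len(values) > 1 for values in params.values()):
        return ("reject", "duplicated query parameter")
    params = {name: values[0] for name, values in params.items()}
    expected = session.pop("oauth_state", None)  # state is single-use either way
    if params.get("client_id") != client_id:
        return ("reject", "client_id mismatch")
    if "code" not in params:
        # Shape reported for the not-installed case: merchant_id and client_id only.
        # There is nothing to exchange and no state to verify, so start over.
        if session.get("oauth_restarts", 0) >= MAX_RESTARTS:
            return ("reject", "no code after restart")
        session["oauth_restarts"] = session.get("oauth_restarts", 0) + 1
        return ("restart", build_authorize_url(client_id, redirect_uri, session))
    state = params.get("state", "")
    if not expected or not hmac.compare_digest(state.encode(), expected.encode()):
        return ("reject", "state mismatch")
    session.pop("oauth_restarts", None)
    return ("exchange", params["code"])


if __name__ == "__main__":
    s = {}  # constructed stand-in for a server-side session
    build_authorize_url("APPID", "https://app.example/launch", s)
    print(handle_callback("https://app.example/launch?merchant_id=MID&client_id=APPID",
                          "APPID", "https://app.example/launch", s)[0])
```

The `merchant_id` on a callback that carries no `code` is unauthenticated input, so the handler never binds it to an account; only the restarted flow that returns a matching `state` leads to a token exchange.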