thedangler asked ownistic sent

OAuth 2.0 driving me nuts... No refresh token sent

*** See very end for working code but it's not ideal as I have to maybe two request to oauth redirect url.

I'm implementing OAUTH2 for my rest service.


I'm doing

        $resp = Http::get("https://sandbox.dev.clover.com/oauth/token",[
            'client_id'=>$client_id,
            'client_secret'=> $secret,
            'code' => $access_code
        ]);

I'm getting the access code back.

But how the hell do I request a refresh token if the end point is requesting a refresh token that is never sent to me. This seems to be the old way.

I found these new end points but they just give me error messages.

        $resp = Http::post("https://apisandbox.dev.clover.com/oauth/v2/token",[
            'client_id'=>$client_id,
            'client_secret'=> $secret,
            'code' => $access_code
        ]);

This does not work. And yes all the values are valid.

"{"status":"Unauthorized","message":"Failed to validate authentication code."}"



What is going on?
Also if you set the REST api to give you a token the query string is broken.
http://myapp.test/clover_auth?merchant_id=MIDID&employee_id=AFSD5&client_id=64QJG****#access_token=d8b7e9dc-0d7d-b163-583e-631597747a3a

#access_token should be &access_token


This is driving me insane.


I also tried.

starting the auth flow from my site like so.

        return redirect('https://sandbox.dev.clover.com/oauth/v2/authorize?code_challenge='.$code_challenge.'&client_id='.env('CLOVER_APP_ID2').'&redirect_url=https://appdomain.test/clover_auth');

I get sent to a random page with this error:
"There was an issue in getting a response from the Auth Token service."

User is never sent back to my auth url set in the REST settings.

I'm at my wits end with this documentation.
Should have some code demos for the OAuth flow for 2.0 from for all examples. Nothing seems to work. It's probably something silly I'm missing but these docs are not the best.

Please help.

Update: I was able to get the access token and refresh token only when I start the OAuth flow from my site. with this call

https://sandbox.dev.clover.com/oauth/v2/authorize?client_id='.env('CLOVER_APP_ID').'&client_secret='.env('CLOVER_APP_SECRET').'&redirect_url=https://cloverscope.test/clover_auth'


When the OAuth starts from Clover I always get the error.


Why does starting OAuth from clover not work?



This is my working code, because if the user initiates the OAuth flow from the link in the Clover dashboard, the initial code sent in the query fails to validate. So I send an authorize request, and the code that comes back from that works to request a token... Why, I have no idea.


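    // Callback for the redirect URL configured in the app's REST settings.
    // Needs: use Illuminate\Http\Request; use Illuminate\Support\Facades\Http;
    public function register(Request $request){

        // Values Clover appends to the redirect query string
        $MID = $request->get('merchant_id');
        $client_id = $request->get('client_id');
        $employee_id = $request->get('employee_id',null);
        $access_code = $request->get('code',null);

        $secret = env('CLOVER_APP_SECRET');

        // Exchange the authorization code for tokens (Laravel sends the array as a JSON body)
        $resp = Http::post("https://apisandbox.dev.clover.com/oauth/v2/token",[
            'client_id'=>env('CLOVER_APP_ID'),
            'client_secret'=> $secret,
            'merchant_id' => $MID,
            'code' => $access_code
        ]);

        // The code from a dashboard launch is rejected, so start the authorize flow again from this site
        if($resp->json('message') == "Failed to validate authentication code."){
            // Note: this redirect places the app secret in a browser-visible URL
            return redirect('https://sandbox.dev.clover.com/oauth/v2/authorize?client_id='.env('CLOVER_APP_ID').'&client_secret='.env('CLOVER_APP_SECRET').'&redirect_url=https://myapp.test/clover_auth');
        }

        // Debug dump of the token response (access token, refresh token, expirations)
        dd($resp->body());

    }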



tomdanny answered thedangler commented

Struggling with OAuth 2.0 and not receiving refresh tokens can be exasperating. This issue may stem from misconfigurations or limitations within the authorization flow. Ensure your OAuth client is properly configured to request offline access, triggering the issuance of refresh tokens. Verify the authorization server's capabilities to support refresh token issuance. Thoroughly examine OAuth specifications and your implementation to identify potential discrepancies. Collaborating with community forums or seeking expert advice can offer insights into common pitfalls. Troubleshooting OAuth intricacies, understanding token lifecycle, and addressing specific issues in your implementation are key steps in resolving the frustration associated with missing refresh tokens.

thedangler commented ·

@Tomdanny


This is a fresh app. All I'm trying to do is get the refresh token when I get my access token.

When a user clicks on the link from the app, OAuth 2.0 doesn't work at all. I always get a "Failed to validate authentication code" error.

If I launch the OAuth from my own site I get back the access token, refresh token, and expire dates.

So I'm not sure how to handle the OAuth flow if it comes from Clover.

chrispetchey answered webmaster2 commented

How I'm achieving this is:

I created a clover "web" app (as a developer), setting the DefaultOauthResponse to "code" and the url to my site url.

I added it to my test merchant.

The app then shows up in the left hand navigation of the test merchants dashboard. When the merchant launches the app from there I redirect to

/oauth/v2/authorize?client_id=[myAppId]&redirect_uri=[mySitePage2]

On page2 the querystring includes the merchant_id, employee_id, client_id and a code

You can then make a POST to

/oauth/v2/token

passing in "client_id":"{myAppId}","client_secret":"{myAppSecret}","code":"{code}"

This will return an access token and a refresh token

webmaster2 commented ·

Wow, thanks for this. I had no idea how to get "code" and the Clover docs didn't explain any of this, from what I can tell. ...Now I have something to try. :-)

polywickstudio answered

I managed to do this. You need to parse Json on response, not body-form WWW-form style.

bryanvargas answered
Try this path:

1. First have developer app ready with redirect URL and test merchant
2. Access the link in a web browser (redirect URL has to be the same as app redirect URL, and it will prompt for a merchant login):

        {{baseUrl}}/oauth/v2/authorize?client_id={{appId}}&redirect_uri={{redirectUrl}}

3. In the URL there will be a code.
   EX: https://sandbox.dev.clover.com/?merchant_id={mId}&employee_id={emId}&client_id={appId}&code={authCode}
4. Take note of the returned authCode and send a POST request to {{baseUrl}}/oauth/v2/token

   Payload:

        {
           "client_id": "{{appId}}",
           "client_secret": "{{appSecret}}",
           "code": "{authCode}"
        }

5. Return output:

        {
            "access_token": "{accessToken}",
            "access_token_expiration": 1702572139,
            "refresh_token": "clvroar-#####",
            "refresh_token_expiration": 1734106339
        }
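
The flow that chrispetchey and bryanvargas describe, as an added plain-PHP example (not code from the thread or from Clover): the authorize URL carries only `client_id` and `redirect_uri`, the app secret appears only in the server-side JSON POST, and the JSON reply is rejected unless both tokens are present. The function names, the 2xx success check, the 401 status and the sample replies are assumptions or constructed values; the hosts are the sandbox hosts from the question.

```php
<?php
declare(strict_types=1);
// Hosts as they appear in the question (sandbox). Function names are hypothetical.
const CLOVER_WEB = 'https://sandbox.dev.clover.com';
const CLOVER_API = 'https://apisandbox.dev.clover.com';

// Step 1: browser redirect. Only public values go here; the app secret never does.
function authorizeUrl(string $appId, string $redirectUri): string
{
    return CLOVER_WEB . '/oauth/v2/authorize?'
        . http_build_query(['client_id' => $appId, 'redirect_uri' => $redirectUri]);
}

// Step 2: server-side POST with a JSON body (not form-encoded).
function tokenRequest(string $appId, string $appSecret, string $code): array
{
    $body = ['client_id' => $appId, 'client_secret' => $appSecret, 'code' => $code];
    return [
        'url'     => CLOVER_API . '/oauth/v2/token',
        'headers' => ['Content-Type: application/json'],
        'body'    => json_encode($body, JSON_THROW_ON_ERROR),
    ];
}

// Step 3: parse the JSON reply; fail closed unless both tokens are present.
// Assumption: success is any 2xx status.
function parseTokenResponse(int $status, string $raw): array
{
    $data = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    $data = is_array($data) ? $data : [];
    if ($status < 200 || $status > 299 || !isset($data['access_token'], $data['refresh_token'])) {
        throw new RuntimeException('Token exchange failed: ' . ($data['message'] ?? 'unexpected response'));
    }
    return [
        'access_token'       => (string) $data['access_token'],
        'refresh_token'      => (string) $data['refresh_token'],
        'access_expires_at'  => (int) ($data['access_token_expiration'] ?? 0),
        'refresh_expires_at' => (int) ($data['refresh_token_expiration'] ?? 0),
    ];
}

// Constructed sample replies in the shape shown in the thread (placeholder values).
$ok  = '{"access_token":"PLACEHOLDER","access_token_expiration":1702572139,'
     . '"refresh_token":"PLACEHOLDER","refresh_token_expiration":1734106339}';
$bad = '{"status":"Unauthorized","message":"Failed to validate authentication code."}';
echo authorizeUrl('APP_ID', 'https://myapp.test/clover_auth'), "\n";
$tokens = parseTokenResponse(200, $ok);
echo 'access token expires at ', gmdate('c', $tokens['access_expires_at']), "\n"; // never log the tokens
try { parseTokenResponse(401, $bad); } catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
```

In the Laravel code from the question, the array built in `tokenRequest()` corresponds to the `Http::post()` payload, and `$resp->status()` with `$resp->body()` are the inputs to `parseTokenResponse()`.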