Discord oauth2 with php

Question

I'm trying to create a sign in system using disocrd's oauth2.

This is my code:

  <?php
    ini_set('display_errors', 1);
    ini_set('display_startup_errors', 1);
    ini_set('max_execution_time', 300); //300 seconds = 5 minutes. In case if your CURL is slow and is loading too much (Can be IPv6 problem)
    
    error_reporting(E_ALL);
    
    define('OAUTH2_CLIENT_ID', 'XXXXXXXXXXXXXXXXXXXXXX'); //Your client Id
    define('OAUTH2_CLIENT_SECRET', 'XXXXXXXXXXXXXXXXXXXXXX'); //Your secret client code
    
    $authorizeURL = 'https://discordapp.com/api/oauth2/authorize';
    $tokenURL = 'https://discordapp.com/api/oauth2/token';
    $apiURLBase = 'https://discordapp.com/api/users/@me';
    
    session_start();
    
    // Start the login process by sending the user to Discord's authorization page
    if(get('action') == 'login') {
    
      // Redirect the user to Discord's authorization page
      header('Location: https://discord.com/api/oauth2/authorize?client_id=873917693953191946&redirect_uri=http%3A%2F%2Fbouncerbot.go-atcode.com%2Fauth.php&response_type=code&scope=identify%20email%20connections%20guilds%20gdm.join%20guilds.join%20rpc%20rpc.notifications.read%20rpc.voice.read%20rpc.voice.write');
      die();
    }
    
    
    // When Discord redirects the user back here, there will be a "code" and "state" parameter in the query string
    if(get('code')) {
    
      $token = apiRequest($tokenURL, array(
    "grant_type" => "authorization_code",
    'client_id' => 'XXXXXXXXXXXXXXXX', //censored
    'client_secret' => 'XXX-XXXXXXXXXXXXXXXXXXX',
    'redirect_uri' => 'http://bouncerbot.go-atcode.com/auth.php',
    'code' => get('code')
  ));
      $logout_token = $token->access_token;
      $_SESSION['access_token'] = $token->access_token;
    
    
      header('Location: ' . $_SERVER['PHP_SELF']);
    }
    ?><script> console.log(<? echo $user->username?> )</script><?
    if(session('access_token')) {
      $user = apiRequest($apiURLBase);
    
      echo '<h3>Logged In</h3>';
      echo '<h4>Welcome, ' . $user->username . '</h4>';
      echo '<pre>';
        print_r($user);
      echo '</pre>';
    
    } else {
      echo '<h3>Not logged in</h3>';
      echo '<p><a href="?action=login">Log In</a></p>';
    }
    
    
    if(get('action') == 'logout') {
      // This must to logout you, but it didn't worked(
    
      $params = array(
        'access_token' => $logout_token
      );
    
      // Redirect the user to Discord's revoke page
      header('Location: https://discordapp.com/api/oauth2/token/revoke' . '?' . http_build_query($params));
      die();
    }
    
    function apiRequest($url, $post=FALSE, $headers=array()) {
      $ch = curl_init($url);
      curl_setopt($ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);
      curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
    
      $response = curl_exec($ch);
    
    
      if($post)
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post));
    
      $headers[] = 'Accept: application/json';
    
      if(session('access_token'))
        $headers[] = 'Authorization: Bearer ' . session('access_token');
    
      curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    
      $response = curl_exec($ch);
      return json_decode($response);
    }
    
    function get($key, $default=NULL) {
      return array_key_exists($key, $_GET) ? $_GET[$key] : $default;
    }
    
    function session($key, $default=NULL) {
      return array_key_exists($key, $_SESSION) ? $_SESSION[$key] : $default;
    }
    
    ?>

The problem is that when I go to authorize on discord and then discord redirects me back to auth.php, the token is not fetched and therefore remains:

Not logged in Log In

I couldn't figure out the cause of the problem so I asked a question. This is the login page: http://bouncerbot.go-atcode.com/auth.php

Answer 1

1st) Redirection is working fine because you are using

'redirect_uri' => 'http://bouncerbot.go-atcode.com/auth.php',

That's why to redirect to auth.php

2nd) You have to define the same redirection URL on discord application like this:

3rd) Create a code generation page and redirection page, you can either both on same page or you can create both seprate pages.

As I am testing with creating 2 pages

1. The request for code (disocrd.php)

 <?php

    define('OAUTH2_CLIENT_ID', '882143362046640112');

    $redirectURL = 'https://localhost/test_project/disocrd_responce.php';

    $params = array(
        'client_id' => OAUTH2_CLIENT_ID,
        'redirect_uri' => $redirectURL,
        'response_type' => 'code',
        'scope' => 'identify guilds'
    );

    // Redirect the user to Discord's authorization page
    header('Location: https://discord.com/api/oauth2/authorize' . '?' . http_build_query($params));
    die();
    ?>

After hit this page, the page will auto-redirect to https://localhost/test_project/disocrd_responce.php with code

2. Generate token by using code (disocrd_responce.php)

<?php

ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
ini_set('max_execution_time', 300); //300 seconds = 5 minutes. In case if your CURL is slow and is loading too much (Can be IPv6 problem)

error_reporting(E_ALL);

$code = isset($_REQUEST['code']) ? $_REQUEST['code'] : '';

define('OAUTH2_CLIENT_ID', '882143362046640112');
define('OAUTH2_CLIENT_SECRET', 'hYvpAl_heUJNC0veaoraMxNhJL2fgHVU');

$authorizeURL = 'https://discord.com/api/oauth2/authorize';
$tokenURL = 'https://discord.com/api/oauth2/token';
$redirectURL = 'https://localhost/test_project/disocrd_responce.php';

if(get('code')) {

  session_start();

  // Exchange the auth code for a token
  $token = apiRequest($tokenURL, array(
    "grant_type" => "authorization_code",
    'client_id' => OAUTH2_CLIENT_ID,
    'client_secret' => OAUTH2_CLIENT_SECRET,
    'redirect_uri' => $redirectURL,
    'code' => get('code')
  ));
  $logout_token = $token->access_token;
  $_SESSION['access_token'] = $token->access_token;

  echo "<pre>"; print_r($token); exit; // get token properly
// header('Location: ' . $_SERVER['PHP_SELF']);
}

function apiRequest($url, $post=FALSE, $headers=array()) {
  $ch = curl_init($url);
  curl_setopt($ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);

  $response = curl_exec($ch);


  if($post){
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post));
  }
  $headers[] = 'Accept: application/json';

  if(isset($_SESSION['access_token']))
    $headers[] = 'Authorization: Bearer ' . $_SESSION['access_token'];

  curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

  $response = curl_exec($ch);
  return json_decode($response);
}

function get($key, $default=NULL) {
  return array_key_exists($key, $_GET) ? $_GET[$key] : $default;
}

?>

When I print tokens like this:

echo "<pre>"; print_r($token); exit;

We got token properly like this:

 stdClass Object
 (
   [access_token] => 'FBLOYotKRxe0uO7KJcS8mfce5z9YEE'
   [expires_in] => 604800
   [refresh_token] => FxlsNH06OHcbMCJlAZhWzbi4DsIjUO
   [scope] => identify guilds
   [token_type] => Bearer
 )

Note: I have a change customer id and token by security point of view