Lord Krex: The request I'm sending is:
"$url= 'auth.gog.com/token?client_id='+ $clientId + '&client_secret='+ $clientSecret +'&grant_type='+ $grantType +'&code=' + $code + '&redirect_uri=' + $redirect_uri;"
So all my variables have the required info... I got the code via my browser as recommended in the API docs.
But what am I using for redirect_uri? Should it be gameplay.gog.com? The GOG API docs say to use the same URI used in the auth method, which was
https://embed.gog.com/on_login_success?origin=client. Is that what I should use?
If so, I'm not sure what to do with the response. Do I need to send just the access token along with my request to gameplay.gog.com? The docs are quite clear on how that should look / work. That's where I'm confused.
I think the redirect_uri is only needed if you integrate the whole login procedure into your own service. You tell the login server where to forward you next after the login has succeeded. If you are not using a browser to do the login you can even ignore this. Just put in any valid URI.
What is important is the JSON response you are getting. From the documentation:
{
"expires_in": 3600,
"scope": "",
"token_type": "bearer",
"access_token":"XXX",
"user_id": "48628349957132247",
"refresh_token": "YYY",
"session_id": "6354900816570477251"
}
I have shortened the tokens to XXX and YYY; these strings are of course longer.
If you have just gotten the token in $response from the cURL call, simply make an object out of it and add a new property for the token expiration.
$OAUTH = json_decode($response);                      // JSON text -> stdClass object
$OAUTH->expire_time = time() + $OAUTH->expires_in - 60; // absolute expiry, 60 s early
expires_in is in seconds, so the token will expire in 1 hour. That is why I have set the expiration to 59 minutes after the current time. Before doing any request to a URL that requires a token you must check the current time() against $OAUTH->expire_time. If time() > $OAUTH->expire_time then you must refresh the token.
If the token is still valid, using it is pretty simple. You just need to add an Authorization header to your cURL calls. The header looks like this:
$authHeader = 'Authorization: Bearer ' . $OAUTH->access_token;
Note that there is a space after the : and after 'Bearer'! And that's how you use it:
$url = "any valid GOG API url";
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); // without this curl_exec() prints the body and returns true
curl_setopt($ch, CURLOPT_HTTPHEADER, [$authHeader]);
$response = curl_exec($ch);
If the token has already become invalid you need to refresh it by calling this URL:
$url = "https://auth.gog.com/token?client_id=46899977096215655&client_secret=9d85c43b1482497dbbce61f6e4aa173a433796eeae2ca8c5f6129f2dc4de46d9&grant_type=refresh_token&refresh_token=" . $OAUTH->refresh_token;
EDIT: And that is why cutting and pasting code is never a good idea. The forum shows every ampersand in the URL as &_amp_; even though it is just an &.
The response will be a JSON with a new token. Treat it just like a new token.
I would also recommend saving the token to the hard drive:
file_put_contents(__DIR__ . "/OAUTH.json", json_encode($OAUTH, JSON_PRETTY_PRINT));
I recommend this because, in my experience, the refresh token never times out. Even after several months it was still valid. So as long as you have a valid refresh token you never have to go through the login procedure again.
Hope this helps.
P.S.: Yes, the above examples are without error checking to illustrate the principle. Please always check if cURL calls succeed, if the result you received is as expected (e.g. valid JSON), do retries on timeouts, etc.
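The whole lifecycle from the reply (decode, stamp expire_time, check before each call, refresh, save to disk) pulled together into a few functions, as an added example that is not code from the thread. The client id and secret are placeholders, and $http is an assumed callable so the refresh step can be exercised with any transport (the curlGet() below is one such transport).

```php
<?php
// Added example (not code from the thread). Client credentials are placeholders.
const GOG_TOKEN_URL = 'https://auth.gog.com/token';
const CLIENT_ID     = 'YOUR_CLIENT_ID';      // placeholder, not a real id
const CLIENT_SECRET = 'YOUR_CLIENT_SECRET';  // placeholder, not a real secret

// Decode a token response, check the fields the docs promise, and stamp expire_time.
function parseTokenResponse(string $json, int $now): object {
    $oauth = json_decode($json);
    if (!is_object($oauth) || empty($oauth->access_token) || !isset($oauth->expires_in)) {
        throw new RuntimeException('Unexpected token response: ' . $json);
    }
    $oauth->expire_time = $now + (int)$oauth->expires_in - 60; // 60 s safety margin
    return $oauth;
}

// Refresh with the refresh_token grant; http_build_query writes plain '&' between parameters.
function refreshToken(object $oauth, callable $http, int $now): object {
    $url = GOG_TOKEN_URL . '?' . http_build_query([
        'client_id'     => CLIENT_ID,
        'client_secret' => CLIENT_SECRET,
        'grant_type'    => 'refresh_token',
        'refresh_token' => $oauth->refresh_token,
    ]);
    $fresh = parseTokenResponse($http($url), $now);
    file_put_contents(__DIR__ . '/OAUTH.json', json_encode($fresh, JSON_PRETTY_PRINT)); // keep for next run
    return $fresh;
}

// Return the Authorization header, refreshing first only when the token has expired.
function authHeader(object &$oauth, callable $http, ?int $now = null): string {
    $now = $now ?? time();
    if ($now > $oauth->expire_time) {
        $oauth = refreshToken($oauth, $http, $now);
    }
    return 'Authorization: Bearer ' . $oauth->access_token;
}

// cURL transport with the checks the reply's P.S. asks for: success, status code, timeout.
function curlGet(string $url): string {
    $ch = curl_init($url);
    curl_setopt_array($ch, [CURLOPT_RETURNTRANSFER => true, CURLOPT_TIMEOUT => 15]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $error  = curl_error($ch);
    curl_close($ch);
    if ($body === false || $status !== 200) {
        throw new RuntimeException("Request failed: HTTP $status $error");
    }
    return $body;
}
```

Call authHeader($OAUTH, 'curlGet') before every API request; because the refreshed object (including any new refresh_token) is written back to OAUTH.json, the next run can start from the saved file instead of the browser login.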