How to implement Battle.net login on Android/iOS App?

Hi, kind of noob here. :sweat_smile:

I’m developing a Unity App and I want my users to be able to log in to the App through their Battle.net account (cause I will let them pick their character later).

I don’t really know how to start, or even if it’s possible, but this is what I’ve done so far:

  • I’ve created my client on the Developer Portal, so now I have my client_id and my secret_key.

  • I use ZeShmoutt’s awesome repository to get OAuth token authorizations etc., and it works (I can get my characters).

My problem could be conceptual. As far as I know, to claim a token I need to claim it with a client_id, which is mine, cause I’m the developer and the only one who knows the pair of keys (client_id and secret_key). But then this token is only useful to get my own information, so my problem is: I need others to be able to put in their e-mail and password from Battle.net and do the magic. But only one client_id exists, mine.

I don’t see any endpoint or workflow in the documentation that talks about specifying other users’ e-mails or passwords…

What am I missing? Many thanks!

You’ll never manipulate other user’s email or password on your end, that is the whole point of OAuth2. See the authorization code flow for details.

Thanks for answering Schiller, but could you extend it? My real problem is that I don’t know how to approach this.

I’ve read the documentation and still have holes.

It seems that at some point I’ve to redirect from my App to a Battle.net website endpoint to do the register.
First question: which endpoint?

Then if the user logs in on this bnet redirected website I’ve to catch (?) the response of this login.
Second question: HOW?!

Oh I see, sorry I did not understand your question before. I’ll try to break down a few things:

The client_id does not identify your account, it identifies your application. This is used by the OAuth2 provider (battle.net) to determine which application is requesting a user’s information. What identifies an account is the email/password combination and that part is handled by bnet.

This part is specified in the root document for the OAuth2 documentation:

You’ll need to redirect the user to something like this: https://us.battle.net/oauth/authorize?client_id=<YOUR_APP_ID>&redirect_uri=<YOUR_REDIRECT_URI>&response_type=code&scope=wow.profile&state=<SEE_OAUTH2_DOC>

The authorization_code is returned from bnet as a queryString parameter on a get request on your app redirect_uri.

Some observations:

You never use your client_secret on the client-side part of this interaction, only on a request from your server after you have the user’s authorization_code. This is specified in the cURL sample on this doc page.

If this is a desktop app you’ll probably need to use a custom URL protocol to actually intercept the authorization_code, this SO thread might be helpful.

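The three steps Schiller describes (build the authorize URL with a state value, catch the authorization_code on the redirect_uri, then exchange it server-side with the client_secret) as an added Python example; this is not code from the thread or from ZeShmoutt’s repository. The client_id, client_secret, redirect_uri and the callback URL are constructed placeholders, and the token exchange is only built as a request description here, not sent, so the block runs offline. The state check is the part the thread only gestures at: the app must remember the random state it generated and refuse any callback whose state does not match, so a redirect the app did not start cannot hand it someone else’s code.

```python
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoints quoted in the thread above (US region).
AUTHORIZE_URL = "https://us.battle.net/oauth/authorize"
TOKEN_URL = "https://us.battle.net/oauth/token"


def build_authorize_url(client_id: str, redirect_uri: str, scope: str = "wow.profile"):
    """Step 1 (runs in the app): build the URL the user is sent to in a browser.

    Returns the URL and the random `state`; the app keeps `state` until the
    redirect comes back so it can tell its own request from a forged one.
    """
    state = secrets.token_urlsafe(32)
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2 (runs in the app): pull the authorization_code out of the redirect.

    Rejects the callback if battle.net reported an error, if `state` is missing
    or differs from what this app generated, or if no code is present.
    """
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    state = query.get("state", [""])[0]
    if not state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback was not started by this app")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def build_token_request(client_id: str, client_secret: str, redirect_uri: str, code: str) -> dict:
    """Step 3 (runs on YOUR server, never in the shipped app): describe the POST
    that exchanges the code for an access_token, mirroring the cURL in the thread.

    `redirect_uri` must be byte-for-byte the value used in step 1 (no query string).
    """
    credentials = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "method": "POST",
        "url": TOKEN_URL,
        "headers": {
            "Authorization": f"Basic {credentials}",  # what `curl -u id:secret` sends
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({
            "redirect_uri": redirect_uri,
            "scope": "wow.profile",
            "grant_type": "authorization_code",
            "code": code,
        }),
    }


if __name__ == "__main__":
    # Constructed placeholder values, not real credentials.
    url, state = build_authorize_url("my-app-id", "https://example.invalid/callback")
    print("send the user to:", url)
    # Constructed callback, as battle.net would redirect the browser to it.
    code = parse_callback(f"https://example.invalid/callback?code=abc123&state={state}", state)
    req = build_token_request("my-app-id", "my-app-secret", "https://example.invalid/callback", code)
    print("server then POSTs:", req["url"], req["body"])
```

To actually perform step 3, the server sends the described request with any HTTP client (urllib, requests); the mobile app only ever ships the code from step 2 to that server and receives the resulting access_token, so the client_secret never leaves the backend.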

Wow! Thanks for the deep answer @Schiller!

But I’m still having some questions if you don’t mind :sweat_smile:

The workflow that you have described is to get the “access” token, so the application can interact with it.

But this:

Where and when should this be done?

The authorization_code returned is not linked with the Blizzard account of the user, cause the user never logs in to the Battle.net account in this workflow, does it?

I’m feeling that I’m missing something, right?

Thanks for your continuous support Schiller!

What I mean is you don’t ever handle the email/password on your end. You can’t, for instance, create a login form on your app. You need to open up a web browser on the battle.net login page, this is done with the link I mentioned:

https://us.battle.net/oauth/authorize?client_id=<YOUR_APP_ID>&redirect_uri=<YOUR_REDIRECT_URI>&response_type=code&scope=wow.profile&state=<SEE_OAUTH2_DOC>

This is what you see on features like login with battle.net, even if you have a desktop/mobile app you still need a web browser in order to have access to a player’s account data. Like when you want to add a bot to discord and discord opens up a browser for you to authorize the bot to access your server.

Yes it is, however this is just a temporary token, you still need to exchange this code for an access_token and that access token will have access to the user’s account. This is done by making this request.

Many many thanks again @Schiller for keeping on helping me, I’m learning a lot thanks to you! Fiiiiinally I think I get the concept, now my problem is a JSON error message. I’ll break down my thoughts so you can tell where I’m failing:

My application sends the user to the:

https://us.battle.net/oauth/authorize?client_id=<YOUR_APP_ID>&redirect_uri=<YOUR_REDIRECT_URI>&response_type=code&scope=wow.profile&state=<SEE_OAUTH2_DOC>

HERE is where the user “logs in” with Battle.net (this was my first brain-barrier); when the user authorizes the app, my redirect URI has this structure:

<YOUR_REDIRECT_URI>?code=<authorization_code>

Now that I’ve this authorization_code, I can use it to request the access_token.

SO FAR SO GOOD

So I open my cmd and try to do this exchange to get the access_token as documentation says. To achieve it I paste this on my cmd:

curl -X POST https://eu.battle.net/oauth/token -u <YOUR_APP_ID>:<YOUR_SECRET> -d redirect_uri=<YOUR_REDIRECT_URI> -d scope=wow.profile -d grant_type=authorization_code -d code=<authorization_code>

But the response is the following JSON the first time I try it:
{"error":"invalid_grant","error_description":"Redirect URI mismatch."}

And this is the response at second attempt:
{"error":"invalid_grant","error_description":"Invalid authorization code: <authorization_code>"}

My URI is a simple index.html hosted in Firebase with nothing else than a href to redirect the user, as I said at the beginning.

What can I do now?

You must use the exact same redirect URI you used in your first call. This time it won’t actually be used for a redirect, but just to validate the authorization_code.

Note it is just the redirect_uri, not the whole URL with query_strings. Just the value you passed on <YOUR_REDIRECT_URI>, and this must match the ones you registered on your application at API Access.

The authorization_code is a time-gated one time use token. There is no second chance.

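A toy model of the token endpoint checks that produce the two errors in the thread, added here as an example and not Blizzard’s code. It reproduces the sequence above: the first exchange is sent with the full callback URL (query string included), so the redirect_uri comparison fails, and because the code is single-use that first attempt also burns it, so the retry with the correct value fails with “Invalid authorization code”. The ten-minute code lifetime, the rule that a failed attempt still consumes the code, and the client_id check are assumptions made for the model; the page only states that the code is time-gated and one-time use. The helper at the end shows the fix Schiller gives: strip the query string and pass only the registered redirect_uri.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class IssuedCode:
    client_id: str
    redirect_uri: str   # the exact value sent on the /oauth/authorize request
    issued_at: float
    used: bool = False


class TokenEndpointModel:
    """Toy model of the /oauth/token validation, built to match the thread.

    Assumptions (not from Blizzard documentation): a code lives 10 minutes, and
    any exchange attempt consumes it, even one that fails on redirect_uri.
    """
    CODE_LIFETIME_SECONDS = 600  # assumed lifetime

    def __init__(self, registered_redirect_uris):
        self.registered = set(registered_redirect_uris)  # from "API Access" in the portal
        self.codes = {}

    def issue_code(self, client_id, redirect_uri, code, now):
        """Authorize step: redirect_uri must exactly match a registered value."""
        if redirect_uri not in self.registered:
            return {"error": "invalid_request", "error_description": "Unregistered redirect URI."}
        self.codes[code] = IssuedCode(client_id, redirect_uri, now)
        return {"code": code}

    def exchange(self, client_id, code, redirect_uri, now):
        """Token step: the order of checks reproduces the failures in the thread."""
        record = self.codes.get(code)
        if (record is None or record.used or record.client_id != client_id
                or now - record.issued_at > self.CODE_LIFETIME_SECONDS):
            return {"error": "invalid_grant",
                    "error_description": f"Invalid authorization code: {code}"}
        record.used = True  # one attempt only, whether or not the rest passes
        if redirect_uri != record.redirect_uri:  # plain string equality, no normalisation
            return {"error": "invalid_grant", "error_description": "Redirect URI mismatch."}
        return {"access_token": f"constructed-token-for-{code}", "token_type": "bearer"}


def redirect_uri_from_callback(callback_url):
    """Drop the ?code=...&state=... that battle.net appended; keep only the registered URI."""
    parts = urlsplit(callback_url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


if __name__ == "__main__":
    # Constructed values: a registered Firebase-style index.html and a fake code.
    server = TokenEndpointModel(["https://example.invalid/index.html"])
    server.issue_code("my-app-id", "https://example.invalid/index.html", "code1", now=0)
    callback = "https://example.invalid/index.html?code=code1"
    print(server.exchange("my-app-id", "code1", callback, now=5))          # mismatch
    print(server.exchange("my-app-id", "code1", "https://example.invalid/index.html", now=6))  # burnt
    server.issue_code("my-app-id", "https://example.invalid/index.html", "code2", now=10)
    print(server.exchange("my-app-id", "code2", redirect_uri_from_callback(callback), now=12))  # ok
```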