OAuth2 client credentials implementations

Schiller-1822 · August 3, 2019, 6:15pm

This is just a collection of functions written in different languages to create an access_token using your client credentials. It is meant to help people who are starting now with the API.

There are very good community created libraries that already deal with this OAuth flow and all the endpoint requests. Use this only if you want to create your own implementation or understand better how it works.

PHP

function createAccessToken($apiKey, $apiSecret, $region = 'us') {
  $curl_handle = curl_init();
  try {
    curl_setopt($curl_handle, CURLOPT_URL, "https://$region.battle.net/oauth/token");
    curl_setopt($curl_handle, CURLOPT_POSTFIELDS, ['grant_type' => 'client_credentials']);
    curl_setopt($curl_handle, CURLOPT_USERPWD, $apiKey . ':' . $apiSecret);
    curl_setopt($curl_handle, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($curl_handle, CURLOPT_HTTPHEADER, ['Content-Type: multipart/form-data']);
    $response = curl_exec($curl_handle);
    $status = curl_getinfo($curl_handle, CURLINFO_HTTP_CODE);
      
    if ($status !== 200) {
      throw new Exception('Failed to create client_credentials access token.');
    }
    return json_decode($response)->access_token;
  } finally {
    curl_close($curl_handle);
  }
}

GScript (Google docs/spreadsheets)

function createAccessToken(region, ApiKey, ApiSecret) {
  var formData = {
    'grant_type': 'client_credentials'
  };

  var options = {
    'method': 'post',
    'payload': formData,
    'headers': {
      'Authorization': 'Basic ' + Utilities.base64Encode(ApiKey + ':' + ApiSecret)
    }
  };
  var url = 'https://' + region + '.battle.net/oauth/token';
  var response = UrlFetchApp.fetch(url, options);
  return JSON.parse(response.getContentText()).access_token;
}

Ruby

def create_access_token(client_id, client_secret, region = 'us')
  uri = URI.parse("https://#{region}.battle.net/oauth/token")

  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true

  request = Net::HTTP::Post.new(uri.path)
  request.basic_auth(client_id, client_secret)
  request['Content-Type'] = 'application/x-www-form-urlencoded'
  request.set_form_data grant_type: 'client_credentials'

  response = http.request(request)
  JSON.parse(response.body)['access_token']
end

Go

type Token struct {
	AccessToken string `json:"access_token"`
	TokenType   string `json:"token_type"`
	ExpiresIn   int    `json:"expires_in"`
	Scope       string `json:"scope"`
}

func CreateAccessToken(clientID string, clientSecret string, region string) string {
	requestURL := fmt.Sprintf("https://%s.battle.net/oauth/token", region)
	body := strings.NewReader("grant_type=client_credentials")

	request, err := http.NewRequest(http.MethodPost, requestURL, body)
	if err != nil {
		log.Fatal(err)
	}
	request.SetBasicAuth(clientID, clientSecret)
	request.Header.Set("Content-Type", "application/x-www-form-urlencoded")

	httpClient := new(http.Client)
	response, err := httpClient.Do(request)
	if err != nil {
		log.Fatal(err)
	}
	defer response.Body.Close()

	responseData, err := ioutil.ReadAll(response.Body)
	var tokenData Token
	err = json.Unmarshal(responseData, &tokenData)
	if err != nil {
		log.Fatal(err)
	}
	return tokenData.AccessToken
}

RIDDICK-1658 · August 6, 2019, 6:27am

Regarding the PHP

curl_setopt($curl_handle, CURLOPT_HTTPHEADER, [‘Content-Type: application/x-www-form-urlencoded’]);

you’ll need to set the content type to multipart/form-data if you are going to use an array otherwise use a string for the CURLOPT_POSTFIELDS; grant_type=client_credentials, other than that very helpful

Schiller-1822 · August 11, 2019, 2:30am

Nice catch, I’ve been away from PHP until few weeks ago. However the code above did work because the PHP docs says if you pass an array, the header is automatically set to multipart/form-data

I’m updating the code above as this was not my intention to let PHP guess the header for me.

Schiller-1822 · December 17, 2019, 3:52pm

Python

import requests
from requests.auth import HTTPBasicAuth


def create_access_token(client_id, client_secret, region = 'us'):
    url = "https://%s.battle.net/oauth/token" % region
    body = {"grant_type": 'client_credentials'}
    auth = HTTPBasicAuth(client_id, client_secret)

    response = requests.post(url, data=body, auth=auth)
    return response.json()

Schiller-1822 · January 16, 2020, 2:19am

NodeJS

function createAccessToken(apiKey, apiSecret, region = 'us') {
    return new Promise((resolve, reject) => {
        let credentials = Buffer.from(`${apiKey}:${apiSecret}`);

        const requestOptions = {
            host: `${region}.battle.net`,
            path: '/oauth/token',
            method: 'POST',
            headers: {
                'Authorization': `Basic ${credentials.toString('base64')}`,
                'Content-Type': 'application/x-www-form-urlencoded'
            }
        };

        let responseData = '';

        function requestHandler(res) {
            res.on('data', (chunk) => {
                responseData += chunk;
            });
            res.on('end', () => {
                let data = JSON.parse(responseData);
                resolve(data);
            });
        }

        let request = require('https').request(requestOptions, requestHandler);
        request.write('grant_type=client_credentials');
        request.end();

        request.on('error', (error) => {
            reject(error);
        });
    });
}

Arlether-1417 · April 17, 2020, 7:43pm

I’m trying to get connected to the API for a school project (data visualization) but the project has to be with R. I have my client set-up, but can’t figure out how to get the access token. Can you assist?

Schiller-1822 · April 17, 2020, 9:10pm

~~Unfortunately no.~~

~~You might wanna try asking around the Community Discord Server. Maybe someone over there can help you.~~

EDIT: I thought it would take longer but it was actually easier than I anticipated. Here is a working function for retrieving the token:

R

require("httr")
require("jsonlite")

createAccessToken <- function(apiKey, apiSecret, region = "us") 
{
  response <- POST(
    paste("https://", region, ".battle.net/oauth/token", sep = ""),
    authenticate(apiKey, apiSecret),
    body = list(grant_type="client_credentials")
  )
  return(fromJSON(content(response, "text"), flatten = TRUE))
}

Erorus-11776 · April 17, 2020, 9:11pm

This page on accessing RESTful APIs using R might help:
hxxps://www.programmableweb.com/news/how-to-access-any-restful-api-using-r-language/how-to/2017/07/21

Arlether-1417 · April 18, 2020, 1:23am

Thank you both! Now if I could get past the

Client error: (403) Forbidden

Problem…

Wain-1779 · August 25, 2020, 12:48pm

Thanks for these, Schiller

I was wondering if you had a PHP example for requesting Battle.net login/authorization for a user. I was trying tonight but had no luck.

I was trying to set it up using curl, as follows:

$curl_handle = curl_init();
try
{
  curl_setopt($curl_handle, CURLOPT_URL, "https://{$realm}.battle.net/oauth/authorize");
  curl_setopt($curl_handle, CURLOPT_POSTFIELDS, ['scope' => 'wow.profile']);
  curl_setopt($curl_handle, CURLOPT_POSTFIELDS, ['redirect_uri' => '<my redirect url>']);
  curl_setopt($curl_handle, CURLOPT_POSTFIELDS, ['response_type' => 'code']);
  curl_setopt($curl_handle, CURLOPT_USERPWD, $ClientID . ':' . $ClientSecret);
  curl_setopt($curl_handle, CURLOPT_RETURNTRANSFER, true);
  curl_setopt($curl_handle, CURLOPT_HTTPHEADER, ['Content-Type: multipart/form-data']);
  $response = curl_exec($curl_handle);
  $status = curl_getinfo($curl_handle, CURLINFO_HTTP_CODE);
  
  if ($status !== 200)
  {
    throw new Exception('Failed to get Battle.net authorization.');
  }
  return;
}
finally
{
  curl_close($curl_handle);
}

Schiller-1822 · August 25, 2020, 1:51pm

Yes, I originally wrote this function for Feral’s php lib: blizzard_api/request_handler.php · master · David Matthew / Blizzard API PHP · GitLab

There are also helper functions for generating the sign in with bnet link in the same file.

Wain-1779 · August 25, 2020, 3:03pm

Thank you! I’ll check it out and can hopefully adapt it to my site

Since I already have a lot of auth code in my pages I’d prefer to just adapt it rather than switch entirely to another lib, if I can.

Schiller-1822 · August 25, 2020, 4:24pm

I do not recommend the switching either, it is just a reference for PHP code. Hit me on discord if you need any help.

Wain-1779 · August 28, 2020, 8:27am

Just checking, is it ok to include your client ID nakedly in the URL you’re using to request authorization? I know the Client ID isn’t the sensitive part, but I’ve never done it that way and wanted to be sure.

Schiller-1822 · August 28, 2020, 12:55pm

You must, client ID is what identify which application is trying to authorize an user. The client secret and access_token on the other hand should never leak to the client side.

Wain-1779 · August 28, 2020, 3:44pm

Thanks I noticed the authorization token is returned by Blizzard as part of the URL too but I assume that’s ok and I’m not doing it wrong.

Schiller-1822 · August 28, 2020, 3:50pm

The authorization code must be exchanged by your server combined with your secret to actually yield an access_token. The authorization code on itself gives no access to any resource so it is safe.

Wain-1779 · September 6, 2020, 12:07am

All my changes are now public in WCM and apparently working as intended I still keep expecting an avalanche of bug reports though

I just wanted to say thanks again for all your help. Without it, I would have taken weeks or months of trial and error to get it running.

AshLeeny-2583 · October 23, 2020, 11:54am

VB NET

    '//Add RestSharp to your nuget package manager
    '//imports RestSharp at the top
    '//Set api key
    Dim api_key As String = "{your api key here}"
    Dim api_secret As String = "{your api secret here}"
    Dim region As String = "EU"
    '//encode the creds
    Dim encoded As String = System.Convert.ToBase64String(System.Text.Encoding.GetEncoding("ISO-8859-1").GetBytes(api_key + ":" + api_secret))
    Dim Rclient As New RestClient("https://" & region & ".battle.net/oauth/token")
    Rclient.Timeout = -1
    Dim rRequest As New RestRequest(Method.POST)
    rRequest.AddParameter("grant_type", "client_credentials")
    rRequest.AddHeader("Authorization", "Basic " & encoded)
    rRequest.AddHeader("Content-Type", "application/x-www-form-urlencoded")
    Dim rResponse As IRestResponse = Rclient.Execute(rRequest)
    '//write out the access token
    MsgBox(rResponse.Content)

Hope this helps someone who needs it. Can be converted to C# Easily for any .NET people out there.

Obviously the links are butchered as I cannot post links here, so just remove the spacing.

Schiller-1822 · November 10, 2020, 6:03pm

Pascal

Tested with Lazarus/Freepascal and probably Delphi. Some configuration of the proper OpenSSL libraries might be required.

function TForm1.CreateAccessToken(const ClientID, ClientSecret: string): string;
var
  HTTP: TIdHttp;
  SSLHandler: TIdSSLIOHandlerSocketOpenSSL;
  FormData: TIdMultipartFormDataStream;
  Response: TStringStream;
begin
  HTTP := TIdHttp.Create(nil);
  FormData := TIdMultipartFormDataStream.Create;
  Response := TStringStream.Create('');
  SSLHandler := TIdSSLIOHandlerSocketOpenSSL.Create;
  try
    try
      // SSL support
      SSLHandler.SSLOptions.SSLVersions := [sslvTLSv1_1, sslvTLSv1_2];
      HTTP.IOHandler := SSLHandler;

      // Authorization header
      HTTP.Request.BasicAuthentication := True;
      HTTP.Request.UserName := ClientID;
      HTTP.Request.Password := ClientSecret;

      // Body payload
      FormData.AddFormField('grant_type', 'client_credentials');

      // Excecute the request
      HTTP.Post('https://us.battle.net/oauth/token', FormData, Response);

      Result := Response.DataString;
    except
      on E:Exception do
        // Handle exceptions or
        raise;
    end
  finally
    Response.Free;
    FormData.Free;
    SSLHandler.Free;
    HTTP.Free;
  end
end;