Authentication Flow - Verify the authorization code

Hi guys, I’m trying to set up SSO in a PHP project, but I’m stuck at Verify the authorization code.

```php
$code = $_GET['code'];

$clientID =
$secretKey =
$str = $clientID.$secretKey;

$url = '';
$auth = base64_encode($str);

$curl = curl_init($url);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_HTTPHEADER, array(
    'Authorization: Basic '.$auth,
    'Content-Type: application/x-www-form-urlencoded',
    'Content-Length: 0',
    'grant_type=authorization_code&code='.$code));
$info = curl_getinfo($curl);
```

What am I doing wrong?

Likely this:

Looking further, you are posting `'grant_type=authorization_code&code='.$code));` as a header and not the body.

I recommend using a library for oauth2, not rolling your own.

Any suggestion for a library?

I don’t write PHP, but there are a few out there that will likely also depend on your preference for HTTP client. I hear Guzzle is quite good:

Look for something that can reuse connections, preferably using HTTP/2.


I used Guzzle in all my PHP code. I found it best to learn Guzzle by converting an already working PHP curl to it. At least that's how I learned it.

I learned it by converting to guzzle.


Ok, will have a look. Thanks

The way you concatenate secret and key is wrong, they need to be separated by a colon. This is part of my SSO class (based on Steve Ronuken's code) that works:

```php
$url = '';
// Basic credentials are base64("id:secret"), with the colon
$header = 'Authorization: Basic '.base64_encode(ESI_ID.':'.ESI_SECRET);
$fields_string = '';
$fields = array(
    'grant_type' => 'authorization_code',
    'code' => $code,
);
foreach ($fields as $key => $value) {
    $fields_string .= $key.'='.$value.'&';
}
// rtrim() returns the trimmed string, so assign the result
$fields_string = rtrim($fields_string, '&');
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_USERAGENT, ESI_USER_AGENT);
curl_setopt($ch, CURLOPT_HTTPHEADER, array($header));
curl_setopt($ch, CURLOPT_POST, count($fields));
// The grant goes in the POST body, not in a header
curl_setopt($ch, CURLOPT_POSTFIELDS, $fields_string);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
// Keep TLS certificate and host name verification enabled
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
$result = curl_exec($ch);
```

Here is the entire class that also does verification and refreshing:


Thank you


```php
$fields_string = '';
$fields = array(
    'grant_type' => 'authorization_code',
    'code' => $code,
);
foreach ($fields as $key => $value) {
    $fields_string .= $key.'='.$value.'&';
}
$fields_string = rtrim($fields_string, '&');
```

This right there can be done better and in several ways. You don’t need to iterate over strings only to concatenate them and then remove trailing characters. You can use implode() to do it for you. For example:

```php
$field_string = implode('&', $fields); // $fields as flat array
```

Another way of doing it is to use http_build_query() and let it do it for you including any character encoding that may be necessary. For example:

```php
$field_string = http_build_query($fields, '', '&', PHP_QUERY_RFC1738);
```

However, because this isn’t a difficult string to build, you can also just write this:

```php
$field_string = 'grant_type=authorization_code&code='.$code;
```


By the way, when you want to post some PHP code here in the forum then you can write:

                  ... PHP code goes here ...

This will enable syntax highlighting for PHP.


Thanks, will try http_build_query. A simple implode won’t do, as I need key value pairs.

I’ve only mentioned it to show there are other ways of doing it. You’d have to use a flat array and not an associative array for implode(). It only depends on what is really necessary to get the job done. I myself use a simple concatenation like in the last example. But I went for JSON encoding. Not sure if that’s better or if URL-query syntax might be a little bit better.
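The fixes discussed in this thread combined into one request (colon-separated Basic credentials, the grant in the POST body, form encoding via http_build_query), as an added example that is not code from any poster. TOKEN_URL is a placeholder because the thread elides the real endpoint; the function names and the check for an `access_token` field (the standard OAuth2 token response) are assumptions.

```php
<?php
// Added example, not code from the thread. Endpoint and names are placeholders.
const TOKEN_URL = 'https://sso.example.invalid/oauth/token'; // placeholder URL

function basicAuthHeader(string $clientId, string $secret): string
{
    // HTTP Basic credentials are base64("id:secret"); the colon is required.
    return 'Authorization: Basic ' . base64_encode($clientId . ':' . $secret);
}

function tokenRequestBody(string $code): string
{
    // The grant is the form-encoded POST body; http_build_query escapes $code.
    return http_build_query(
        ['grant_type' => 'authorization_code', 'code' => $code],
        '', '&', PHP_QUERY_RFC1738
    );
}

function exchangeCode(string $code, string $clientId, string $secret): array
{
    $ch = curl_init(TOKEN_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => tokenRequestBody($code),
        CURLOPT_HTTPHEADER     => [
            basicAuthHeader($clientId, $secret),
            'Content-Type: application/x-www-form-urlencoded',
        ],
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // keep certificate checks on
        CURLOPT_SSL_VERIFYHOST => 2,    // and host name checks
        CURLOPT_TIMEOUT        => 10,
    ]);
    $raw    = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    if ($raw === false) {
        throw new RuntimeException('Token request failed: ' . curl_error($ch));
    }
    $token = json_decode($raw, true);
    if ($status !== 200 || !is_array($token) || !isset($token['access_token'])) {
        // Fail closed; report the status only, never the secret or raw body.
        throw new RuntimeException('Token endpoint returned HTTP ' . $status);
    }
    return $token;
}

// Constructed sample code value, to show the escaping done offline:
echo tokenRequestBody('abc+/=&x'), PHP_EOL;
```

Call `exchangeCode($_GET['code'], $clientID, $secretKey)` from the callback handler and treat any exception as a failed login.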
