Trouble Getting a Refresh Token

EVE Technology and Research Center Third Party Developers
1

I’m having trouble getting SSO to work with some spreadsheet stuff I wrote a while ago. I’m not able to get a refresh_token reproducing the steps I used to take; I’m getting a 401 on the post request. Below are a copypaste of my notes from when I wrote it.
Would anyone mind doing a once over and seeing if there’s an obvious issue?


/*
https://docs.esi.evetech.net/
https://developers.eveonline.com/blog/article/sso-to-authenticated-calls


So every once and a while you're going to have to manually redo the auth and get a new <refresh token>.  
It's been more trouble then it's worth automating it, so here's how to do it manually.

Note: need to do this in <~10 min as stuff expires.  The <refresh token> is semi-perm.

need:
<client id> from https://developers.eveonline.com/
<secret key> from https://developers.eveonline.com/
<authorization code> generated at step 2
<auth header value> generated at step 3

to get
<refresh token> from step 4

1. copypaste the following into the browser.  <client id> must be supplied

https://login.eveonline.com/oauth/authorize?response_type=code&redirect_uri=http://localhost/oauth-callback&client_id=<client id>&scope=esi-characters.read_standings.v1

2. save the return url.  It should look like
http://localhost/oauth-callback?code=OzPQ39RV9gSiebgdJwlqGG1KOrkS82M2Y_qPyG2WXMESgG9Sia69XpnjhsdC5i6r
the part after code= is the <authorization code>. 

3. to get <auth header value> base64 encode the <client id> and <secret key>

  in gsheets:
  var authHeaderValue = Utilities.base64Encode(<client id>+':'+<secret key>)
  Logger.log(authHeaderValue)

  in bash:
  echo -n "<client id>:<secret key>" | base64
 
4. make the following curl call from bash.  Fill in <auth header value>, <authorization code>

curl -XPOST -H "Content-Type:application/json" -H "Authorization:Basic <auth header value>" -d '{"grant_type":"authorization_code", "code":<authorization_code>}' https://login.eveonline.com/oauth/token

alternative version2025(some digging said that I should be using application/x-www-form-urlencoded, though I'm not sure if that actually changes anything) :

curl -X POST "https://login.eveonline.com/v2/oauth/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Authorization: Basic $(echo -n "<client id>:<secret key>" | base64)" \
  -d "grant_type=authorization_code&code=<authorization code>" -v
  

5. it'll return something like 


{"access_token":"1|CfED8ALNx46Sy8FFiGBhFaZug5zN7wkm4Z/igvOk6U0Gbfs5Qbu7k0IZKKr0WZLd5tJyX8v7ptnwF9l3EE9TS/fThZTdGz1Mv0GTD46tbREUJiGoyRBc/BKUIkZ4bobRyCQ/pAFs4F9xRLfNmkXsghhJGul1CXdoPDu1Mz36VuUgdVjY","token_type":"Bearer","expires_in":1199,"refresh_token":"M1F_lAgfg3ZOabRyT4abVYgJ3vab-Rq0AJsQEmiPBYg"}

copypaste refresh_token to refreshToken

NOTE: this process needs to be done in ~<10 min, as the auth code expires
*/

The -v output of my curl command is:

~$ curl -X POST "https://login.eveonline.com/v2/oauth/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Authorization: Basic $(echo -n "<client id>:<secret key>" | base64)" \
  -d "grant_type=authorization_code&code=<authorization code>" -v
Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 172.64.145.52:443...
* Connected to login.eveonline.com (172.64.145.52) port 443 (#0)
* ALPN: offers http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: C=IS; L=Reykjav�k; O=CCP ehf.; CN=*.eveonline.com
*  start date: Sep 13 00:00:00 2024 GMT
*  expire date: Sep 12 23:59:59 2025 GMT
*  subjectAltName: host "login.eveonline.com" matched cert's "*.eveonline.com"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
*  SSL certificate verify ok.
> POST /v2/oauth/token HTTP/1.1
> Host: login.eveonline.com
> User-Agent: curl/7.85.0
> Accept: */*
> Content-Type: application/x-www-form-urlencoded
> Authorization: Basic NWU1MDI3MDA4ZGIxNDUxMTk0MmY1MTRhZGE2ZjU5Nzc6RTRrYkdWRUtRUTRGS3Q5R0Z5a1Z2Z3VN
> dmVWNTRscFVkaUZXcTdNNg==
> Content-Length: 99
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Date: Fri, 28 Mar 2025 06:16:52 GMT
< Transfer-Encoding: chunked
< Connection: keep-alive
< request-context: appId=cid-v1:2ccf88f2-29b9-460a-bc15-7c0b79926f61
< Set-Cookie: lang=en; expires=Sat, 28 Mar 2026 06:16:52 GMT; path=/; secure; samesite=lax; httponly
< content-security-policy: default-src 'self'; base-uri 'self'; object-src 'self'; img-src 'self' https: data: blob: filesystem:; font-src 'self' web-cdn.eveonline.com fonts.gstatic.com cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' web-cdn.eveonline.com hello.myfonts.net cdnjs.cloudflare.com; script-src 'self' 'nonce-XZifk5JUO0q5RhIhyFM28g==' connect.facebook.net az416426.vo.msecnd.net www.googletagmanager.com www.google-analytics.com static.cloudflareinsights.com 'report-sample' 'strict-dynamic' ; connect-src 'self' dc.services.visualstudio.com www.facebook.com www.google-analytics.com stats.g.doubleclick.net; frame-ancestors launcher.testeveonline.com launcher.eveonline.com; frame-src connect.facebook.net www.facebook.com www.googletagmanager.com; report-uri https://ccpgames.report-uri.com/r/t/csp/enforce
< www-authenticate: Basic
< x-powered-by: ASP.NET
< strict-transport-security: max-age=31536000; includeSubDomains; preload
< cf-cache-status: DYNAMIC
< Set-Cookie: __cf_bm=NNnb3shMBDykN9yvIMucVuQE_NZLVCE0vea3anqQPpc-1743142612-1.0.1.1-x_cJEtR1SMK0uHr5v4T29jDbEoxGusW6BvIrcVOFR2zft.3ReC.uNXbLlKWUTraAMGM.21wwlxqtMFrAtg_IUq2TlvdG7OIZnVMyZnz.kTlx_k0LU1xssn4sHVNRAuIu; path=/; expires=Fri, 28-Mar-25 06:46:52 GMT; domain=.eveonline.com; HttpOnly; Secure; SameSite=None
< nel: {"report_to":"ccp"}
< report-to: {"group":"ccp","max_age":31536000,"endpoints":[{"url":"https://ccpgames.report-uri.com/a/t/g"}],"include_subdomains":true}
< Server: cloudflare
< CF-RAY: 9275004e4c45e677-DEN
< alt-svc: h3=":443"; ma=86400
< 
* Connection #0 to host login.eveonline.com left intact
2

You may not need a new token. Not sure they require it anymore.

Another thing to be aware of that no one is talking about, is that they recently updated their server certificate in late march 2025, and it no longer accepts some of the older SSL protocols. I think they want TLSv1.3. If you wrote something in an old .NET like VS2019, in all likely hood, it will simply stop working because of a failed SSL error. There is a way to fix it though. Took me a while to figure out how, but its working now.