@Jengas
Last active March 26, 2024 21:40
Discord oauth2 example PHP
```php
<?php
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
ini_set('max_execution_time', 300); // 300 seconds = 5 minutes, in case cURL is slow (can be an IPv6 problem)
error_reporting(E_ALL);

define('OAUTH2_CLIENT_ID', '1234567890');
define('OAUTH2_CLIENT_SECRET', 'verysecretclientcode');

$authorizeURL = 'https://discord.com/api/oauth2/authorize';
$tokenURL = 'https://discord.com/api/oauth2/token';
$apiURLBase = 'https://discord.com/api/users/@me';
$revokeURL = 'https://discord.com/api/oauth2/token/revoke';

session_start();

// Start the login process by sending the user to Discord's authorization page
if (get('action') == 'login') {
    $params = array(
        'client_id' => OAUTH2_CLIENT_ID,
        'redirect_uri' => 'https://yoursite.location/ifyouneedit',
        'response_type' => 'code',
        'scope' => 'identify guilds'
    );

    // Redirect the user to Discord's authorization page
    header('Location: ' . $authorizeURL . '?' . http_build_query($params));
    die();
}

// Log out: revoke the token at Discord, then drop it from the session.
// This runs before any output so the redirect header can still be sent.
if (get('action') == 'logout') {
    logout($revokeURL, array(
        'token' => session('access_token'),
        'token_type_hint' => 'access_token',
        'client_id' => OAUTH2_CLIENT_ID,
        'client_secret' => OAUTH2_CLIENT_SECRET,
    ));
    unset($_SESSION['access_token']);
    header('Location: ' . $_SERVER['PHP_SELF']);
    die();
}

// When Discord redirects the user back here, the query string carries a "code"
// parameter (plus "state" when the login request sent one)
if (get('code')) {
    // Exchange the auth code for a token
    $token = apiRequest($tokenURL, array(
        'grant_type' => 'authorization_code',
        'client_id' => OAUTH2_CLIENT_ID,
        'client_secret' => OAUTH2_CLIENT_SECRET,
        'redirect_uri' => 'https://yoursite.location/ifyouneedit',
        'code' => get('code')
    ));

    // A failed request or a rejected code yields no access_token
    if (!is_object($token) || !isset($token->access_token)) {
        die('Token exchange failed');
    }

    $_SESSION['access_token'] = $token->access_token;
    header('Location: ' . $_SERVER['PHP_SELF']);
    die();
}

if (session('access_token')) {
    $user = apiRequest($apiURLBase);
    // Escape everything that came from the API before writing it into HTML
    echo '<h3>Logged In</h3>';
    echo '<h4>Welcome, ' . htmlspecialchars($user->username ?? '') . '</h4>';
    echo '<pre>';
    echo htmlspecialchars(print_r($user, true));
    echo '</pre>';
} else {
    echo '<h3>Not logged in</h3>';
    echo '<p><a href="?action=login">Log In</a></p>';
}

function apiRequest($url, $post=FALSE, $headers=array()) {
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);

    // Setting POSTFIELDS turns the request into a POST
    if ($post)
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post));

    $headers[] = 'Accept: application/json';
    if (session('access_token'))
        $headers[] = 'Authorization: Bearer ' . session('access_token');
    curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

    // Send the request once, after all options are set
    $response = curl_exec($ch);
    return $response === false ? null : json_decode($response);
}

function logout($url, $data=array()) {
    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_POST => TRUE,
        CURLOPT_RETURNTRANSFER => TRUE,
        CURLOPT_IPRESOLVE => CURL_IPRESOLVE_V4,
        CURLOPT_HTTPHEADER => array('Content-Type: application/x-www-form-urlencoded'),
        CURLOPT_POSTFIELDS => http_build_query($data),
    ));
    $response = curl_exec($ch);
    return $response === false ? null : json_decode($response);
}

function get($key, $default=NULL) {
    return array_key_exists($key, $_GET) ? $_GET[$key] : $default;
}

function session($key, $default=NULL) {
    return array_key_exists($key, $_SESSION) ? $_SESSION[$key] : $default;
}
?>
```
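
The callback comment in the gist mentions a "state" parameter, but the login request never sends one, so the callback cannot tell a response to its own login request from one started elsewhere. The block below is an added example, not part of the gist: `newOauthState()`, `verifyOauthState()` and the `oauth2_state` session key are hypothetical names, and a plain array stands in for `$_SESSION` so it runs from the command line.

```php
<?php
// Added example: one-time OAuth2 "state" value bound to the user's session.
// Function names and the 'oauth2_state' key are hypothetical, not from the gist.

// Create a random value, remember it in the session, and return it so it
// can be sent to the authorization endpoint as the 'state' parameter.
function newOauthState(array &$session): string {
    $session['oauth2_state'] = bin2hex(random_bytes(16));
    return $session['oauth2_state'];
}

// Check the state that came back on the callback. The stored value is
// consumed whether or not the check passes, so it cannot be replayed.
function verifyOauthState(array &$session, $received): bool {
    $expected = $session['oauth2_state'] ?? null;
    unset($session['oauth2_state']);
    return is_string($expected) && is_string($received)
        && hash_equals($expected, $received);
}

// Constructed demonstration: $session stands in for $_SESSION.
$session = [];
$params = [
    'client_id'     => '1234567890',
    'redirect_uri'  => 'https://yoursite.location/ifyouneedit',
    'response_type' => 'code',
    'scope'         => 'identify guilds',
    'state'         => newOauthState($session),
];
echo 'https://discord.com/api/oauth2/authorize?' . http_build_query($params), PHP_EOL;

// Callback that carries the state issued above
var_dump(verifyOauthState($session, $params['state']));
// The same callback delivered a second time
var_dump(verifyOauthState($session, $params['state']));
// Callback with no state at all after a fresh login request
newOauthState($session);
var_dump(verifyOauthState($session, null));
```

In the gist, `'state' => newOauthState($_SESSION)` would go into the login `$params`, and the `get('code')` branch would call `verifyOauthState($_SESSION, get('state'))` and stop before the token exchange when it returns false.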
@TeemoCell

> I was getting Trying to get property 'access_token' of non-object. My problem is: I don't have an SSL auto assigned, I'm using Cloudflare so my request didn't work. I've fixed it by adding `curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);` after `curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);`. And sorry for my bad English, I'm Brazilian. Good luck to everyone <3

Yeah, this one fixed it for me.

    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
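
The token exchange carries `client_secret` and returns the access token, and with both options set to `false` cURL accepts any certificate on that request. The block below is an added example, not code from the gist or from the comments: it keeps verification on, lets the caller point cURL at a CA bundle, and reports the cURL error that otherwise only shows up as the "non-object" notice. `discordPost()` and the `$caBundle` parameter are hypothetical names.

```php
<?php
// Added example: POST to the token endpoint with certificate checks enabled.
// discordPost() and $caBundle are hypothetical, not part of the gist.
function discordPost(string $url, array $fields, ?string $caBundle = null) {
    $ch = curl_init($url);
    $opts = [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => ['Accept: application/json'],
        CURLOPT_SSL_VERIFYPEER => true, // validate the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,    // certificate must match the host name
        CURLOPT_TIMEOUT        => 15,
    ];
    if ($caBundle !== null) {
        // Path to a PEM file of trusted CAs, for hosts where PHP has none configured
        $opts[CURLOPT_CAINFO] = $caBundle;
    }
    curl_setopt_array($ch, $opts);

    $body = curl_exec($ch);
    if ($body === false) {
        // Surfaces the real cause, such as a missing CA bundle or a DNS failure
        throw new RuntimeException(
            sprintf('cURL error %d: %s', curl_errno($ch), curl_error($ch))
        );
    }

    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $json = json_decode($body);
    if ($status !== 200 || !is_object($json)) {
        throw new RuntimeException("HTTP $status: " . substr($body, 0, 200));
    }
    return $json;
}
```

The CA bundle can also be set once for all requests through the `curl.cainfo` setting in `php.ini` instead of per call.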

@TeemoCell

> How do I get the person unable to access the page without logging in?

What do you mean?

@laGameTV

laGameTV commented Feb 2, 2022

> How do I get the person unable to access the page without logging in?

Check if the user is logged in. If not, `die()` and return to the login page.

@zImSkillz

zImSkillz commented Mar 7, 2022

I log in with Discord, but it still doesn't show logged in
EDIT: FIXED

@Zekarant

> I log in with Discord, but it still doesn't show logged in EDIT: FIXED

Hi bro,
can you explain how you did it please? I would like the user to stay logged in too if possible. And also I have "you are being rate limit" after many F5, is it normal? That's why I would like to know how to stay connected.

@Kryd0s

Kryd0s commented Sep 11, 2022

Logout doesn't work unless you move `session_start();` from line 28 up to 15 (above the logout part). I also recommend adding something like `echo '<p><a href="?action=logout">Log out</a></p>';` at line 72 so you don't have to type "?action=logout" to the URL manually.

Helpful guide to getting started though. Thanks for sharing.

@aidanH39

aidanH39 commented Sep 18, 2022

> Logout doesn't work unless you move `session_start();` from line 28 up to 15 (above the logout part). I also recommend adding something like `echo '<p><a href="?action=logout">Log out</a></p>';` at line 72 so you don't have to type "?action=logout" to the URL manually.
>
> Helpful guide to getting started though. Thanks for sharing.

That only works because you're removing the session. Which means login will be removed upon refresh as it's not saved.

If I remember correctly it's something to do with the endpoint he's using to log out. Might have to do a little bit of fiddling with that.
You could also try just setting `$_SESSION['access_token']` to null.

@Shinsekai7

The logout action is written twice, at line 16 and line 79.
The one at line 16 should be removed.

@SirObby

SirObby commented Jan 20, 2023

FastCGI sent in stderr: "PHP message: PHP Warning: Undefined property: stdClass::$access_token in /home/sir/dev/php-esports/api/redirect.php on line 17
