Skip to content

Instantly share code, notes, and snippets.

@Vap0r1ze
Last active April 7, 2024 14:54
Show Gist options
  • Save Vap0r1ze/776b0f841ce01fc2b0801933b79960df to your computer and use it in GitHub Desktop.
Save Vap0r1ze/776b0f841ce01fc2b0801933b79960df to your computer and use it in GitHub Desktop.
Discord OAuth2 Flow

Discord OAuth2

Step 1

You: Redirect User to https://discordapp.com/api/oauth2/authorize

Query Params
name value
client_id Your application's Client ID
scope A list of scopes, delimited by spaces
redirect_uri The uri to send the user after authorization

Step 2

Discord: Redirect User to redirect_uri

Query Params
name value
code Temporary code for requesting access token

Step 3

You: POST https://discordapp.com/api/oauth2/token

"Form Data" means the body must be sent as application/x-www-form-urlencoded

Form Data
name value
client_id Your application's client id
client_secret Your application's client secret
code Temporary code for requesting access token
grant_type "authorization_code"
redirect_uri The uri to send the user after authorization
Response JSON Data
name value
access_token Token used to make api requests as user
refresh_token Token used to get a new access token
expires_in Expiry time relative to now in seconds
scope List of scopes the access token has

Refreshing an access token

You: POST https://discordapp.com/api/oauth2/token

Form Data
name value
client_id Your application's client id
client_secret Your application's client secret
refresh_token Refresh token for desired user
grant_type "refresh_token"
@Vap0r1ze
Copy link
Author

Vap0r1ze commented Sep 7, 2020

Hi,

Do you know if the refresh_token can be expire or if it can be alive definitively ?
If it can be expire, how long ago after his creation ?

Thanks in advance.

@valentin-b99 the refresh token only expires when the user unauthorizes the application through their settings

@KenCOCOCO
Copy link

@valentin-b99 the refresh token only expires when the user unauthorizes the application through their settings

The refresh token expires once the "expires_in" parameter has passed. This is usually 7 days.

@Vap0r1ze
Copy link
Author

Vap0r1ze commented Oct 10, 2020

The refresh token expires once the "expires_in" parameter has passed. This is usually 7 days.

@KenCOCOCO This is untrue. The access token is what expires when the expires_in parameter has passed; the refresh token is used to refresh the access token — agnostic of if the access token has expired.

@ascooper57
Copy link

ascooper57 commented Mar 1, 2021

Step 3, calling from axios, tried passing data as depicted below and JSON.stringified() always get a 400 error. Perhaps there are headers required?

{
"method": "POST",
"url": "https://discordapp.com/api/oauth2/token",
"data": {
"client_id": "#############6944",
"client_secret": "**********************************",
"code": "hOA6snQVHePUKB9eyjq2Bxf6CDusfz",
"grant_type": "authorization_code",
"redirect_uri": "https://stardust.auth.us-east-1.amazoncognito.com/oauth2/idpresponse"
}
}

2021-03-01T23:36:58.188Z ERROR Token for (hOA6snQVHePUKB9eyjq2Bxf6CDusfz, j349qxcnz5.execute-api.us-east-1.amazonaws.com/Prod, Request failed with status code 400) failed: %s

================================================================================================

const params = {
method: 'POST',
url: ${urls.oauthToken},
data: {
client_id: DISCORD_CLIENT_ID,
client_secret: DISCORD_CLIENT_SECRET,
code: code,
grant_type: 'authorization_code',
redirect_uri: COGNITO_REDIRECT_URI,
},
};
const response = axios(params).then(check)

@ascooper57
Copy link

The solution was to use qs to stringify and add the header:

    headers: {
      'content-type': 'application/x-www-form-urlencoded;charset=utf-8',
    },

@Vap0r1ze
Copy link
Author

Vap0r1ze commented Mar 2, 2021

For future reference, "Form Data" means the body must be sent as application/x-www-form-urlencoded

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment