Hello, I am trying to deal with authorization through various services. I started with VKontakte, read many forums and got through almost the entire algorithm, but I ran into problems confirming the user's validity (the step where you need to send the user token and two parameters from the application). So far I am checking all of this through a browser. My steps:

1) https://oauth.vk.com/access_token?client_id=ИД_МоегоПриложения_ВК&client_secret=Секретный_Ключ_Моего_Приложения&v=5.37&grant_type=client_credentials . A normal json of this type is returned:

 {"access_token":"тутДлинныйТокенМоегоПриложения","expires_in":0} 

2) Without refreshing anything, I authorize a user (just in a new tab): https://oauth.vk.com/authorize?client_id=ИД_Моего_Приложения&redirect_uri=blank.html
Now a URL of this form is returned in the browser: https://oauth.vk.com/blank.html#code=Тут_Токен_Авторизованного_Пользователя . It is not long; Facebook also returns the user ID here, doesn't it (or does it not return the ID?)

3) Without refreshing anything, just by opening a new tab, I check the user's authorization in my application with the following link (all data is taken from the responses of the previous links):
https://api.vk.com/method/secure.checkToken?token=Из_2го_пункта_Токен_Авторизованного_Пользователя&v=5.37&client_secret=Секретный_Ключ_Приложения&access_token=Из_1го_Пункта_JSON_объекта
In response, a JSON object comes back with an error that the token is invalid; as I understood it, this refers to the token that was passed as the very first argument:

 {"error":{"error_code":15,"error_msg":"Access denied: Incorrect token invalid_token","request_params":[{"key":"oauth","value":"1"}, {"key":"method","value":"secure.checkToken"}, {"key":"token","value":"токен пользователя"},{"key":"v","value":"5.37"}, {"key":"client_secret","value":"секретный ключ моего приложения"}]}} 

I noticed that when refreshing the first two steps, the token of the application or of the user keeps changing, which is why I specified that I did not refresh anything. I check all of this in the browser, but I think the effect would be the same. Please help me, what am I doing wrong? I found some forum where the problem was that scoupe=offline had to be added to the link, but this did not help me.

  • Why, in the third step, do you specify the API version somewhere in the middle of the request? According to the documentation, it goes at the end. And why is there a client_secret? As far as I understand, you only need to specify the method name, the token parameter and access_token. Try requesting secure.checkToken?token=From_2nd_step_token_of_authorized_user&access_token=From_1st_step_JSON_object&v=5.37 - hunter
  • Without client_secret it gives the error "User authorization failed: you should pass client_secret param to use secure methods", so it turns out you do need to pass the application secret - simply good

1 answer

In the second step it should not return a code to you; it should return it in the access_token parameter. Look at the example here and try using the following query to authorize the user:

 https://oauth.vk.com/authorize?client_id={ИД приложения}&display=page&redirect_uri=https://oauth.vk.com/blank.html&scope=friends&response_type=token&v=5.37 

UPD: if this is a site, then you need to use a slightly different type of authorization. Everything is divided into two stages. The first stage is the same, only in the redirect_uri parameter, instead of https://oauth.vk.com/blank.html, you need to substitute the address of your site where the redirect will be sent. The manual says literally the following about redirect_uri:

The domain of the specified address must match the main domain in the application settings, and the listed values in the list of trusted redirect uri addresses are compared up to the path part.

At the end of this stage you (your website) will receive the code parameter.

And at the second stage you need to get an access_token using the code obtained at the first stage. The manual indicates that there is a time limit for this stage:

The code parameter can be used for 1 hour to obtain the API access key access_token from your server.

 https://oauth.vk.com/access_token?client_id={ИД приложения}&client_secret={Секретный ключ}&redirect_uri={тот же адрес, что и на первом этапе}&code={полученный на первом этапе code} 

Here I will also note that the used redirect_uri should match the one used in the first stage:

The URL that was used when receiving the code at the first stage of authorization. Must be similar to the one transmitted during authorization.

And these two steps are only user authorization, i.e. only the second point of your question. The lifetime of the received access_token may be finite; after a while it will have to be refreshed (apparently, only the second stage).

  • Hello, replacing the link in the 2nd step with yours, I get a redirect, and the following is already in the address bar: set of numbers}. Copying the access token into the 3rd link (instead of the token parameter), I get the following answer: {"error": {"error_code": 15, "error_msg": "Access denied: Application should be native", "request_params" and then the parameters I passed}. I.e., should the application be native? I repeat that I am doing this authorization and verification through the browser - simply good
  • When I try to substitute the user ID (9 digits) in the token field, it returns the error invalid token - simply good
  • PS: I forgot to mention that the application I use (secret and ID) was registered in VKontakte applications as a SITE; does it matter? - simply good
  • @simplygood, I updated the answer, since the comments lack part of the formatting capabilities. - hunter
  • Thanks, I hope it helps. I understand that VKontakte is so strict that I just won't be able to check it with the browser; I need to start the server (project on ASP, localhost), otherwise this problem with nativeness will come up (I thought that was precisely the reason) - simply good
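The two-stage "site" authorization the answer describes, as an added example that is not part of the original question or answer: it builds the stage-1 authorize URL, pulls the code out of the redirect the browser lands on (rejecting the fragment-style #access_token result the question got, and a redirect to a different address than the registered redirect_uri), and assembles the stage-2 parameters for the server. No requests are sent; the example.test callback address, the function names and the sample values are assumptions made up for the example.

```python
# Added example (not from the original post): the two-stage VK "site" flow
# from the answer, with the checks a server should make on the redirect.
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://oauth.vk.com/authorize"
TOKEN_URL = "https://oauth.vk.com/access_token"
API_VERSION = "5.37"  # the version used throughout the question


def build_authorize_url(client_id, redirect_uri, scope="friends"):
    """Stage 1: the URL the user is sent to. response_type=code makes VK
    redirect with ?code=... in the query; response_type=token (what the
    question tried) puts #access_token=... in the fragment, which the
    browser never sends to the server."""
    params = {
        "client_id": client_id,
        "display": "page",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "response_type": "code",
        "v": API_VERSION,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def extract_code(redirect_url, expected_redirect_uri):
    """Parse the URL VK redirected the browser to and return the code.
    Fails if the redirect landed somewhere other than the registered
    redirect_uri (scheme, host and path, as the quoted manual text says),
    if VK reported an error, or if there is no code in the query."""
    got = urlparse(redirect_url)
    want = urlparse(expected_redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("redirect landed on %s%s, expected %s%s"
                         % (got.netloc, got.path, want.netloc, want.path))
    query = parse_qs(got.query)
    if "error" in query:
        raise ValueError("authorization failed: "
                         + query.get("error_description", query["error"])[0])
    if "code" not in query:
        # e.g. the token flow: the token sits in the fragment, not the query
        raise ValueError("no code in redirect query (fragment=%r)" % got.fragment)
    return query["code"][0]


def build_token_request(client_id, client_secret, redirect_uri, code):
    """Stage 2: parameters for the server-side exchange. redirect_uri must be
    the same one used in stage 1; the manual says the code lives for 1 hour."""
    return TOKEN_URL, {
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
        "code": code,
    }
```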