Hey. I created my application as it should be, and everything works for me, but only for my token. The bottom line is this: through cURL, I send a request for the messages.get method and it works fine. But as soon as another token is used in the application, the output is the following picture:

{"error":{"error_code":17,"error_msg":"Validation required: please open redirect_uri in browser 1056693590","request_params":[{"key":"oauth","value":"1"},{"key":"method","value":"messages.get"},{"key":"user_id","value":"156961900"},{"key":"v","value":"5.37"},{"key":"out","value":"0"},{"key":"count","value":"10"}],"redirect_uri":"https:\/\/m.vk.com\/login?act=security_check&api_hash=ХЭШ"}}

So, I'm in a stupor, because everything works on localhost even with a dourage token (at least it worked yesterday, ha-ha), but on the host, for users other than me, it does not.

Just in case:

  1. All users have added to my application.
  2. Through the address bar, using any registered token, I can get the result.
  3. In the application settings, the working base domain, auth url, and site address are indicated.
  • The token must be received on the same device on which you will use it, that is, on the host. Or else open this very redirect_uri directly from the host - andreymal
  • It turns out to be recursion in this case. I receive the redirect_uri, I follow it, and I receive the same error again. After that, everything repeats. - Sergey Karsten
  • For applications running from a server (not through requests from a client computer), another way to generate a token is provided. The resulting token will not depend on IP, but there are some limitations. I can't send the link to the documentation right now, only a little later - insolor
  • Something like OAuth, as I understood. Right? - Sergey Karsten
  • Are you opening it exactly on the host, and not from your home browser? - andreymal

1 answer

According to the documentation, there are 3 ways to obtain an access key (access token):

  1. Implicit flow is the easiest (one-step) method, but the key will only work with requests sent from the device from which authorization was made. Suitable for desktop, mobile or JavaScript applications.
  2. Authorization code flow - two-step method, more complicated, but the received access token will not be tied to the client's ip, requests can be sent from the server. There are some restrictions on the permissions allowed, for example, you cannot access messages.
  3. Client credentials flow - authorization by application secret key. It is necessary only for access to special secure-methods.

In your case, you need to use method 2:

  • First, a request is sent from the client device

     https://oauth.vk.com/authorize?
       client_id=1&                               // application id
       display=page&                              // type of authorization page
       redirect_uri=http://example.com/callback&  // where the redirect goes after authorization
       scope=friends&                             // what we want to get access to
       response_type=code&                        // the response type we need
       v=5.63

    After the redirect we get the code that we use in the second request:

     http://REDIRECT_URI#code=XXXXXXXX 
  • From the server we send a request of the form:

     https://oauth.vk.com/access_token?
       client_id=1&                          // application id
       client_secret=H2Pk8htyFD8024mZaPHm&   // application secure key: see the application settings, same place as the id
       redirect_uri=http://mysite.ru&        // where we go after the request
       code=XXXXXXXX                         // the code obtained in the previous step

    As a result, we get the access token, which we then use in requests from the server side:

     {"access_token":"YYYYYYYYYYY", "expires_in":43200, "user_id":ZZZZZ} 
  • The second one will not work. I need messages. - Sergey Karsten
  • @SergeyKarsten, then you somehow need to send requests from the client device. Judging by the documentation, it will not work any other way. - insolor
  • So I'm racking my brain too... - Sergey Karsten
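
The two-step authorization code flow described in the answer, together with detection of the `error_code` 17 reply from the question, as an added example (not code from the original posts or from VK). The function names, the `state` anti-CSRF parameter and the sample JSON bodies are assumptions made for illustration; the endpoints and other parameters are the ones shown in the answer.

```python
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE = "https://oauth.vk.com/authorize"    # endpoints as given in the answer
TOKEN = "https://oauth.vk.com/access_token"

def authorize_url(client_id, redirect_uri, scope, state, version="5.63"):
    """Step 1: the URL opened in the user's browser on the client device."""
    return AUTHORIZE + "?" + urlencode({
        "client_id": client_id, "display": "page", "redirect_uri": redirect_uri,
        "scope": scope, "response_type": "code", "v": version,
        "state": state,  # assumption: standard OAuth 2.0 anti-CSRF value
    })

def code_from_callback(callback_url, expected_state):
    """Extract `code` from the redirect; refuse a callback with a foreign state."""
    parts = urlsplit(callback_url)
    params = {**parse_qs(parts.fragment), **parse_qs(parts.query)}
    got = params.get("state", [""])[0]
    if not hmac.compare_digest(got.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    return params["code"][0]

def token_url(client_id, client_secret, redirect_uri, code):
    """Step 2: requested by the server only; client_secret never reaches the client."""
    return TOKEN + "?" + urlencode({
        "client_id": client_id, "client_secret": client_secret,
        "redirect_uri": redirect_uri,  # same value as in step 1
        "code": code,
    })

def read_response(body):
    """Classify a JSON reply as a token, the error 17 validation prompt, or an error."""
    data = json.loads(body)
    err = data.get("error")
    if isinstance(err, dict) and err.get("error_code") == 17:
        return ("validation_required", err.get("redirect_uri"))
    if err is not None:
        return ("error", err.get("error_msg") if isinstance(err, dict) else str(err))
    return ("token", data["access_token"])

# Constructed samples modelled on the two JSON bodies quoted on this page.
SAMPLE_ERROR = ('{"error":{"error_code":17,"error_msg":"Validation required",'
                '"redirect_uri":"https://m.vk.com/login?act=security_check&api_hash=PLACEHOLDER"}}')
SAMPLE_TOKEN = '{"access_token":"YYYYYYYYYYY","expires_in":43200,"user_id":1}'

if __name__ == "__main__":
    print(authorize_url("1", "http://example.com/callback", "friends", "s3"))
    print(read_response(SAMPLE_ERROR), read_response(SAMPLE_TOKEN))
```

Generate `state` per login attempt (for example with `secrets.token_urlsafe()`) and keep it in the user's session until the callback arrives.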