Community Wiki

OAuth 2.0

OAuth 2.0 is the more secure alternative to handing a tool your POESESSID session cookie. Unlike POESESSID, it is officially supported and officially documented.

GGG strongly recommends that tools use OAuth 2.0, but you need a server, hosted separately from your client, to perform the OAuth flow.

  • You set that up by contacting the oauth@ email address with the details they ask for.
  • Your project needs a secure server that handles the whole OAuth flow on behalf of your clients; none of it can run client-side. Clients complete the authorization by bouncing through the GGG OAuth sign-in system, which is where they grant your application its rights.
  • You will receive an email explaining how to set up OAuth with your client_id and client_secret.

Summary of OAuth 2.0

  1. Set up a page that redirects the user to https://www.pathofexile.com/oauth/authorize?client_id={client_id}&response_type=code&scope={scope}&state={state}&redirect_uri={redirect_uri}
  2. User grants authorization
  3. User is redirected back to the application
  4. Once the user has confirmed the requested privileges, the redirect to redirect_uri carries a code
  5. Grant access token: the server exchanges the code for an access_token
    Request:
    POST https://www.pathofexile.com/oauth/token
    grant_type=authorization_code&code={code}&client_id={client_id}&client_secret={client_secret}&redirect_uri={redirect_uri}
    
    Response:
    {
      "scope": "account:profile", 
      "expires_in": 2419200, 
      "token_type": "bearer", 
      "access_token": "secret_access_token", 
      "refresh_token": "secret_refresh_token"
    }
    
  6. Access the scoped endpoint, e.g. /api/profile, sending a User-Agent header and the access_token
    Request:
    GET /api/profile
    Authorization: Bearer {secret_access_token}
    User-Agent: <product> / <product-version> <comment>
    
    Response: https://www.pathofexile.com/developer/docs/reference#profile
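The six steps above, carried through as a server-side script. This is an added example, not code from GGG or from this wiki: it uses only the endpoints and parameters listed on this page, the sample token response from step 5, and a constructed User-Agent, client_id, client_secret, redirect_uri and profile body as placeholders. The HTTP transport is a parameter so the whole flow can be walked offline against a stand-in for GGG's servers; pass live_transport to talk to the real endpoints. Two points the steps leave implicit are made explicit: the state value is generated with a CSPRNG and checked on the way back so a foreign authorization code cannot be spliced into a user's session, and client_secret is only ever used in the server-to-server exchange of step 5.

```python
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

# Endpoints from this page. USER_AGENT follows the "<product> / <version> <comment>"
# shape shown in step 6; the product name and contact address are placeholders.
AUTHORIZE_URL = "https://www.pathofexile.com/oauth/authorize"
TOKEN_URL = "https://www.pathofexile.com/oauth/token"
PROFILE_URL = "https://www.pathofexile.com/api/profile"
USER_AGENT = "example-tool / 0.1 (contact: placeholder@example.invalid)"

# Sample token response copied from step 5 of this page (placeholder secrets).
SAMPLE_TOKEN_RESPONSE = {
    "scope": "account:profile",
    "expires_in": 2419200,
    "token_type": "bearer",
    "access_token": "secret_access_token",
    "refresh_token": "secret_refresh_token",
}


def generate_state():
    """Unguessable per-login value; keep it in the user's server-side session."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, scope, state, redirect_uri):
    """Step 1: the URL the server redirects the user to."""
    params = {"client_id": client_id, "response_type": "code", "scope": scope,
              "state": state, "redirect_uri": redirect_uri}
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Steps 3-4: pull the code out of the redirect back to redirect_uri.
    The state must equal the one issued in step 1 for this session."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: refusing callback")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def live_transport(url, data=None, headers=None):
    """Real HTTP via urllib: POST when a body is given, GET otherwise."""
    req = Request(url, data=data, headers=headers or {},
                  method="POST" if data is not None else "GET")
    with urlopen(req, timeout=15) as resp:
        return resp.status, resp.read()


def exchange_code(code, client_id, client_secret, redirect_uri, transport=live_transport):
    """Step 5: server-to-server exchange; client_secret never leaves the server."""
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "client_id": client_id, "client_secret": client_secret,
                      "redirect_uri": redirect_uri}).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded", "User-Agent": USER_AGENT}
    status, raw = transport(TOKEN_URL, data=body, headers=headers)
    if status != 200:
        raise RuntimeError("token endpoint returned HTTP %d" % status)
    token = json.loads(raw)
    missing = [k for k in ("access_token", "token_type", "expires_in") if k not in token]
    if missing:
        raise ValueError("token response missing " + ", ".join(missing))
    if token["token_type"].lower() != "bearer":
        raise ValueError("unexpected token_type " + token["token_type"])
    return token


def get_profile(access_token, transport=live_transport):
    """Step 6: call the scoped endpoint with the bearer token and a User-Agent."""
    headers = {"Authorization": "Bearer " + access_token, "User-Agent": USER_AGENT}
    status, raw = transport(PROFILE_URL, headers=headers)
    if status != 200:
        raise RuntimeError("profile endpoint returned HTTP %d" % status)
    return json.loads(raw)


def offline_transport(url, data=None, headers=None):
    """Constructed stand-in for GGG's servers so the flow runs without network."""
    if url == TOKEN_URL and data is not None:
        return 200, json.dumps(SAMPLE_TOKEN_RESPONSE).encode()
    if url == PROFILE_URL and (headers or {}).get("Authorization") == "Bearer secret_access_token":
        return 200, json.dumps({"name": "ExampleExile"}).encode()  # constructed profile body
    return 401, b'{"error":"unauthorized"}'


def run_flow(transport=offline_transport):
    """Walk steps 1-6 end to end and return the profile dict."""
    client_id, client_secret = "placeholder_client_id", "placeholder_client_secret"
    redirect_uri = "https://tool.example.invalid/oauth/callback"
    state = generate_state()
    build_authorize_url(client_id, "account:profile", state, redirect_uri)  # user is sent here
    # The browser round-trip of steps 2-3 is simulated: GGG redirects back with a code.
    callback = redirect_uri + "?" + urlencode({"code": "constructed_code", "state": state})
    code = parse_callback(callback, state)
    token = exchange_code(code, client_id, client_secret, redirect_uri, transport)
    return get_profile(token["access_token"], transport)


if __name__ == "__main__":
    print(run_flow())
```

Running the file as-is prints the constructed profile from the offline transport; in a deployment the state would live in the user's session store, the token would be kept server-side and refreshed with the refresh_token before expires_in elapses, and the client application would only ever talk to your own server, never to the token endpoint.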


Wikis Content is available under CC BY-NC-SA 3.0 unless otherwise noted.