(PHP ActiveX) Get Ebay OAuth2 in a Desktop App

See more eBay Examples

Demonstrates how to get a Ebay OAuth2 access token from a desktop application or script.

There are two ways of "minting" an OAuth2 access token.

1. The authorization code grant flow (this example) (https://developer.ebay.com/api-docs/static/oauth-authorization-code-grant.html) This is where your app will be accessing another person's eBay account. It's an interactive process and requires the account owner's permission to get the access token the 1st time. After that, it can be refreshed indefinitely without user interaction.
2. The client credentials grant flow (https://developer.ebay.com/api-docs/static/oauth-client-credentials-grant.html) This is where you access your own eBay account. It's non-interactive and you can do it in automated services where user-interaction is not possible.

For more information, see https://developer.ebay.com/api-docs/static/oauth-authorization-code-grant.html

Chilkat ActiveX Downloads ActiveX for 32-bit and 64-bit Windows Note: The php_com_dotnet.dll may need to be enabled inside of php.ini.

<?php

// This example requires the Chilkat API to have been previously unlocked.
// See Global Unlock Sample for sample code.

// For versions of Chilkat < 10.0.0, use new COM('Chilkat_9_5_0.Chilkat.OAuth2')
$oauth2 = new COM("Chilkat.OAuth2");

// See the Ebay documentation about Access token types
// Also see the Ebay documentation about authorization code grant flow

// Ebay OAuth2 only allows for SSL/TLS with localhost redirect URLs (i.e. https://localhost:<portNumber>/)
// 
// We want the access token to come back to your desktop app, but without TLS (the redirect from your local browser to 
// your application does not traverse a network (both are on localhost), and therefore no TLS is necessary).
// To get around the https problem, you'll need to script
// on your web server to respond with it's own redirect.  Think of it this way:  If Ebay won't redirect to http://localhost:<portNumber>,
// then just setup a web server script that will send a redirect response to http://localhost:<portNumber>

// This script can be written in C#, PHP, or whatever desired.  It must include the query string in the redirection.
// For example, in PHP your script would look like this:

// <?php
//   header( 'Location: http://localhost:3017?' . $_SERVER['QUERY_STRING'] );
// ?>

// Ebay is odd in that it wants the redirect URL indirectly.
// You need to provide the RuName (eBay Redirect URL name)
$oauth2->AppCallbackUrl = 'Chilkat_Softwar-ChilkatS-chilka-qydjs';
$oauth2->ListenPort = 3017;

$oauth2->AuthorizationEndpoint = 'https://auth.sandbox.ebay.com/oauth2/authorize';
$oauth2->TokenEndpoint = 'https://api.sandbox.ebay.com/identity/v1/oauth2/token';

// Replace these with actual values.
$oauth2->ClientId = 'EBAY_CLIENT_ID';
$oauth2->ClientSecret = 'EBAY_CLIENT_SECRET';
$oauth2->UseBasicAuth = 1;
$oauth2->CodeChallenge = 0;

// The scope query param indicates the access to be provided by the token.
// Multiple scopes can be specified by separating each with a SPACE char.
// See the Ebay OAuth scopes documentation

$oauth2->Scope = 'https://api.ebay.com/oauth/api_scope https://api.ebay.com/oauth/api_scope/buy.order.readonly https://api.ebay.com/oauth/api_scope/buy.guest.order https://api.ebay.com/oauth/api_scope/sell.marketing.readonly https://api.ebay.com/oauth/api_scope/sell.marketing https://api.ebay.com/oauth/api_scope/sell.inventory.readonly https://api.ebay.com/oauth/api_scope/sell.inventory https://api.ebay.com/oauth/api_scope/sell.account.readonly https://api.ebay.com/oauth/api_scope/sell.account https://api.ebay.com/oauth/api_scope/sell.fulfillment.readonly https://api.ebay.com/oauth/api_scope/sell.fulfillment https://api.ebay.com/oauth/api_scope/sell.analytics.readonly https://api.ebay.com/oauth/api_scope/sell.marketplace.insights.readonly https://api.ebay.com/oauth/api_scope/commerce.catalog.readonly https://api.ebay.com/oauth/api_scope/buy.shopping.cart https://api.ebay.com/oauth/api_scope/buy.offer.auction';

// Begin the OAuth2 three-legged flow.  This returns a URL that should be loaded in a browser.
$url = $oauth2->startAuth();
if ($oauth2->LastMethodSuccess != 1) {
    print $oauth2->LastErrorText . "\n";
    exit;
}

print 'url = ' . $url . "\n";

// At this point, your application should load the URL in a browser.
// For example, 
// in C#: System.Diagnostics.Process.Start(url);
// in Java: Desktop.getDesktop().browse(new URI(url));
// in VBScript: Set wsh=WScript.CreateObject("WScript.Shell")
//              wsh.Run url
// in Xojo: ShowURL(url)  (see http://docs.xojo.com/index.php/ShowURL)
// in Dataflex: Runprogram Background "c:\Program Files\Internet Explorer\iexplore.exe" sUrl        
// The Ebay account owner would interactively accept or deny the authorization request.

// Add the code to load the url in a web browser here...
// Add the code to load the url in a web browser here...
// Add the code to load the url in a web browser here...

// Now wait for the authorization.
// We'll wait for a max of 60 seconds.
$numMsWaited = 0;
while (($numMsWaited < 60000) and ($oauth2->AuthFlowState < 3)) {
    $oauth2->SleepMs(100);
    $numMsWaited = $numMsWaited + 100;
}

// If there was no response from the browser within 60 seconds, then 
// the AuthFlowState will be equal to 1 or 2.
// 1: Waiting for Redirect. The OAuth2 background thread is waiting to receive the redirect HTTP request from the browser.
// 2: Waiting for Final Response. The OAuth2 background thread is waiting for the final access token response.
// In that case, cancel the background task started in the call to StartAuth.
if ($oauth2->AuthFlowState < 3) {
    $oauth2->Cancel();
    print 'No response from the browser!' . "\n";
    exit;
}

// Check the AuthFlowState to see if authorization was granted, denied, or if some error occurred
// The possible AuthFlowState values are:
// 3: Completed with Success. The OAuth2 flow has completed, the background thread exited, and the successful JSON response is available in AccessTokenResponse property.
// 4: Completed with Access Denied. The OAuth2 flow has completed, the background thread exited, and the error JSON is available in AccessTokenResponse property.
// 5: Failed Prior to Completion. The OAuth2 flow failed to complete, the background thread exited, and the error information is available in the FailureInfo property.
if ($oauth2->AuthFlowState == 5) {
    print 'OAuth2 failed to complete.' . "\n";
    print $oauth2->FailureInfo . "\n";
    exit;
}

if ($oauth2->AuthFlowState == 4) {
    print 'OAuth2 authorization was denied.' . "\n";
    print $oauth2->AccessTokenResponse . "\n";
    exit;
}

if ($oauth2->AuthFlowState != 3) {
    print 'Unexpected AuthFlowState:' . $oauth2->AuthFlowState . "\n";
    exit;
}

// Save the full JSON access token response to a file.
// For versions of Chilkat < 10.0.0, use new COM('Chilkat_9_5_0.Chilkat.StringBuilder')
$sbJson = new COM("Chilkat.StringBuilder");
$sbJson->Append($oauth2->AccessTokenResponse);
$sbJson->WriteFile('qa_data/tokens/ebay-access-token.json','utf-8',0);

// The full JSON received looks like this:
// {
//   "access_token": "v^1.1#i^1#p^3#f^0#I^3#r^0#t^H4sIAAA... 3+fBIAAA==",
//   "expires_in": 7200,
//   "refresh_token": "v^1.1#i^1#f^0#p^3#r^1#I^3#t^Ul4xMF8wOkIxQzAzQjg1ND ... fMSNFXjEyODQ=",
//   "refresh_token_expires_in": 47304000,
//   "token_type": "User Access Token"
// }

print 'OAuth2 authorization granted!' . "\n";
print 'Access Token = ' . $oauth2->AccessToken . "\n";

?>