I have tried to tell the entire story in one screenshot, so feel free to look at it first before reading on. You may notice the problem before I even tell you what it is.
(This is live production code, but all sensitive information is redacted in bright purple. I'm my own client, so it's my information to share, but please let me know if I've accidentally shared something I shouldn't.)
I am trying to gain an access token for the Etsy API. Documentation for how to do so can be found here: https://developer.etsy.com/documentation/essentials/authentication/
Note: this is all for the API v3, not v2. There is a lot of documentation for previous versions, but none of it applies here.
I have gained an access token once before, but it was so long ago. I don't know if I'm logging in differently from last time or if the API has changed since last time. My last successful login was using Postman, but that was a long time ago. Making what I am fairly confident should be the exact same call as last time using Postman is also getting exactly the same error described below. (Though I'm not ruling out the possibility that maybe I forgot to save the working call, and maybe the call I found and tried recently has never worked.)
The code on the left runs (off the live website) as shown on the right. This screenshot was taken after clicking the "sign in" button. This particular time both email address and password were blank, but it gets the same error no matter what is typed into both boxes.
"An error has occurred, please try again!" only appears after clicking.
I know that I need to be able to log in to grant myself the access token, as I have done it once before, but this time, I cannot log in. What am I doing wrong?
That code again is:
    <?php
    $curl = curl_init();
    curl_setopt_array($curl, array(
        CURLOPT_URL => 'https://www.etsy.com/oauth/connect?response_type=code&client_id=/*redacted*/&scope=address_r%2520address_w%2520billing_r%2520cart_r%2520cart_w%2520email_r%2520favorites_r%2520favorites_w%2520feedback_r%2520listings_d%2520listings_r%2520listings_w%2520profile_r%2520profile_w%2520recommend_r%2520recommend_w%2520shops_r%2520shops_w%2520transactions_r%2520transactions_w' . '&code_challenge=DSWlW2Abh-cf8CeLL8-g3hQ2WQyYdKyiu83u_s7nRhI&code_challenge_method=S256',
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_ENCODING => '',
        CURLOPT_MAXREDIRS => 10,
        CURLOPT_TIMEOUT => 0,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
        CURLOPT_CUSTOMREQUEST => 'GET',
        CURLOPT_HTTPHEADER => array(
            'Cookie: /*redacted*/'
        ),
    ));
    $response = curl_exec($curl);
    curl_close($curl);
    echo $response;
I solved it myself, and although it feels like a stupid question in retrospect (don't they all?) here's the answer it deserves:
It all comes from a fundamental misunderstanding of the documentation. It says:
To begin the flow, direct the user to https://www.etsy.com/oauth/connect with a GET request including the following URL parameters:
My misreading of that sentence was:
To begin the flow, perform a GET request to https://www.etsy.com/oauth/connect including the following URL parameters, then direct the user to the URL in the response body.
If you can already see how both sentences are completely different instructions then you already know exactly what I did wrong.
The critical thing to understand is that visiting a website is a GET request. By extension, visiting a website with URL parameters (for example https://www.example.com?parameter1=value1&parameter2=value2) is a GET request with parameters.
Therefore, directing a user to a website with a GET request with parameters simply means writing the parameters into the URL path. It doesn't mean performing a request server side and trying to find a URL path in the response.
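The flow described in the answer above, as an added example that is not code from the original post or from Etsy: the server only builds the authorization URL and answers with a redirect, so the user's own browser performs the GET and shows the login page. The `redirect_uri` and `state` parameters (standard OAuth 2.0), the placeholder client ID, the callback URL, the two scopes and the session key names are assumptions.

```php
<?php
// Added example: build the authorization URL, then redirect the *browser* to it.
// The server never fetches https://www.etsy.com/oauth/connect itself.
session_start();

// Base64url without padding, as PKCE (RFC 7636) requires.
function base64url(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

function build_authorize_url(string $clientId, string $redirectUri, array $scopes,
                             string $state, string $codeVerifier): string
{
    // S256 method: code_challenge = BASE64URL(SHA-256(code_verifier))
    $challenge = base64url(hash('sha256', $codeVerifier, true));

    // PHP_QUERY_RFC3986 encodes each value exactly once; the space that
    // separates scopes becomes %20.
    $query = http_build_query([
        'response_type'         => 'code',
        'client_id'             => $clientId,
        'redirect_uri'          => $redirectUri,
        'scope'                 => implode(' ', $scopes),
        'state'                 => $state,
        'code_challenge'        => $challenge,
        'code_challenge_method' => 'S256',
    ], '', '&', PHP_QUERY_RFC3986);

    return 'https://www.etsy.com/oauth/connect?' . $query;
}

// Fresh, unguessable values for every login attempt, kept server-side.
$state    = base64url(random_bytes(16));
$verifier = base64url(random_bytes(32)); // 43 characters, within the PKCE length limits
$_SESSION['oauth_state']   = $state;     // compared with the state on the callback
$_SESSION['pkce_verifier'] = $verifier;  // sent later with the token request

$url = build_authorize_url(
    'YOUR_ETSY_KEYSTRING',                 // placeholder client_id
    'https://example.com/oauth/callback',  // placeholder redirect_uri
    ['listings_r', 'shops_r'],             // request only the scopes the app needs
    $state,
    $verifier
);

// The user's browser performs the GET request, not this script.
header('Location: ' . $url, true, 302);
exit;
```

On the callback, compare the returned `state` with `$_SESSION['oauth_state']` using `hash_equals()` before exchanging the code for a token.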