OAuth support? about pokemongoapi-php HOT 50 CLOSED

Check out the new authentication system, it supports Oauth and will be released later today.

https://github.com/NicklasWallgren/PokemonGoAPI-PHP/tree/authentication-managers

from pokemongoapi-php.

@guirreri @DragonStar01 This is an example of a working code:

  // EXAMPLE Authentication via Google refresh token
  $config = new Config();
  $config->setProvider(Factory::PROVIDER_GOOGLE);


  if (isset($_SESSION['access_token'])) {
    // Retrieve the persisted access token
    $accessToken = $_SESSION['access_token'];
    $config->setRefreshToken($accessToken);
  }else{
    $config->setAuthToken("ACCESS_TOKE_GOES_HERE");
  }


  // Create the authentication manager
  $manager = Factory::create($config);

  // Add a event listener,
  $manager->addListener(function ($event, $value) {
    if ($event === Manager::EVENT_ACCESS_TOKEN) {
      /** @var AccessToken $accessToken */
      $accessToken = $value;
      // Persist the access token in session storage, cache or whatever.
      // The persisted access token should be passed to the Authentication factory for authentication
      $_SESSION['access_token'] = $accessToken->getRefreshToken();
    }
  });

  // Initialize the pokemon go application
  $application = new ApplicationKernel($manager);

  // Retrieve the pokemon go api instance
  $pokemonGoApi = $application->getPokemonGoApi();

  // Retrieve the inventory
  $inventory = $pokemonGoApi->getInventory();

  // Retrieve the player stats
  $playerStats = $inventory->getStats();

from pokemongoapi-php.

Thanks @DrDelay Works perfectly 👍

from pokemongoapi-php.

That mechanism would then require user-interaction, making it a bit uncomfortable to use. However, it is obviously nicer than having to enter your Google account credentials that you also use for email etc..

I have it implemented in my project (along the "non-OAuth-login" like here, the user can choose what he prefers), if someone can use it as a blueprint to migrate that here: https://github.com/DrDelay/pokemon-go/blob/master/src/Auth/GoogleOAuth.php

However, this requires a persistent storage for the device code, and one for the refresh_token also makes a lot of sense, if you don't want to verify the device on every call.

from pokemongoapi-php.

It could be great to have the OAuth support like in PokeAdvisor website that not asking gmail and password, but only the Authentication Key.

I made a website like PokeAdvisor, but most of players don't trust it and don't sign in with their google mail and password, so I'm a little stuck at this moment.

With a Auth Key, people will start to trust my website and using it.

from pokemongoapi-php.

The way I implemented it an Exception is thrown (that you have to catch obviously), containing an URL the user has to visit (a (sub-)domain of Google, you can redirect/link that) and a device-code to enter there (see README). Then on the next execution it (the script) would receive the refresh_token.

You are talking about an "Auth Key", can you elaborate on that a bit? Is that something one can obtain in his Google account beforehand? If so, this would of course be even better than redirecting the user to google.com/device.

from pokemongoapi-php.

Take a look to https://www.pokeadvisor.com/ and try to Login.

It ask you, or PTC username/password, or, instead of google mail and password, it sends to google requiring a 3 hours temporary Auth Code.

In this way, people don't have to give personal information like google email and password to us

from pokemongoapi-php.

The thing is: if this is supposed to be a library, and not a full-blown application, which I think this should be, then anything that directly requires user interaction is not really feasible: what if I'm only using this on the CLI while my frontend is handled by Javascript?

We would need a way to "pre-authenticate" a user and just give that authentication to ApplicationKernel to use, completely abstracting away this thing.

from pokemongoapi-php.

This is technically already done for you.
You just have to tweak the source code a bit so you pass the login phase and directly set the token.

from pokemongoapi-php.

The token you receive from the page pokeadvisor.com sends you to is not a token you can directly use as AuthenticationInformation in a request to the PoGo-API. It is an authorization code you have to exchange at https://www.googleapis.com/oauth2/v4/token, getting the needed id_token aswell as a permanent refresh_token to obtain further tokens (as the authorization code is one time).

from pokemongoapi-php.

@DrDelay You think you can write a code sample that does that ? I think PokemonGoAPI-PHP doesn't have this implemented as he's using https://android.clients.google.com/auth instead of https://www.googleapis.com/oauth2/v4/token.

I'm really noob at google auth api, so a guide would be perfect.

Thanks

from pokemongoapi-php.

See #54

from pokemongoapi-php.

@DrDelay Awesome commit!
But I see it's not done yet. The refresh_token implementation is still missing.
If you try to login more than once with the token obtained from https://accounts.google.com/o/oauth2/auth?client_id=848232511240-73ri3t7plvk96pj4f85uj8otdat2alem.apps.googleusercontent.com&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&response_type=code&scope=openid%20email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&approval_prompt=force you get an Uncaught exception with message 'Code was already redeemed.'

from pokemongoapi-php.

Yeah, I mentioned it in some issue, the authorization code is one time use, but you get a refresh token that can be used on further requests. I implemented obtaining another id_token by request token (that works, tested with a hardcoded refresh_token), and also the basic "switching" between modes, but this of course lacks a cache implementation. But I feel like this (letting the user set a (PSR-6-)Cache) should be another (and more general) feature/PR.

from pokemongoapi-php.

@DrDelay Well, I'm currently saving them in a session:

 if ( ! session_id() ) @ session_start();
        if (isset($_SESSION['refresh_token'])) {
            $oauthToken = $this->getOauthToken($_SESSION['refresh_token']);
        } else {
            $oauthToken = $this->exchangeAuthCode($authorization_code);
            $refreshToken = $oauthToken->getRefreshToken();
            $_SESSION['refresh_token'] = $refreshToken;
            Log::debug(sprintf('[#%s] Refresh_token: \'%s\'', __CLASS__, $refreshToken));
        }

Thanks again for your work mate.

from pokemongoapi-php.

why, in my Factory.php there is not the const declaration for AUTHENTICATION_TYPE_GOOGLE_OAUTH = 3 ?

I just downloaded the latest commits, but Factory.php it's updated 11 days ago

from pokemongoapi-php.

It's not in this repos master branch (yet), you have to checkout 39808ea of my fork if you want to test it.

from pokemongoapi-php.

@lambasoft :

This is of course a very practible solution if you provide a website and therefore have access to sessions. Even multi-user support comes automatically with this.

However, fiddling around in the src like this will give you trouble merging in updates. I rarely get to work with sessions, but I'd assume there is also a PSR-6 compliant SessionStorage (if caching gets implemented).

from pokemongoapi-php.

ok, thanks to @DrDelay and @lambasoft , I tried your method and it works!

from pokemongoapi-php.

Just found a little problem.

If a user (a stupid user, but still a user) get an Auth Key from Google with a Google account that is not a Pokemon Go account, the API will show this player in any case.
A level 1 player.

Can you suggest me how to check if it's a real player or a noob user that tried to login with a wrong google account?

from pokemongoapi-php.

In my company we have something called DAU-compatibility ("Dümmster anzunehmender User"). :D

This is not a problem with my implementation. Without having it tested I'd say the same thing happens if you use Google password auth. I guess if he has no Pokemon account one gets simply created with the request, otherwise there would be an error, not Level 1. I don't see how you could catch that. What happens on Pokeadvisor? :P

Edit: You could check tutorial_state, but then the account is already created aswell ^^

from pokemongoapi-php.

eheh same in my website, it show data about a level 1 player just created, with no pokecoins, 0/1000 exp, etc etc

from pokemongoapi-php.

@paoloalby - can you show your code? Would really like to get this up and running.

from pokemongoapi-php.

@NicklasWallgren

    // EXAMPLE Authentication via Google refresh token
    $config = new Config();
    $config->setProvider(Factory::PROVIDER_GOOGLE);
    $config->setRefreshToken('INSERT_AUTHENTICATION_REFRESH_TOKEN');
    // Add a event listener,
    $manager->addListener(function ($event, $value) {
        if ($event === Manager::EVENT_ACCESS_TOKEN) {
            /** @var AccessToken $accessToken */
            $accessToken = $value;
            // Persist the access token in session storage, cache or whatever.
            // The persisted access token should be passed to the Authentication factory for authentication
        }
    });

What do you mean by // The persisted access token should be passed to the Authentication factory for authentication ?

Lets say I save the token in a session:
$_SESSION['refresh_token'] = $accessToken;

Great work btw!

from pokemongoapi-php.

The next time you need to authenticate, lets say during the next page load, you pass the persisted access token to the Factory.

// Retrieve the persisted access token
$accessToken = Session::get('access_token');

// Create the authentication manager
$manager = Factory::create($config);

// Initialize the pokemon go application
$application = new ApplicationKernel($manager);

from pokemongoapi-php.

@NicklasWallgren It's working great. I'll commit an example on how to handle refresh token.

Just one more thing, I wish you could add a public function to check either a token is valid or not. Check if the input AccessToken is valid.

Regards

from pokemongoapi-php.

You can use the AccessToken->isTimestampValid()-method to check whether the token is still in its lifetime (after this is fixed).

You can't really find out whether a token is valid or not until you tried it, so I'd just try it and catch (\NicklasW\PkmGoApi\Handlers\RequestHandler\Exceptions\AuthenticationException $authEx) (thrown here).

from pokemongoapi-php.

So I checked out the authentication-managers branch and followed the Google Sign-In Guide (https://developers.google.com/identity/sign-in/web/), but still can't get this to work.The code from the sign in guide returns a token after logging in (googleUser.getAuthResponse().id_token), which I've hardcoded into the example.

Stack Trace:

Fatal error: Uncaught NicklasW\PkmGoApi\Authentication\Exceptions\ResponseException: Retrieved a invalid response. Response: '{ "error": "invalid_grant", "error_description": "Bad Request" } ' in /Applications/MAMP/htdocs/PokemonGoAPI-PHP/src/Authentication/Managers/Google/AuthenticationCode/Parsers/Parser.php:67
Stack trace:

#0 /Applications/MAMP/htdocs/PokemonGoAPI-PHP/src/Authentication/Managers/Google/AuthenticationCode/Parsers/OauthTokenParser.php(29): NicklasW\PkmGoApi\Authentication\Managers\Google\AuthenticationCode\Parsers\Parser->validateResponse(Object(GuzzleHttp\Psr7\Response))

#1 /Applications/MAMP/htdocs/PokemonGoAPI-PHP/src/Authentication/Managers/Google/AuthenticationCode/Clients/AuthenticationClient.php(72): NicklasW\PkmGoApi\Authentication\Managers\Google\AuthenticationCode\Parsers\OauthTokenParser->parse(Object(GuzzleHttp\Psr7\Response))

#2 /Applications/MAMP/htdocs/PokemonGoAPI-PHP/src/Authentication/Managers/Google/AuthenticationCode/Authenticator.php(48): NicklasW\PkmGoApi\Authentication\Managers\G in /Applications/MAMP/htdocs/PokemonGoAPI-PHP/src/Authentication/Managers/Google/AuthenticationCode/Parsers/Parser.php on line 67"

I have the following code in the RetrievePlayerPokdexExample.php:

$config = new Config();
$config->setProvider(Factory::PROVIDER_GOOGLE);
$config->setAuthToken('STRING RETURNED FROM googleUser.getAuthResponse().id_token');

// Create the authentication manager
$manager = Factory::create($config);

// Add a event listener,
$manager->addListener(function ($event, $value) {
    if ($event === Manager::EVENT_ACCESS_TOKEN) {
        $accessToken = $value;
    }
});

// Initialize the pokemon go application
$application = new ApplicationKernel($manager);

// Retrieve the pokemon go api instance
$pokemonGoApi = $application->getPokemonGoApi();

// Retrieve the inventory
$inventory = $pokemonGoApi->getInventory();

// Retrieve the pokedex
$pokedex = $inventory->getPokedex(); // error is happening here...

from pokemongoapi-php.

someone can help me with this ? i get this error
Uncaught NicklasW\PkmGoApi\Authentication\Exceptions\ResponseException: Retrieved a invalid response. Response: '{ "error": "invalid_grant", "error_description": "Bad Request" } '

code

 // EXAMPLE Authentication via Google refresh token
        $config = new Config();
        $config->setProvider(Factory::PROVIDER_GOOGLE);
        $config->setRefreshToken('4/-I492MrcVWwjgiW3TdIIxxxxxxxxxxx');

        // Create the authentication manager
        $manager = Factory::create($config);

        // Initialize the pokemon go application
        $application = new ApplicationKernel($manager);

        // Retrieve the pokemon go api instance
        $pokemonGoApi = $application->getPokemonGoApi();

        // Retrieve the profile
        $profile = $pokemonGoApi->getProfile();

from pokemongoapi-php.

@lambasoft Take a look at the isValid method. But as @DrDelay stated, you can't be certain until you tried it.

from pokemongoapi-php.

@DragonStar01 How did you get hold of the refresh token? I'll tighten up the error messages in a upcoming release.

from pokemongoapi-php.

@guirreri Sounds like you retrieved a Oauth token and not a Authentication code.

from pokemongoapi-php.

@DrDelay @NicklasWallgren Thanks guys, I'll stick with the try case.

Regards.

from pokemongoapi-php.

99.9% of the time you can rely on the timestamps and therefore the AccessToken->isValid()/AccessToken->isTimestampValid() methods.

I was just pointing out that you can't be 100% certain unless you tried it.

It is better to check the timestamps, so you don't create unnecessary authentication failures on the Google API (might get you blocked over time).

It may be best to do both, first check timestamps, and also use a try catch.

from pokemongoapi-php.

@NicklasWallgren I use this url to get RefreshToken Here
Thanks for your hard work 👍

from pokemongoapi-php.

@NicklasWallgren - you're right, I was using id_token. In the same object (googleUser.getAuthResponse()) there is an auth_token, but that doesn't work either.

Response is { "error": "invalid_grant", "error_description": "Incorrect token type." }

Is there a step I'm missing?

from pokemongoapi-php.

@guirreri have you checked my code ?

from pokemongoapi-php.

@lambasoft - tried it - on first request, I get { "error": "invalid_grant", "error_description": "Incorrect token type." }

On refreshing the page I get { "error": "invalid_grant", "error_description": "Code was already redeemed." }

To be clear, I have an HTML page that is based on Google Sign-In example. The returned object contains an id_token and an auth_token. So I sign in, copy-paste the auth_token into the php file and then direct the browser to the php file.

from pokemongoapi-php.

@guirreri are you using this link to get your token: https://accounts.google.com/AccountChooser?continue=https://accounts.google.com/o/oauth2/auth?scope%3Dopenid%2Bemail%2Bhttps://www.googleapis.com/auth/userinfo.email%26response_type%3Dcode%26redirect_uri%3Durn:ietf:wg:oauth:2.0:oob%26client_id%3D848232511240-73ri3t7plvk96pj4f85uj8otdat2alem.apps.googleusercontent.com%26from_login%3D1%26as%3D3b2aeb02ba3f6e9a&ltmpl=embedded&btmpl=authsub&scc=1&oauth=1 ?

from pokemongoapi-php.

To hopefully clarify this:

• In setAuthToken you pass an authorization code, that is a one-time-code you get from here
• In setOauthToken you could pass the id_token, however you can also pass an AccessToken-object with it to Factory::create instead of the Config
• The auth_token you mentioned is more or less useless

from pokemongoapi-php.

@DrDelay - ok, I'm definitely missing a step here because I haven't seen that type of URL in any of the docs I've been reading. Will give this another look later this evening.

Thanks!

from pokemongoapi-php.

To your edit, the id_token (it should be rather long) would be passed to setOauthToken (as mentioned).

However, you're making it overly complex. Using the auth-code (with setAuthToken) from the URL will also give you a refresh token you can persist, as the id token is only valid for an hour or something. This is a good concept (however the naming - refresh becomes access - is a bit confusing, you could just save the whole object - serialized - and use it instead of the Config).

from pokemongoapi-php.

@DrDelay Thanks for your information
but after using your example i get this error
Fatal error: Uncaught Exception: read_bytes(): Unexpected end of stream in /poke/vendor/nicklasw/pogoprotos-php/src/protocolbuffers.inc.php:364

from pokemongoapi-php.

See #56 .. but if you are on the authentication-managers-branch the revert (21f2d30) should be in the history.

from pokemongoapi-php.

Is "NicklasW\PkmGoApi\Authentication\Managers\Google\AuthenticationRefreshToken\Clients\AuthenticationClient" used in the examples? Do I need to replace the client ID and secret in that file in order for the example to work?

IMHO - I think we'd all appreciate a completed full-circle example in the repo, with documentation. This is a feature that none of the other APIs are providing.

from pokemongoapi-php.

@guirreri:
You should never have to change anything in /src except you are developing the library itself.
If you just copy-paste @lambasoft's example and replace ACCESS_TOKE_GOES_HERE with an auth-code from the link @lambasoft / I posted, what happens?

The new auth-system is not even in the master-branch yet, it's quite common for feature-branches to not offer a full documentation already. Enough examples were posted in this issue already 😸

from pokemongoapi-php.

@DrDelay - when I use the URL given at the bottom of this post, with my client ID placed in it, I get a redirect error.

I setup my Project here:
https://console.developers.google.com/apis/credentials

JS Origin is http://localhost:8888
Authorized redirect URIs is: http://localhost:8888/examples/Homepage.php

Is there something else I need to do in the google api admin?

URL:
https://accounts.google.com/o/oauth2/auth?client_id=[MY CLIENT ID]&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&response_type=code&scope=openid%20email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&approval_prompt=force

Error from Google:
The redirect URI in the request, urn:ietf:wg:oauth:2.0:oob, can only be used by a Client ID for native application. It is not allowed for the WEB client type. You can create a Client ID for native application at https://console.developers.google.com/apis/credentials/oauthclient

Request Details
approval_prompt=force
scope=openid email https://www.googleapis.com/auth/userinfo.email
response_type=code
redirect_uri=urn:ietf:wg:oauth:2.0:oob
client_id=[MY CLIENT ID]

from pokemongoapi-php.

Don't change stuff .......
The client ID is from Pokemon, just visit the link as it is.

from pokemongoapi-php.

OK, feeling stupid now, sorry!.

Saw your previous post about the Unexpected end of input - once reverted, works now. Thanks for your patience!!

from pokemongoapi-php.

The new authentication system is now merged into master :) Thanks @DrDelay for contributing!

from pokemongoapi-php.