@Vap0r1ze
Last active April 7, 2024 14:54
Discord OAuth2 Flow

Discord OAuth2

Step 1

You: Redirect User to https://discordapp.com/api/oauth2/authorize

Query Params

| name | value |
| --- | --- |
| client_id | Your application's Client ID |
| scope | A list of scopes, delimited by spaces |
| redirect_uri | The uri to send the user after authorization |

Step 2

Discord: Redirect User to redirect_uri

Query Params

| name | value |
| --- | --- |
| code | Temporary code for requesting access token |

Step 3

You: POST https://discordapp.com/api/oauth2/token

"Form Data" means the body must be sent as application/x-www-form-urlencoded

Form Data

| name | value |
| --- | --- |
| client_id | Your application's client id |
| client_secret | Your application's client secret |
| code | Temporary code for requesting access token |
| grant_type | "authorization_code" |
| redirect_uri | The uri to send the user after authorization |

Response JSON Data

| name | value |
| --- | --- |
| access_token | Token used to make api requests as user |
| refresh_token | Token used to get a new access token |
| expires_in | Expiry time relative to now in seconds |
| scope | List of scopes the access token has |

Refreshing an access token

You: POST https://discordapp.com/api/oauth2/token

Form Data

| name | value |
| --- | --- |
| client_id | Your application's client id |
| client_secret | Your application's client secret |
| refresh_token | Refresh token for desired user |
| grant_type | "refresh_token" |
@Vap0r1ze
Author

Vap0r1ze commented Sep 7, 2020

> Hi,
>
> Do you know if the refresh_token can expire, or if it stays alive indefinitely?
> If it can expire, how long after its creation?
>
> Thanks in advance.

@valentin-b99 the refresh token only expires when the user unauthorizes the application through their settings

@KenCOCOCO

> @valentin-b99 the refresh token only expires when the user unauthorizes the application through their settings

The refresh token expires once the "expires_in" parameter has passed. This is usually 7 days.

@Vap0r1ze
Author

Vap0r1ze commented Oct 10, 2020

> The refresh token expires once the "expires_in" parameter has passed. This is usually 7 days.

@KenCOCOCO This is untrue. The access token is what expires when the expires_in parameter has passed; the refresh token is used to refresh the access token — agnostic of if the access token has expired.

@ascooper57

ascooper57 commented Mar 1, 2021

Step 3, calling from axios: I tried passing data as depicted below, both as-is and JSON.stringified(), and always get a 400 error. Perhaps there are headers required?

```json
{
  "method": "POST",
  "url": "https://discordapp.com/api/oauth2/token",
  "data": {
    "client_id": "#############6944",
    "client_secret": "**********************************",
    "code": "hOA6snQVHePUKB9eyjq2Bxf6CDusfz",
    "grant_type": "authorization_code",
    "redirect_uri": "https://stardust.auth.us-east-1.amazoncognito.com/oauth2/idpresponse"
  }
}
```

2021-03-01T23:36:58.188Z ERROR Token for (hOA6snQVHePUKB9eyjq2Bxf6CDusfz, j349qxcnz5.execute-api.us-east-1.amazonaws.com/Prod, Request failed with status code 400) failed: %s

================================================================================================

```js
// What was tried: axios serializes a plain `data` object as a JSON body by default
const params = {
  method: 'POST',
  url: `${urls.oauthToken}`,
  data: {
    client_id: DISCORD_CLIENT_ID,
    client_secret: DISCORD_CLIENT_SECRET,
    code: code,
    grant_type: 'authorization_code',
    redirect_uri: COGNITO_REDIRECT_URI,
  },
};
const response = axios(params).then(check)
```

@ascooper57

The solution was to use qs to stringify and add the header:

```js
    headers: {
      'content-type': 'application/x-www-form-urlencoded;charset=utf-8',
    },
```

@Vap0r1ze
Author

Vap0r1ze commented Mar 2, 2021

For future reference, "Form Data" means the body must be sent as application/x-www-form-urlencoded
