Weble / ZohoClient


Someone is tampering with the oauth2 request? #15

Closed Braunson closed 3 years ago

Braunson commented 3 years ago

Using the example provided in the readme, I'm getting this error. I can confirm the states do differ when dumped. I am executing this code, getting redirected to the Zoho permission screen, accepting, and being redirected back to the same endpoint with the state and code.

My code:

$client = new \Weble\ZohoClient\OAuthClient(
    $_ENV['ZOHO_CLIENT_ID'],
    $_ENV['ZOHO_CLIENT_SECRET'],
    \Weble\ZohoClient\Enums\Region::US,
    $_ENV['ZOHO_REDIRECT_URI']
);

// This needs to be set if you want to be able to refresh the token
$client->offlineMode();

// Set the zoho scopes you need, see https://www.zoho.com/crm/developer/docs/api/v2/scopes.html
$client->setScopes([
    'ZohoCRM.modules.contacts.READ',
    'ZohoCRM.modules.deals.READ'
]);

// Get the authorization URL
$url = $client->getAuthorizationUrl();

// Get the state for security, and save it (usually in session)
$state = $client->getState();

// Do your redirection as needed
if (! isset($_GET['state'])) {
    redirect($url);
}

// Try to get an access token (using the authorization code grant)
try {
    // In the redirection page, check for the state you got before and that you should've stored
    if ($state !== $_GET['state']) {
        throw new \Exception('Someone is tampering with the oauth2 request');
    }

    // Set the grant code
    $client->setGrantCode($_GET['code']);

    // get the access token (and store it probably)
    $token = $client->getAccessToken();

    // if you set the offline mode, you can also get the refresh token here (and store it)
    $refreshToken = $client->getRefreshToken();

    echo 'Successfully retrieved the access and refresh tokens.';
    return;

} catch (\Exception $e) {

    // handle your exceptions
    dd($e->getMessage());

}
tm1000 commented 3 years ago

Is there a reason you are setting offline mode, as your flow is not offline?

Braunson commented 3 years ago

@tm1000 Yes, this is for a server-side app that will retrieve, e.g., a Deal record. Sorry, new to using Zoho entirely.

I'm building a simple app to retrieve Deal information from the ZohoCRM based on an ID provided to it. I'm just generating this for the initial setup of the app to generate the refresh token.

The use-case is the user is sent an email with a URL where they can check the status of a deal in the system.

Braunson commented 3 years ago

@tm1000 Yes, I noticed that, but it assumes you have the refresh token ahead of time, which I will not? Unless I'm not understanding it correctly.

tm1000 commented 3 years ago

The documentation to get the refresh token is probably out of date.

(I deleted my previous message after I reviewed the readme)

There are other ways to get the refresh token outside of this module that can then be used in this module (away from my computer at the moment, or I would share a bash script).

Braunson commented 3 years ago

@tm1000 Ok, I would appreciate it if you could share the bash script or the alternative ways when you get a chance 😃 I'm implementing the ZohoCrmApi package now but am also still stuck with the issue of the state error when trying to generate the refresh token.

Skullbock commented 3 years ago

Hi @Braunson You can use that code if you want to generate the code, but being offline you need to adjust it a little bit. Specifically, you can skip the state check part:

// Not necessary for you
if ($state !== $_GET['state']) {
    throw new \Exception('Someone is tampering with the oauth2 request');
}

And also set the code manually by copy-pasting it from the redirect URL:

$client->setGrantCode('YOUR_PASTED_IN_CODE');

Alternatively, you can still use the zoho way documented here: https://www.zoho.com/crm/developer/docs/api/v2/access-refresh.html
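Editor's note on why the check in the opening post fails: the snippet calls `$state = $client->getState()` on every request, including the callback request, and nothing in it persists the first value, so the comparison is between a state produced while handling the callback and the one Zoho echoed back from the original redirect. The readme comment just above that line ("save it (usually in session)") is the missing step. The state parameter exists to bind the callback to the browser session that started the flow, so that a third party cannot deliver their own authorization code into a victim's session (the login-CSRF case). Skipping it is only reasonable for the one-off, copy-the-code-by-hand setup Skullbock describes; a callback endpoint that any browser can reach should keep it.

The following PHP is an added example, not code from the Weble/ZohoClient project or from anyone in this thread. It talks to Zoho's authorization endpoint directly rather than through the library, so it relies only on standard OAuth2 query parameters. It assumes PHP 7.1+ and an array-backed session store (in real use, call `session_start()` and pass `$_SESSION`). The names `ZOHO_AUTH_URL`, `beginAuthorization`, `verifyCallback`, the session key `zoho_oauth_state`, and the client id, redirect URI and grant code literals are placeholders chosen for this example.

```php
<?php
// Added example (not from Weble/ZohoClient): state handling for the
// authorization-code redirect, done against the plain OAuth2 endpoint.
// Assumed: PHP 7.1+, and a per-browser server-side store passed as an array
// (use $_SESSION after session_start() in a real handler).
declare(strict_types=1);

// Zoho US data centre authorization endpoint (from Zoho's OAuth docs).
const ZOHO_AUTH_URL = 'https://accounts.zoho.com/oauth/v2/auth';

/**
 * Step 1 (initial request): mint a fresh random state, persist it server-side,
 * and build the authorization URL the user is redirected to.
 */
function beginAuthorization(array &$session, string $clientId, string $redirectUri, array $scopes, bool $offline): string
{
    // 32 random bytes -> 43-char URL-safe token; unguessable, so an attacker
    // cannot craft a callback URL that passes the later comparison.
    $state = rtrim(strtr(base64_encode(random_bytes(32)), '+/', '-_'), '=');
    $session['zoho_oauth_state'] = $state;   // the step the opening post omits

    $params = [
        'response_type' => 'code',
        'client_id'     => $clientId,
        'scope'         => implode(',', $scopes),
        'redirect_uri'  => $redirectUri,
        'state'         => $state,
    ];
    if ($offline) {
        $params['access_type'] = 'offline';   // required to be issued a refresh token
    }
    return ZOHO_AUTH_URL . '?' . http_build_query($params);
}

/**
 * Step 2 (callback request): compare the state Zoho echoed back with the one
 * stored in step 1, consume it, and return the grant code. Returns null when
 * the callback cannot be tied to a flow this session started.
 */
function verifyCallback(array &$session, array $query): ?string
{
    $expected = $session['zoho_oauth_state'] ?? null;
    unset($session['zoho_oauth_state']);      // single use: a replayed callback fails

    if ($expected === null || !isset($query['state'], $query['code'])) {
        return null;                           // no flow in progress, or parameters missing
    }
    if (!is_string($query['state']) || !hash_equals($expected, $query['state'])) {
        return null;                           // mismatch: not the flow this browser began
    }
    return (string) $query['code'];
}

// ---- constructed demo: two requests sharing one session array ----
$session = [];
$url = beginAuthorization(
    $session,
    'CLIENT_ID',                                   // placeholder
    'https://app.example/zoho/callback',           // placeholder
    ['ZohoCRM.modules.contacts.READ', 'ZohoCRM.modules.deals.READ'],
    true
);
parse_str((string) parse_url($url, PHP_URL_QUERY), $sent);   // what Zoho will echo back

// Genuine callback: state matches what this session stored -> grant code returned
$code = verifyCallback($session, ['state' => $sent['state'], 'code' => '1000.constructed']);

// Replay of the same callback: state already consumed -> rejected
$replay = verifyCallback($session, ['state' => $sent['state'], 'code' => '1000.constructed']);

// Forged callback delivered to a session that never started the flow -> rejected
$victim = [];
$forged = verifyCallback($victim, ['state' => $sent['state'], 'code' => '1000.attacker']);

printf("genuine=%s replay=%s forged=%s\n",
    var_export($code, true), var_export($replay, true), var_export($forged, true));

// In the real callback handler, a non-null $code is what goes into the library
// call shown in the readme: $client->setGrantCode($code);
```

In a real handler the two functions run in two different HTTP requests: `beginAuthorization($_SESSION, ...)` before the `redirect($url)`, and `verifyCallback($_SESSION, $_GET)` in place of the `$state !== $_GET['state']` comparison, with a null return treated exactly like the exception in the readme snippet. `hash_equals` is used instead of `!==` so the comparison does not leak timing information about the stored value.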