esi / esi-issues

Issue tracking and feature requests for ESI
https://esi.evetech.net/

Standings endpoint results in 403 forbidden with refresh_token, but works with access_token #1303

Closed arhontis closed 2 years ago

arhontis commented 2 years ago

Bug

I have been developing a web application that retrieves the standings of an authenticated character.

I have successfully authed a character and retrieved the refresh token.

I make the request to the standings of the character with authentication= and I retrieve the standings successfully.

But, when I make the request for standings, by using the refresh token (instead of the access token) I get the error "403 Forbidden" with the body: {"error":"unexpected end of JSON input","sso_status":401}

I have tried sending the base64_encode (php) of the refresh token but with no success either.

Request

This WORKS:

curl --location --request GET 'https://esi.evetech.net/latest/characters/2115568205/standings/?datasource=tranquility' \
  --header 'accept: application/json' \
  --header 'authorization: Bearer [auth token]' \
  --header 'Cache-Control: no-cache'

This DOESN'T work:

curl --location --request GET 'https://esi.evetech.net/latest/characters/2115568205/standings/?datasource=tranquility' \
  --header 'accept: application/json' \
  --header 'authorization: Bearer [refresh token]' \
  --header 'Cache-Control: no-cache'

Response

{"error":"unexpected end of JSON input","sso_status":401}

Status Code

403

Headers

Date: Sat, 06 Nov 2021 20:40:14 GMT
Content-Type: application/json; charset=utf-8
Access-Control-Allow-Methods: GET,HEAD,OPTIONS

Body

{
    "error": "unexpected end of JSON input",
    "sso_status": 401
}

Blacksmoke16 commented 2 years ago

This is expected. Refresh tokens are not used as a means of authentication themselves, but as a way to get a new access token without needing the user to go thru the SSO process again. See https://docs.esi.evetech.net/docs/sso/refreshing_access_tokens.html.

arhontis commented 2 years ago

Oh... I didn't realize that... So, when the auth token expires, I get a new one by using the refresh token and then I can execute the "query" to get what I need with the new access token?

Amazing... So simple... THANKS!

Blacksmoke16 commented 2 years ago

@arhontis Yes, but keep in mind https://developers.eveonline.com/blog/article/sso-endpoint-deprecations-2 as well. I.e. any day now the refresh token may change when you use it to get a new access token. So ideally use a dedicated SSO lib for your lang, or at least don't forget to handle that case.
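
The flow this thread arrives at, as an added example that is not part of the original issue or ESI's own code: only the access token goes in the `authorization: Bearer` header, the refresh token is only exchanged for a new access token, and a changed refresh token in the reply replaces the stored one. `EsiTokens`, `token_request` and `make_fake_sso` are hypothetical names, and the token strings and `expires_in` value are constructed so the block runs offline.

```python
import time

class EsiTokens:
    """One character's token pair. Only the access token is ever sent to ESI."""

    def __init__(self, refresh_token, token_request, clock=time.time, skew=30):
        self.refresh_token = refresh_token
        self.access_token = None
        self.expires_at = 0.0
        # Hypothetical callable: POSTs this form to the SSO token endpoint
        # (with the application's client credentials) and returns the JSON reply.
        self._token_request = token_request
        self._clock = clock
        self._skew = skew  # refresh a little early so a token never expires in flight

    def _refresh(self):
        # OAuth 2.0 refresh grant (RFC 6749, section 6).
        reply = self._token_request({
            "grant_type": "refresh_token",
            "refresh_token": self.refresh_token,
        })
        self.access_token = reply["access_token"]
        self.expires_at = self._clock() + int(reply["expires_in"])
        # Rotation: if the reply carries a different refresh token, the old one
        # must be replaced (and persisted) or the next refresh can be rejected.
        rotated = reply.get("refresh_token", self.refresh_token) != self.refresh_token
        self.refresh_token = reply.get("refresh_token", self.refresh_token)
        return rotated

    def auth_header(self):
        """Return (headers, rotated); rotated=True means re-save refresh_token."""
        rotated = False
        if self.access_token is None or self._clock() >= self.expires_at - self._skew:
            rotated = self._refresh()
        return {"authorization": f"Bearer {self.access_token}"}, rotated

def make_fake_sso(first="refresh-0"):
    """Constructed stand-in for the SSO that rotates the refresh token on every use."""
    state = {"valid": first, "n": 0}
    def token_request(form):
        if form["refresh_token"] != state["valid"]:
            raise PermissionError("invalid_grant")  # stale refresh token
        state["n"] += 1
        state["valid"] = f"refresh-{state['n']}"
        return {"access_token": f"access-{state['n']}", "expires_in": 1199,
                "refresh_token": state["valid"]}
    return token_request
```

When `auth_header()` reports `rotated=True`, write `refresh_token` back to wherever the application stores it before making further calls.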