This content has been translated automatically.  Click here  to view the French version.
Help / WLanguage / WLanguage functions / Communication / Managing the OAuth 2.0 protocol
  • Properties specific to OAuth2Parameters variables
  • Operating mode of OAuth 2.0 authentication
  • PKCE authentication
WindowsLinuxUniversal Windows 10 AppJavaReports and QueriesUser code (UMC)
WindowsLinuxPHPWEBDEV - Browser code
AndroidAndroid Widget iPhone/iPadIOS WidgetApple WatchMac CatalystUniversal Windows 10 App
Stored procedures
The OAuth2Parameters type is used to define the information required to authenticate on a web service implementing the OAuth 2.0 standard. These characteristics can be defined and changed using different WLanguage properties.
This type of variable must be passed as parameter to AuthIdentify. If authentication is successful, this function returns an Variable of type AuthToken, which can be used to make authenticated requests to the Web service.
Remark: For more details on the declaration of this type of variable and the use of WLanguage properties, see Declaring a variable.
// Example used to retrieve a token to perform a request on Dropbox
OAuth2Params is OAuth2Parameters
OAuth2Params.ClientID = "01234567890123456789" 
OAuth2Params.ClientSecret = "98765432109876543210"
OAuth2Params.AuthURL = ""
OAuth2Params.TokenURL = ""
OAuth2Params.AdditionalParameters = "force_reapprove=false"
<COMPILE IF ConfigurationType<>SITE>
// If you are not using a website, you need to specify a localhost redirect URL
OAuth2Params.RedirectionURL = "http://localhost:9874/"

// Ask for authentication: opens the login window
MyToken is AuthToken = AuthIdentify(OAuth2Params)

// Request authenticated on a Dropbox API
req is httpRequest
req.Method = httpPost
req.URL = ""
req.AuthToken = MyToken // Authentication token
req.ContentType = "application/json"
vAPIParam is Variant
vAPIParam.path = "/Homework/math"
vAPIParam.recursive = False
vAPIParam.include_media_info = False
vAPIParam.include_deleted = False
vAPIParam.include_has_explicit_shared_members = False
req.Content = VariantToJSON(vAPIParam)

HTTPresponse is httpResponse = HTTPSend(req)
let Data = JSONToVariant(HTTPresponse.Content)
// Use the incoming data...

Properties specific to OAuth2Parameters variables

The following properties can be used to handle the information required to perform the authentication:
Property nameType usedEffect
AdditionalParametersCharacter stringParameters of the first authentication request. This string must be formatted as URL parameters.
AuthURLCharacter stringAuthorization URL to be used (first URL of OAuth 2.0 specification).
ClientIDCharacter stringClient ID provided by the service when registering the application.
ClientSecretCharacter stringSecret application access code. This code is provided by the service when registering the application.
GrantTypeConstantGrant type available. The possible values are:
  • gtClientCredentials: Authentication without login window. The access authorization is given to the application (not to the user). The token provided to access the resources of the application is linked to the application itself.
  • gtAuthorizationCode (Default value): The access authorization is given to the user. A login window appears to let users enter their username and password. The access token is linked to the user.
New in version 2024
Integer constantAuthentication options:
  • authDefault: OAuth authentication by default.
  • authPKCE: Authentication via PKCE (Proof Key for Code Exchange).
Remark: PKCE provides additional security compared to OAuth. In some cases, although PKCE is used, it may be necessary to specify the secret key (ClientSecret property). We advise you to check the information expected by the platform used.
RedirectionURLCharacter stringRedirection URL to use during the authentication mechanism.
WINDEVAndroid For a Windows or Android application, this URL must have the following format: "http://localhost:PortNumber". This value must be exactly the same as the one specified when declaring the application in the corresponding web service.
iPhone/iPad This property must be specified. It corresponds to the redirect URL scheme specified by the web service provider for iOS.
  • for Facebook, the URL must have the following format: "fb<ClientID>://authorize/".
  • for Google, the URL must have the following format: "<iOS URL scheme>:/oauth2redirect", where:
    • <iOS URL scheme> corresponds to the value provided by Google when creating an OAuth client ID for iOS.
    • "/oauth2redirect" is an example of a value. This parameter can be any value starting with a single forward slash "/" (for example, "//oauth2redirect" is not supported).
WEBDEV - Server code For a WEBDEV website, this URL is calculated automatically. Therefore, there is no need to assign the property.
This URL must be specified in the configuration of the authentication service provider application. It has the following format:
HTTPS will be automatically used if necessary in the redirect URL.
If an HTTP proxy acts as an intermediary between the WEBDEV Application Server that hosts the site and the authentication server, the proxy must be configured to indicate the right protocol in the "Forwarded" HTTP environment variable.
ResponseTypeCharacter string or constantType of response expected. The possible values are:
  • oauth2ResponseTypeCode (or "Code"): The response is of type "Code".
  • oauth2ResponseTypeToken (or "Token"): The response is of type "Token".
The default value is oauth2ResponseTypeCode.
  • For a "personal" authentication, the response type must be "Token".
  • In the case of an authentication for an API or service (e.g. Google mail server), the response type must be "Code".
ScopeCharacter stringRequested permissions. The possible values are specific to the web service used.
The possible values must be separated by a space.
TokenURLCharacter stringURL for retrieving the access token to use (second URL of OAuth 2.0 standard).

Operating mode of OAuth 2.0 authentication

The steps of OAuth 2.0 authentication performed by AuthIdentify are as follows:
  • Running a first HTTP request to ask for an authorization (authorization URL specified in the OAuth2Parameters variable).
  • Opening an OAuth 2.0 authentication window. The authentication window is defined by each service.
  • After the authentication, the server returns an authorization code to request an access token. This code is added as parameter of second URL (access token URL specified in the OAuth2Parameters variable).
  • Running the second HTTP request to ask for the access token. The result is a JSON buffer that contains, among other elements, the access token ("access_token") to be used for the requests that require authentication. The AuthToken variable contains the information found in this JSON buffer. This access token will be used by the calls to the APIs of the web service.
To use the APIs of the web service, simply use HTTPSend with a variable of type httpRequest defining the request to be executed.
The AuthToken variable will be assigned to the AuthToken property of the httpRequest variable (see example).
In this case, the server will receive the HTTP "Authorization" header with a value in the following format: "Authorization: Bearer xxx_access_token_xxx".
  • If the server does not return the access token in the format of JSON code according to the OAuth2.0 standard, an error will occur and the token will not be retrieved. The server response can be retrieved via the ServerResponse property of the AuthToken variable.
  • If the server does not support the HTTP "Authorization" header for transmitting the access token, this transmission must be done by the developer according to the format expected by the requested service.
    The following example allows you to use the web service of Facebook. In this case, the access token must be specified on the request URL.
    • WINDEVAndroid Code sample for Facebook
      // Example used to retrieve the name of the Facebook account
      MyToken is AuthToken
      MyTokenParam is OAuth2Parameters

      MyTokenParam.ClientID = "123456789012345"
      MyTokenParam.ClientSecret = "45g8jh5kll45579021qsg5444j"
      MyTokenParam.AuthURL = ""
      MyTokenParam.TokenURL = ""
      MyTokenParam.RedirectionURL = "http://localhost:9874/"
      MyTokenParam.Scope = "email"

      MyToken = AuthIdentify(MyTokenParam)
      IF MyToken <> Null THEN
      IF ErrorOccurred THEN
      // Token specified on the request URL
      HTTPRequest("" + MyToken.Value)
      vMyRes is Variant = JSONToVariant(HTTPGetResult(httpResult))
      // Retrieve the account name
    • iPhone/iPad Code sample for Facebook:
      MyToken is AuthToken
      MyTokenParam is OAuth2Parameters
      MyTokenParam.ClientID = "1705548803004741"
      MyTokenParam.ClientSecret = "7b3305a5aa1687ef04af001ec3388ecc"
      MyTokenParam.AuthURL = ""
      MyTokenParam.TokenURL = ""
      MyTokenParam.RedirectionURL = "fb1705548803004741://authorize/"
      MyTokenParam.Scope = "email"

      MyToken = AuthIdentify(MyTokenParam)
      IF MyToken <> Null THEN
      IF ErrorOccurred THEN
      // Token specified on the request URL
      HTTPRequest("" + MyToken.Value)
      vMyRes is Variant = JSONToVariant(HTTPGetResult(httpResult))
      // Retrieve the account name
New in version 2024

PKCE authentication

PKCE authentication example:
OAuth2Params is OAuth2Parameters
OAuth2Params.ClientID = "D90iXZWlteM3ESORkGkoWyGkJuxifE1z"
OAuth2Params.Option = authPKCE
OAuth2Params.AuthURL = ""
OAuth2Params.TokenURL = ""
OAuth2Params.RedirectionURL = "http://localhost:9874"
OAuth2Params.Scope = "openid email"

MonToken is AuthToken = AuthIdentify(OAuth2Params)
IF MonToken <> Null _AND_ NOT ErrorOccurred THEN
MonIdentité is OpenIDIdentity = OpenIDReadIdentity(MonToken)
IF MonIdentité.Valid THEN
Info("Echec" + ErrorInfo(errFullDetails))
Related Examples:
WD OAuth Training (WINDEV): WD OAuth
[ + ] OAuth allows you to act as user of an external platform without knowing the identifiers (user name and password) of this user.
Several external platforms (among which Google, Twitter, Facebook) propose APIs for which you have the ability to connect with the information belonging to one of their users. This identification is performed via OAuth. Therefore, all the requests performed on their services (API, ...) will require an access token identifying both the application (the "client") and the user.
The example proposes to connect to Google and Microsoft via the AuthConnect function and the OAuth2Parameter type.
Minimum version required
  • Version 22
This page is also available for…
Click [Add] to post a comment

Last update: 03/08/2024

Send a report | Local help