E-shop verification using proxy pass and OAuth

If you need to save the settings for the individual installation of an addon, you can use the OAuth server to identify the e-shop’s admins.

By using this user authentication mechanism, you will be sure that the user is the actual administrator of the e-shop and you do not need to address its access credentials and authorization to edit the settings of your addon.

This is only a verification mechanism and does not allow you to save data (typically addon settings) – you must save the data yourself in your data structure.

The procedure assumes that you have an e-shop number stored in your API access token database. In other words, you can use the correct API access token from the e-shop number shopId.

The first step to identify a user and their e-shop is to determine the hostname OAuth server, against which you will validate the user’s identity.

1. Obtaining OAuth server address

Enter “Link to external addon settings” in the description of the addon.

If you enter #SHOP_ID# into the URL, this will be replaced by the actual e-shop id.
For example https://my-shoptet-addon.com/settings?eshopId=#SHOP_ID# will be replaced by https://my-shoptet-addon.com/settings?eshopId=12345

If you enter #LANGUAGE# into the URL, this will be replaced by the actual e-shop language.
For example https://my-shoptet-addon.com/settings?language=#LANGUAGE# will be replaced by https://my-shoptet-addon.com/setting?language=cs

If you enter #OAUTH_CODE# into the url, it will be replaced by the actual generated code. For example https://my-shoptet-addon.com/settings?oacode=#OAUTH_CODE# will be replaced by https://my-shoptet-addon.com/settings?oacode=abcd1234

You can use all helpers #SHOP_ID#, #LANGUAGE# and#OAUTH_CODE# in one url, system will replace them automatically.

From the eshopId you receive, you will find the corresponding API access token in your database and call the endpoint Eshop info. In the response, check array data.urls[] and look for object with ident having value oauth and use the value of url field as an OAuth server address of the user, who was logged in.

// your function to get the url from the reply of the endpoint (eshop info)
$baseOAuthUrl = getOAuthUrl($response);

2. Getting the OAuth access token

Next step is to get the OAuth access token, which will provide you with the identity of the user or e-shop.
ATTENTION: This OAuth access token is different from the OAuth access token you get when you install the addon.

In GET parameters, you get the parameter code or your prefered parameter name (based on set #OAUTH_CODE#).

$code = $_GET['code'];

We will compile a request parameter for the OAuth access token. The request is sent in the background, without the user’s knowledge.

$data = [
    // $code is the value from the GET parameter
    'code' => $code,
    // grant_type is always 'authorization_code'
    'grant_type' => 'authorization_code',
    // Your client id in OAuth server
    // This is an example only, the specific value can be found in
    // e-shop administration -> Link -> API partner -> Access to API
    'client_id' => '{$partnerProject->oauthClientId|escape}',
    // Your secret string for communication with OAuth server.
    // The specific value can be found in e-shop administration -> Link -> API partner -> Access to API.
    // Contact Shoptet, if client_secret is not available (for older API partners, it was not generated automatically)
    'client_secret' => '123l4kjl12k3j4ce098kjh34acghkyp4jsj1h324',
    // redirect_uri must be entered in addon settings as "URL for user authorization".
    // The OAuth server inspects whether the addresses are matching;
    // if the address entered in administration does not match with address sent, the OAuth server responds with error
    'redirect_uri' => 'https://my-shoptet-addon.com/code/',
    // Enter 'basic_eshop'
    'scope' => 'basic_eshop'
$url = $_SESSION['base_oauth_url'] . 'token';

Send POST request:

$curl = curl_init($url);
curl_setopt($curl, CURLOPT_POST, TRUE);
curl_setopt($curl, CURLOPT_POSTFIELDS, $data);
$response = curl_exec($curl);
$err = curl_error($curl);

if ($err) {
    die("CURL Error: " . $err);

The reply will contain the access_token in JSON format:

$response = json_decode($response, TRUE);
$accessToken = $response['access_token'];

4. Getting the e-shop’s identity

The e-shop’s identity is obtained from the OAuth server response.

Submit a request to the OAuth server with an authorization header having the OAuth access token value.

Assemble the url you will be sending the request to:

$url = $_SESSION['base_oauth_url'] . 'resource?method=getBasicEshop';

The OAuth access token is sent in the request header:

$curl = curl_init($url);
curl_setopt($curl, CURLOPT_HTTPHEADER, ['Authorization: Bearer ' . $accessToken]);
$response = curl_exec($curl);

If the request is processed OK, it contains $response key success with value true.

{"success":true,"data":{"user":{"email":"novak@fenix.myshoptet.com","name":"Jan Novak"}, "project": {"id":159834,"url":"https:\/\/fenix.myshoptet.com\/","name":"F\u00e9nix"}}}

In $response in the data object project there are items id and url, which identify the e-shop.

$response = json_decode($response, TRUE);
$_SESSION['project_id'] = $response['data']['project']['id'];

Getting the project_id gives you the linked current user of your pages with the e-shop administrator.

Error identification
If the error occurs, in the $response key, there is an error and error_description

{"error":"You must use `client_secret`. Please contact us to obtain one.","error_description":null}