Launching /v2/account (w/ Authentication)

Launching /v2/account (w/ Authentication)

in API Development

Posted by: Pat Cavit.9234

Pat Cavit.9234

Web Programming Lead

Next

!!! OAuth2.0 has been DISABLED !!!

For more information please see the API Key Announcement for more details.

Original post follows

As I mentioned in the Authenticated APIs delayed to week of 2/23 thread we got very close last week to being able to enable to the /v2/account API. Couldn’t quite seal the deal, but the good news is we’ve finished crossing our "t"s and dotting our "i"s on the configuration side of things and everything looks good to go!

So, details. This is considered BETA-quality at the moment and will be more fully fleshed-out later.

/v2/account currently gets you four basic pieces of information.

  1. The user has a GW2 account
  2. User’s Account ID (not the game account ID)
  3. User’s Account Name
  4. User’s World ID (which you can correlate to /v2/worlds)

Usage is pretty standard OAuth2, the endpoint details are as follows:

Scopes are a space delimited list, currently we only support two:

  • account – gives you basic access to the account. It’s required for pretty much any interaction.
  • offline – gives you a refresh token in addition to the access token. The refresh token allows you to continue obtaining access tokens after they expire. You’ll probably want this for any non-trivial app.

To access the API you’ll need to turn the code returned by /oauth2/authorization into an access token using /oauth2/token, and then you can use that against /v2/account by passing the following header in your request:

  • Authorization: Bearer <access token>

I’ve got a pull request against the api-cdi github repo that provides a small example script written for NodeJS. This is the bare-minimum necessary to make a sucessful request, it is nowhere near production-ready. That should be immediately clear when you see that the directions ask you to copy URL params out of the location bar to pass to another script. I think Lawton’s going to be posting a more complete example in Go shortly.

The UI for managing applications via the account site isn’t ready yet, so we’ve got ahead and created a demo application that you can use for the OAuth2 flow. This application only supports redirects to localhost, so unfortunately you won’t be able to build anything you can ship just yet.

We’re hoping to get the UI for registering & managing applications ready by next week. Sorry about that, there just wasn’t time to get it to where we’re happy with it and we wanted to get the authenticated API endpoint active sooner rather than later.

(edited by Pat Cavit.9234)

Launching /v2/account (w/ Authentication)

in API Development

Posted by: Khisanth.2948

Khisanth.2948

What is the difference between the account ID and account name?

Launching /v2/account (w/ Authentication)

in API Development

Posted by: Pat Cavit.9234

Previous

Pat Cavit.9234

Web Programming Lead

Next

What is the difference between the account ID and account name?

ID is a GUID, Name is a string like the one you can enter into the contacts list in-game.

Launching /v2/account (w/ Authentication)

in API Development

Posted by: Lawton Campbell

Previous

Lawton Campbell

Web Programmer

Next

What is the difference between the account ID and account name?

ID is a GUID, Name is a string like the one you can enter into the contacts list in-game.

Name is also what’s displayed on the forums.

Launching /v2/account (w/ Authentication)

in API Development

Posted by: Terrasque.8735

Terrasque.8735

I’m completely new to Oauth, so bear with me here.. I’ve read https://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified as a simple introduction, and from what I can see it – at least for this app – requires a web server to get the callback, right?

Is there a way for a native app, like a command line script, to get a token for an account?

Launching /v2/account (w/ Authentication)

in API Development

Posted by: Lawton Campbell

Previous

Lawton Campbell

Web Programmer

Next

I’m completely new to Oauth, so bear with me here.. I’ve read https://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified as a simple introduction, and from what I can see it – at least for this app – requires a web server to get the callback, right?

Is there a way for a native app, like a command line script, to get a token for an account?

OAuth2 is more-or-less designed for web applications.

If there’s a lot of demand for native applications we can look into adding EVE-style API keys (wherein the user can generate a long-lived token via the account site and copy-paste it into your application), but for now just assume that you need a webserver.

Also, unrelated, I pushed my example Go application to the Github repo.

(edited by Lawton Campbell.8517)

Launching /v2/account (w/ Authentication)

in API Development

Posted by: Pat Cavit.9234

Previous

Pat Cavit.9234

Web Programming Lead

Next

Google has some useful documentation, we don’t support their urn: formatted redirects but you could open a small webserver to receive the redirect. That has all sorts of hurdles around forwarded ports and such of course, it’s not ideal.

Launching /v2/account (w/ Authentication)

in API Development

Posted by: drmadison.1385

drmadison.1385

Also for mobile apps, it’s standard to give a redirect / response URL that’s handled internally by the app (both iOS and Android SDKs allow you to control a WebView and see any URL’s attempted to navigate to).

In this case you’d grab the response URL and send the data to your own code instead of a web server…so you don’t specifically NEED a webserver, just a web view that enables you to handle the response.

Launching /v2/account (w/ Authentication)

in API Development

Posted by: Remfin.4892

Remfin.4892

I’m putting together a .NET (C#) example…it’s not nearly as compact as a node or go example, but whatever :P

Launching /v2/account (w/ Authentication)

in API Development

Posted by: Remfin.4892

Remfin.4892

A C# example of using a temporary token to get account information:

https://github.com/Remfin/GuildWars2.API.Authenticated.Samples

The real code is in one file:

https://github.com/Remfin/GuildWars2.API.Authenticated.Samples/blob/master/GuildWars2.Samples.Account/GuildWars2.Samples.Account/Controllers/HomeController.cs

Obviously not even remotely production-ready, but at the end of the callback method I now know that the browser I’m talking to is that person, and I could (kind of) use it authenticate users into my website without having to have my own user/pass system.

Launching /v2/account (w/ Authentication)

in API Development

Posted by: smiley.1438

smiley.1438

but at the end of the callback method I now know that the browser I’m talking to is that person, and I could (kind of) use it authenticate users into my website without having to have my own user/pass system.

That’s basically what the “Login with Google/Facebook/Twitter” button on many websites does.

Btw. for PHP users: https://code.google.com/p/simple-php-oauth/

class GuildWars2 extends SimpleOauth{
	protected $_prefix = 'guildwars2';
	protected $_authorize_url = 'https://account.guildwars2.com/oauth2/authorization';
	protected $_access_token_url = 'https://account.guildwars2.com/oauth2/token';
	protected $_scope = ['account', 'offline'];

	protected function authorize(array $scope = [], $scope_separator = '+', $attach = null){
		parent::authorize($scope, $scope_separator, '&response_type=code');
	}

	protected function requestAccessToken(
		$method = 'GET', 
		array $params = ['grant_type' =&gt; 'authorization_code'], 
		$returnType = 'json', 
		array $values = ['access_token', 'token_type', 'scope', 'refresh_token']
	){
		parent::requestAccessToken($method, $params, $returnType, $values);
	}

}

€: https://gist.github.com/codemasher/89a909626724d929fd04

(edited by smiley.1438)

Launching /v2/account (w/ Authentication)

in API Development

Posted by: Lawton Campbell

Previous

Lawton Campbell

Web Programmer

Next

A C# example of using a temporary token to get account information

I’d recommend just using an existing OAuth2 client library. More meat for the dollar and all.

Launching /v2/account (w/ Authentication)

in API Development

Posted by: Glyph.7805

Glyph.7805

This is awesome! Thank you for the hard work, this will be very useful for my website!
I’ll get this up and running to show it off as soon as my hosting gets cleared!

(edited by Glyph.7805)

Launching /v2/account (w/ Authentication)

in API Development

Posted by: spiritus.7983

spiritus.7983

aham, I understand nothing of this.

Evil, GH -Charr rule.
A Skritt is dumb. A group of Skritt are smart.
A Human is smart. A group of Humans are idiots.

Launching /v2/account (w/ Authentication)

in API Development

Posted by: chaly.7638

chaly.7638

thankyouthankyouthankyouthankyouthankyouthankyouthankyouthankyou
:-)

Launching /v2/account (w/ Authentication)

in API Development

Posted by: Thuron.5648

Thuron.5648

It’s great to see what awesome things you guys have been making! Can’t wait to start using this. Keep up the great work

http://www.gw2battlesupport.com/ – World’s first dynamic WvW Overlay

Launching /v2/account (w/ Authentication)

in API Development

Posted by: Ruhrpottpatriot.7293

Ruhrpottpatriot.7293

OAuth2 is more-or-less designed for web applications.

If there’s a lot of demand for native applications we can look into adding EVE-style API keys (wherein the user can generate a long-lived token via the account site and copy-paste it into your application), but for now just assume that you need a webserver.

Also, unrelated, I pushed my example Go application to the Github repo.

I’d love to see EVE style API keys (seriously EVE probably has the best game API out there).
Since we from GW2.NET develop towards both ends (i.e. Web and Desktop) we are in need of something which does not need a callback server. Building towards only one end is in my eyes a bit narrow minded and we would like to see support for API-Keys.

I really think the demand is there. If we look at the wrapper section in the wiki we can see that a good portion of them are written in languages mainly used for desktop applications. The list of applications looks a bit different, still a good portion of desktop stlye applications. However I think most of these applications will use one of the previously listed wrappers, especially if it gets to complicated things like authentication, since this makes everything a lot easier.

Administrator of GW2.NET: GitHub , Forum , NuGet

(edited by Ruhrpottpatriot.7293)

Launching /v2/account (w/ Authentication)

in API Development

Posted by: chaly.7638

chaly.7638

@Pat & Lawton
maybe you want to change the information description for users?
I know.. this is bleeding edge, but maybe you want to keep this in mind during release:

Currently a user will be asked if the application is allowed to see some “general account information”.
As good as I know my ppl from Germany (maybe this isn’t a German-thing after all?) they care about what this general information may be.

If the application is only able to see the name of the account and its world just tell the user or give him/ her examples. The “general information” is too generic and maybe understood as realname, address information, ..

Cheers,
Chaly

(edited by chaly.7638)

Launching /v2/account (w/ Authentication)

in API Development

Posted by: Creativewild.6319

Creativewild.6319

@Pat Cavit @Lawton Campbell

You guys just made my day, I’ve been waiting for this one.

I assume this in the future this will allow us to retrieve information like Achievement points,
and account characters from the /v2/characters endpoint?

for the last year I have been developing a custom CMS dedicated exclusively to Guild Wars 2, so you can see how this integration is an awesome news for me ( even bigger than the expansion)

The API is fully integrated on the system, its used from simple item views to fully track the user investments on TP

This is the cherry on the top of CMS, I really believe this will make our users really happy.

Guys, again you have made my day.

Heros forged in the heat of battle – Herois Lusitanos – https://www.heroislusitanos.com

Launching /v2/account (w/ Authentication)

in API Development

Posted by: BugsBanni.1397

BugsBanni.1397

Hey, first of all, I’m super hyped with this, cause if we get more API’s there are super cool things to do with it, I can’t wait to see that things^^

BUT are you serious, Anet? That formatting isn’t funny at all -.-

Attachments:

Launching /v2/account (w/ Authentication)

in API Development

Posted by: ntf.7849

ntf.7849

Need some help for this error. Is there anything I am missing?

https://account.guildwars2.com/oauth2/token?grant_type=authorization_code&redirect_uri=http://localhost:8080/oauth2/callback&client_id=gw2_api_demo&client_secret=0357A930-2126-4C87-A006-5AB470298ADA&code=[INSERT-CODE-HERE]


{
error: "internal_error",
error_description: "49:1014:8008:353"
}
Ntf [MYTH]

Launching /v2/account (w/ Authentication)

in API Development

Posted by: smiley.1438

smiley.1438

Launching /v2/account (w/ Authentication)

in API Development

Posted by: chaly.7638

chaly.7638

BUT are you serious, Anet? That formatting isn’t funny at all -.-

Most of the account site isn’t compatible at a resolution less than 800px width.
You may want to take a look at https://account.guildwars2.com/account/security having the same issue as you mentioned above.

Nobody ever had a problem with the account website on mobile devices. This may change when ppl start using authorized apps on their phones or tablets.
Anyway, I don’t think this is a critical bug, it’s just ..erm..

Instead I really care about the “general account data” information because of my overcautious countrymen in the EU as mentioned above. Even if this one seems to be a cosmetic issue too.

Launching /v2/account (w/ Authentication)

in API Development

Posted by: chaly.7638

chaly.7638

I also used SimpleOpenAuth ,if we’d just already can register apps..

Launching /v2/account (w/ Authentication)

in API Development

Posted by: Pat Cavit.9234

Previous

Pat Cavit.9234

Web Programming Lead

Next

The account site is from a time before we had the resources to focus on the mobile experience, so it’s pretty bad right now. We’re aware of it and actively working on a solution.

App registration should be coming “soon”. There’s still some issues we need to solve before it’s something we want external folks to use.

App keys is something we can discuss longer-term as part of the API CDI, this isn’t really the thread for it. As of right now OAuth2 is the only supported authentication method and we don’t have any infrastructure in place to support anything else.

We’ll work on making those strings a little more specific, if anyone has any examples of sites that do a really good job of describing OAuth scopes in consumer-friendly language I’d love a link. Most in my experience has been similarly-generic text.

Launching /v2/account (w/ Authentication)

in API Development

Posted by: Khisanth.2948

Khisanth.2948

What is the difference between the account ID and account name?

ID is a GUID, Name is a string like the one you can enter into the contacts list in-game.

Name is also what’s displayed on the forums.

In that case I suggest some renaming.

Account Name is the email address according to the launcher and what is displayed on the forum is usually referred to as the Display Name.

Launching /v2/account (w/ Authentication)

in API Development

Posted by: veggies.2178

veggies.2178

@Pat Cavit @Lawton Campbell

You guys just made my day, I’ve been waiting for this one.

I assume this in the future this will allow us to retrieve information like Achievement points,
and account characters from the /v2/characters endpoint?

for the last year I have been developing a custom CMS dedicated exclusively to Guild Wars 2, so you can see how this integration is an awesome news for me ( even bigger than the expansion)

The API is fully integrated on the system, its used from simple item views to fully track the user investments on TP

This is the cherry on the top of CMS, I really believe this will make our users really happy.

Guys, again you have made my day.

Ola tuga

Let me know what site u use so i can take a look, here is the one i use for TWIN with fubared login http://axyd.us/joomla/

Axyd — [TWIN]

Launching /v2/account (w/ Authentication)

in API Development

Posted by: Lawton Campbell

Previous

Lawton Campbell

Web Programmer

Next

What is the difference between the account ID and account name?

ID is a GUID, Name is a string like the one you can enter into the contacts list in-game.

Name is also what’s displayed on the forums.

In that case I suggest some renaming.

Account Name is the email address according to the launcher and what is displayed on the forum is usually referred to as the Display Name.

Yeah, but the API is never going to provide the “account name” (e.g., you’ll never be able to access email addresses), so just referring to the “display name” as “name” is fine, I think.

Launching /v2/account (w/ Authentication)

in API Development

Posted by: Remfin.4892

Remfin.4892

Is the ID, Name, or both primary/unchanging keys?

I imagine that same question is going to come up again for characters

Launching /v2/account (w/ Authentication)

in API Development

Posted by: Lawton Campbell

Previous

Lawton Campbell

Web Programmer

Next

Is the ID, Name, or both primary/unchanging keys?

I imagine that same question is going to come up again for characters

ID is immutable, Name is not. There are situations where an account’s name will change, though they are rare.

Characters do not have an immutable identifier that we can expose

Launching /v2/account (w/ Authentication)

in API Development

Posted by: Nabrok.9023

Nabrok.9023

The OAuth2 library I am using (perl’s Net::OAuth2) wants to add “Host: account.guildwars2.com:443” to the access token request header. This results in a 403 error from the server.

It works fine if the header is set to “Host: account.guildwars2.com” or left out entirely.

I was able to make changes to the library code to fix it for myself, but other users and possibly other libraries may come across this problem.

“I’m not a PvE, WvW, or PvP player – I am a Guild Wars 2 player”
Tarnished Coast – Dissentient [DIS]
All classes

Launching /v2/account (w/ Authentication)

in API Development

Posted by: Pat Cavit.9234

Previous

Pat Cavit.9234

Web Programming Lead

Next

The OAuth2 library I am using (perl’s Net::OAuth2) wants to add “Host: account.guildwars2.com:443” to the access token request header. This results in a 403 error from the server.

It works fine if the header is set to “Host: account.guildwars2.com” or left out entirely.

I was able to make changes to the library code to fix it for myself, but other users and possibly other libraries may come across this problem.

Interesting. My current browser doesn’t appear to send :443 for HTTPS requests, the spec is a bit ambiguous on the issue. We’ll take a look.

Launching /v2/account (w/ Authentication)

in API Development

Posted by: Lawton Campbell

Previous

Lawton Campbell

Web Programmer

Next

The OAuth2 library I am using (perl’s Net::OAuth2) wants to add “Host: account.guildwars2.com:443” to the access token request header. This results in a 403 error from the server.

It works fine if the header is set to “Host: account.guildwars2.com” or left out entirely.

I was able to make changes to the library code to fix it for myself, but other users and possibly other libraries may come across this problem.

Could you capture and paste the request that’s returning 403 (make sure to remove the “code” and “client_secret” parameters from the query string)? I’m totally unable to reproduce the behavior from the host header alone.

Launching /v2/account (w/ Authentication)

in API Development

Posted by: Nabrok.9023

Nabrok.9023

The OAuth2 library I am using (perl’s Net::OAuth2) wants to add “Host: account.guildwars2.com:443” to the access token request header. This results in a 403 error from the server.

It works fine if the header is set to “Host: account.guildwars2.com” or left out entirely.

I was able to make changes to the library code to fix it for myself, but other users and possibly other libraries may come across this problem.

Could you capture and paste the request that’s returning 403 (make sure to remove the “code” and “client_secret” parameters from the query string)? I’m totally unable to reproduce the behavior from the host header alone.

Sure, I attached the two request headers (one that works, one that doesn’t) to avoid forum formatting.

Same thing is happening with any of the endpoints, here’s a test perl script ….


#! /usr/bin/perl

use LWP::UserAgent;

my $ua = LWP::UserAgent->new;

my $api_uri = 'https://api.guildwars2.com';
my $url = $ARGV[0] || $api_uri.'/v2/build';

my $response_with_port = $ua->get($url, Host => 'api.guildwars2.com:443');
my $response_without_port = $ua->get($url, Host => 'api.guildwars2.com');

print "With port: ".$response_with_port->status_line."\n";
print "Without port: ".$response_without_port->status_line."\n";

exit;

And the results …


With port: 403 Forbidden
Without port: 200 OK
“I’m not a PvE, WvW, or PvP player – I am a Guild Wars 2 player”
Tarnished Coast – Dissentient [DIS]
All classes

(edited by Nabrok.9023)

Launching /v2/account (w/ Authentication)

in API Development

Posted by: smiley.1438

smiley.1438

We’ll work on making those strings a little more specific, if anyone has any examples of sites that do a really good job of describing OAuth scopes in consumer-friendly language I’d love a link. Most in my experience has been similarly-generic text.

GitHub.

https://help.github.com/articles/connecting-with-third-party-applications/

Attachments:

Launching /v2/account (w/ Authentication)

in API Development

Posted by: Moturdrn.2837

Moturdrn.2837

Thanks Pat, Lawton, and everyone else there working on the APIs!

Looking forward to being able to register applications for use with this, it’ll take some of the headache out of user authentication

Midnight Mayhem [MM] – Gunnar’s Hold
Visko Bludhaven – Level 80 Human Elementalist
Gunnar’s Hold Server Forum

Launching /v2/account (w/ Authentication)

in API Development

Posted by: Nicsword.3956

Nicsword.3956

I am getting mixed results when retrieving back account data from using the token.
One of my accounts returns back “undefined” while the other does return the four pieces of information. The only difference I can think of is that the account with undefined results has the mobile authenticator enabled. Anyone else have similar result?

Attachments:

Launching /v2/account (w/ Authentication)

in API Development

Posted by: Pat Cavit.9234

Previous

Pat Cavit.9234

Web Programming Lead

Next

I am getting mixed results when retrieving back account data from using the token.
One of my accounts returns back “undefined” while the other does return the four pieces of information. The only difference I can think of is that the account with undefined results has the mobile authenticator enabled. Anyone else have similar result?

I’ve got TOTP on my account I used for testing w/o any problems. I’ll give it another shot in a bit here to see if I can repro.

You could also modify the node script to dump out more info after the request, modify https://github.com/arenanet/api-cdi/blob/master/examples/auth-nodejs/request.js#L19 to say

console.log(arguments);

and you should be able to get a bit more info in the error case.

(edited by Pat Cavit.9234)

Launching /v2/account (w/ Authentication)

in API Development

Posted by: Olsria.9608

Olsria.9608

I get through the oauth redirect/callback ok and swap the code for an access_token successfully. Requests to /v2/accounts result in {"text":"ErrBadData"}

Trying the node.js scripts results in printing “undefined”

Launching /v2/account (w/ Authentication)

in API Development

Posted by: Nabrok.9023

Nabrok.9023

I get through the oauth redirect/callback ok and swap the code for an access_token successfully. Requests to /v2/accounts result in {"text":"ErrBadData"}

Trying the node.js scripts results in printing “undefined”

I’m now getting the same error. Was working yesterday.

“I’m not a PvE, WvW, or PvP player – I am a Guild Wars 2 player”
Tarnished Coast – Dissentient [DIS]
All classes

Launching /v2/account (w/ Authentication)

in API Development

Posted by: Pat Cavit.9234

Previous

Pat Cavit.9234

Web Programming Lead

Next

Yeah, something’s gone pear-shaped. Investigating.

Launching /v2/account (w/ Authentication)

in API Development

Posted by: Pat Cavit.9234

Previous

Pat Cavit.9234

Web Programming Lead

Next

Lawton found the cause. He’s chatting with some folks about how to a) fix it and b) prevent it from breaking like this in the future.

Quick reminder…

This is considered BETA-quality at the moment

Launching /v2/account (w/ Authentication)

in API Development

Posted by: Lawton Campbell

Previous

Lawton Campbell

Web Programmer

Next

Lawton found the cause. He’s chatting with some folks about how to a) fix it and b) prevent it from breaking like this in the future.

Quick reminder…

This is considered BETA-quality at the moment

The error should now be resolved. Sorry about that.

Launching /v2/account (w/ Authentication)

in API Development

Posted by: Nicsword.3956

Nicsword.3956

Lawton found the cause. He’s chatting with some folks about how to a) fix it and b) prevent it from breaking like this in the future.

Quick reminder…

This is considered BETA-quality at the moment

The error should now be resolved. Sorry about that.

You guys are awesome, the account works for me now.

Launching /v2/account (w/ Authentication)

in API Development

Posted by: I Am Dansker.7105

I Am Dansker.7105

How long does the access token and refresh token last before they expire?

Far Shiverpeaks

Launching /v2/account (w/ Authentication)

in API Development

Posted by: Nabrok.9023

Nabrok.9023

How long does the access token and refresh token last before they expire?

Yes, could we get “expires_in” included with the access/refresh token response please?

“I’m not a PvE, WvW, or PvP player – I am a Guild Wars 2 player”
Tarnished Coast – Dissentient [DIS]
All classes

Launching /v2/account (w/ Authentication)

in API Development

Posted by: aRestless.6213

aRestless.6213

It’s as offtopic as it gets, but I just wanted to throw in that I’m really amazed by these threads and the work on the repo. This is real collaboration and motivates me as a developer immensely.

Thank you for working with us!

Never lose track of your friends again, with Who’s Talking for Overwolf

Launching /v2/account (w/ Authentication)

in API Development

Posted by: Teranas.6150

Teranas.6150

Just finished my work on OAuth 2 thirdparty authentication and API implementation for WoltLab Burning Boards.

Can’t wait for the app registration release =D

You did great job there

Launching /v2/account (w/ Authentication)

in API Development

Posted by: Raif.9507

Raif.9507

Thanks for the new update! This should open up some awesome new avenues for apps. I’ll make sure that all the participants in the Overwolf app challenge are aware of this.

~ Raif the Overwolf Community Manager

Asharìa March – 80 Elementalist
Co-Guild Leader of Prime Defense on Sanctum of Rall – www.Primedefense.net

Launching /v2/account (w/ Authentication)

in API Development

Posted by: Lawton Campbell

Previous

Lawton Campbell

Web Programmer

Next

How long does the access token and refresh token last before they expire?

I wanna say … a day?

Yes, could we get “expires_in” included with the access/refresh token response please?

Will definitely look into adding that.

I think an okay heuristic for now is to request the “offline” scope and use the refresh token if your access token is a few hours stale. I’m not sure what the turnaround time for getting expires_in on that endpoint is going to look like.