VKontakte
Denis Morozov, 2014-03-13 08:34:40

VK API - how to check on the server side the access_token received from the standalone/mobile application?

The scheme is as follows:
1. the user logs in to the mobile application via vk
2. receives an access_token
3. transfers it to the server
4. this access_token is checked on the server and the user id corresponding to this access_token is obtained (in FB it is analogous to https://graph.facebook.com/me?access_token=...)
5. the server automatically registers/logs in the user
I try to use the secure.checkToken method:
1. vk.com/dev/auth_server - here I got an access_token
2. I make the following request:

https://api.vk.com/method/secure.checkToken?token=<user_access_token>&client_secret=<app_secret>&access_token=<access_token>

in response I get:
{"error":{
     "error_code":15,"error_msg":"Access denied: Incorrect token sig_param",
     "request_params":[
          {"key":"oauth","value":"1"},
          {"key":"method","value":"secure.checkToken"},
          {"key":"token","value":"<user_access_token>"},
          {"key":"client_secret","value":"<app_secret>"},
          {"key":"access_token","value":"<access_token>"}
     ]
}}


7 answer(s)
Dmitry Sikorsky, 2014-04-03
@morozovdenis

In general, I suffered for a couple of hours and managed to solve it by adding "offline" to scope. Binding by IP does not work in this case.

Oleg Kulyasov, 2014-05-14
@ka1eka

Check carefully that you are sending everything correctly. Just finished a task similar to yours. Everything works as it is written in the documentation.
First we get the access_token:
We receive in response:
Then we execute the secure.checkToken request:
We receive in response:
Addition: I get user_token from flash_vars (access_token) from a flash toy, and you get it through a mobile application, maybe that's why the behavior is different.

Dmitry Sikorsky, 2014-04-03
@DmitrySikorsky

Guys, did you find a solution? I faced the same issue. There is a table with users on the server, each user has many login methods. Accordingly, my server creates an authticket for mobile applications based on the user ID received from the application. Checking mail is easy (by password), Facebook is also easy, but there is a problem with VK due to the fact that the access token is tied to IP. What are some ideas? Thank you!

EduardTrayan, 2014-03-13
@EduardTrayan

According to this documentation, your request should look like

https://api.vk.com/method/secure.checkToken?token=<your_token>

EduardTrayan, 2014-03-13
@EduardTrayan


1. the user logs in to the mobile application via vk
2. receives an access_token
3. passes it to the server
If you log in a user through a mobile application, then again, judging by this manual, you receive a token and user ID in the query string; those are essentially these actions.
I am trying to use secure.checkToken method:
You do not need to.
In general, describe what you want to do.

Stepan, 2014-03-13
@L3n1n

Bad idea. The token does not work because it is requested from one IP / software and is checked from another.
Instead of secure.checkToken, call another method, for example, getting information about the user, or write your own method through execute that will do the check. But keep in mind, since you are accessing the API from another place, VK will request a captcha from you.

lovesuper, 2020-05-27
@lovesuper

For 2020, the workflow looks like this:

https://api.vk.com/method/secure.checkToken?access_token=1581a9cd3481a9cd3481a9cd5534f00ff2334820481a9cd7a2e43ba39c6842ab16f8e65&client_secret=rtJbebd5vbAStnJyKwjA&v=5.21&client_id=7448000&token=8b31f3f6602885d6f479af9aab7cb7fe7c1a0487a47c64a7ef5e83daa23fe3001bbd5e9cc0c2967cef619

(in the admin panel of your application, you need to take the application ID, application access token and application secret)
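
The server-side step this thread is about (check the client's token, then take the user id from VK's answer instead of from the client), as an added example that is not code from any poster. It uses the endpoint and parameter names quoted above; sending them in a POST body, the success response fields (`success`, `user_id`, `expire`) and all sample values are assumptions.

```python
import json
import time
from urllib.parse import urlencode

API_URL = "https://api.vk.com/method/secure.checkToken"  # endpoint as quoted in the thread

# Constructed sample responses (not captured from VK); the error text is the one in the question.
SAMPLE_OK = '{"response": {"success": 1, "user_id": 1001, "date": 1700000000, "expire": 0}}'
SAMPLE_ERR = '{"error": {"error_code": 15, "error_msg": "Access denied: Incorrect token sig_param"}}'


class TokenRejected(Exception):
    """Raised when the check does not yield a user id the server can trust."""


def build_check_request(user_token, service_token, client_secret, client_id, version="5.21"):
    """Return (url, form_body) with the parameter names from the 2020 answer.

    Assumption: parameters go in a POST body so the application secret and
    tokens stay out of URLs recorded by proxies and access logs.
    """
    body = urlencode({
        "token": user_token,            # token received from the mobile client
        "access_token": service_token,  # application access token
        "client_secret": client_secret,
        "client_id": client_id,
        "v": version,
    })
    return API_URL, body


def user_id_from_response(raw_json, claimed_user_id=None, now=None):
    """Return the user id VK vouches for, or raise TokenRejected."""
    data = json.loads(raw_json)
    if "error" in data:  # error envelope as shown in the question
        err = data["error"]
        raise TokenRejected(f"VK error {err.get('error_code')}: {err.get('error_msg')}")
    resp = data.get("response") or {}
    # Assumed success shape: success flag, numeric user_id, optional expire timestamp.
    if resp.get("success") != 1 or not isinstance(resp.get("user_id"), int):
        raise TokenRejected("response does not confirm the token")
    expire = resp.get("expire", 0)
    now = time.time() if now is None else now
    if expire and expire <= now:  # assumption: 0 means the token has no expiry
        raise TokenRejected("token expired")
    # Never register/log in the id the client sent; only the id bound to the token.
    if claimed_user_id is not None and str(claimed_user_id) != str(resp["user_id"]):
        raise TokenRejected("client-claimed user id does not match the token")
    return resp["user_id"]
```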
