4

I'm trying to get an access token from VKontakte (a Russian social network) via their OAuth2 API. This is how I make the call:

https://oauth.vk.com/authorize?client_id=12345&scope=wall,offline&redirect_uri=https://www.example.com/oauth/vk.php&display=page&v=5.24&response_type=token

I'm receiving an access token but if I try to post a message with it, I'm receiving this error:

//error: Permission to perform this action is denied for non-standalone applications: you should request token using blank.html page.

My app is a standalone application - why do I receive the error?

Uli

4 Answers

3

I see that your "client_id" is '12345' - is it a fake ID, or a real one? Did you get a valid client_id from VK?

It appears that you should request the token via "blank.html":

https://oauth.vk.com/authorize?client_id=<app_id>&scope=...,wall,...&redirect_uri=https://oauth.vk.com/blank.html&response_type=token

(instead of vk.php, in your example)

OhadR
  • It's a fake one, I received a valid one from VK. – Uli Sep 06 '14 at 20:50
  • I'm not getting a token but a warning from VK: `Please do not copy the data from the address bar to third-party sites. So you can lose access to your account.` – Uli Sep 07 '14 at 09:37
  • Maybe it is hard-coded on the VK side, so you should redirect to blank.html in your app. For example: ...redirect_uri=https://www.example.com/oauth/blank.html... instead of vk.php. – OhadR Sep 07 '14 at 11:24
  • create a page in your app, blank.html, and try again. – OhadR Sep 08 '14 at 08:39
  • @OhadR I'm looking for a solution for this too. Isn't it required to use the VK URL `https://oauth.vk.com/blank.html` for the redirect in order to receive the token or am I wrong? Can you please explain it further or show me an example? – Jay Dec 15 '14 at 22:20
  • I don't really have a specific example for VK, but this is how OAuth works. Maybe they have examples in the documentation on their website... – OhadR Dec 16 '14 at 07:16
2

The steps that you have followed are correct.

The warning message `Please do not copy the data from the address bar to third-party sites. So you can lose access to your account.` will be displayed on the screen, whereas the actual access token will be found in the address bar.

AdrieanKhisbe
0

That's exactly what it says it is - you cannot use the implicit flow for a non-standalone application. Instead, you should use the authorization code flow, which is more secure for client applications.

Leonid Bor
0

After long research, I understood that the access_token which allows posting on a user's wall is in the URL of this page, https://oauth.vk.com/blank.html, whereas on this page there is an alert which says to the user:

Please do not copy the data from the address bar to third-party sites. So you can lose access to your account.

So as a developer I have to convince the user that VK is wrong and that you must give the access_token ... Total confusion ... It's stupid how it works.
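
An added example, not part of the original thread: how a standalone client might build the blank.html request discussed in the answers and read the token out of the address-bar fragment inside the app itself, instead of having the user copy it. The `state` check and the `expires_in`/`user_id` field names are assumptions based on standard OAuth2 (RFC 6749), and `buildAuthorizeUrl`/`parseRedirect` are hypothetical helper names.

```javascript
// Added example, not from the thread. Fragment field names follow RFC 6749
// section 4.2.2; VK-specific behaviour is assumed, not verified here.
const AUTHORIZE = 'https://oauth.vk.com/authorize';
const BLANK = 'https://oauth.vk.com/blank.html';

// Build the implicit-flow request with the parameters used in the question,
// but with the blank.html redirect that the error message asks for.
function buildAuthorizeUrl(clientId, scopes, state) {
  const u = new URL(AUTHORIZE);
  u.search = new URLSearchParams({
    client_id: clientId,
    scope: scopes.join(','),
    redirect_uri: BLANK,
    display: 'page',
    v: '5.24',
    response_type: 'token',
    state, // assumption: echoed back unchanged, as in standard OAuth2
  }).toString();
  return u.toString();
}

// Parse the address the app's embedded browser ends up on. The token is in
// the fragment (after '#'), which the browser does not send in HTTP requests.
function parseRedirect(finalUrl, expectedState) {
  const u = new URL(finalUrl);
  if (u.origin + u.pathname !== BLANK) {
    throw new Error('unexpected redirect target: ' + u.origin + u.pathname);
  }
  const p = new URLSearchParams(u.hash.replace(/^#/, ''));
  if (p.has('error')) {
    throw new Error('authorization failed: ' + p.get('error'));
  }
  if (p.get('state') !== expectedState) {
    throw new Error('state mismatch, discarding response');
  }
  const token = p.get('access_token');
  if (!token) throw new Error('no access_token in fragment');
  return {
    token,
    expiresIn: Number(p.get('expires_in') || 0), // assumed field name
    userId: p.get('user_id'),                    // assumed field name
  };
}

// Constructed sample redirect; the token value is a placeholder.
const sample = BLANK + '#access_token=PLACEHOLDER_TOKEN&expires_in=0&user_id=1&state=abc123';
```

The parser rejects any final address other than blank.html, so a token delivered to a page such as the question's vk.php is never accepted by this client.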