I'm trying to create a native Java-based client that interacts with the SurveyMonkey API.
SurveyMonkey requires generating a long-lived access token using OAuth 2.0, which I'm not very familiar with.
I've been googling for hours and I think the answer is no, but I just wanted to make sure:
Can I write a simple Java client to interact with SurveyMonkey, without having to set up my own redirect server in some cloud?
I think it is necessary to have my own online service to be able to receive tokens generated by OAuth 2.0. Can't I just have SurveyMonkey send the token directly to my client?
If I set up my own custom Servlet somewhere and use it as redirect_uri, the correct flow should be as follows:
Is this correct?
Yes, it is possible to use OAuth2 without a callback URL. RFC6749 introduces several processes. The implicit flow (now deprecated[1]) and the authorization code flow (Authorization Code) require a redirect URI. However, the resource owner password credential process (also deprecated[1]) is not required.
Since the publication of RFC6749, other specifications have been published which do not require any redirect URIs:
Additionally, when using OpenID Connect, the response pattern is not necessarily a redirect to the redirect_uri parameter, but can instead be a POST request to that endpoint. For more information, see the OAuth 2.0 Form POST Response Pattern specification.
Regardless, if the above authorization type does not suit your needs, you can create a custom authorization type.
[1]: OAuth 2.1 Specification (Draft 07)
is not entirely accurate, the whole point of the OAuth process is that the user (the client on whose behalf you are accessing the data) needs to give you permission to access their data.
See Authentication Instructions. You need to send the user to the OAuth authorization page:
This will show the user a page telling them which parts of their account you are requesting access to (e.g. view their surveys, view their responses, etc.). Once the user approves by clicking "Authorize" on that page, SurveyMonkey will automatically jump to the page you set as the redirect URI (make sure the redirect URI in the above URL matches the one set in your application settings) and send back the authorization code.
So if your redirect URL is https://example.com/surveymonkey/oauth, SurveyMonkey will redirect the user to that URL using the authorization code: https://example.com/surveymonkey/oauth?code=
You will then need to exchange that authorization code for the access token by sending a POST request to https://api.surveymonkey.net/oauth/token?api_key= and providing the following POST parameters:
This will return an access token which you can then use to access data on the user account. You do not need to give the access token to the user; it is for you to use to access the user account. No polling or other operations required.
If you are only accessing your own account, you can use the access token provided on the application settings page. Otherwise, there is no way to get access tokens for users unless you set up your own redirect server (unless all users belong to the same group, i.e. multiple users under the same account; but I won't go into that). SurveyMonkey needs a place to send authorization codes to you, you can't just request one.
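The callback handling and token exchange described in the answer above, as an added example that is not part of the original answers and is not SurveyMonkey's code. It assumes Java 10+, the standard RFC 6749 section 4.1.3 parameter names (the exact names SurveyMonkey expects should be taken from its documentation), that a `state` value was sent in the authorization request, and constructed placeholder values for the code, state and credentials.

```java
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.util.*;

public class OAuthCallback {
    // Redirect URI from the answer above; it must equal the one in the app settings.
    static final URI REGISTERED = URI.create("https://example.com/surveymonkey/oauth");
    static void require(boolean ok, String why) {
        if (!ok) throw new IllegalStateException(why);
    }

    // Split a raw query string into percent-decoded parameters.
    static Map<String, String> parseQuery(String raw) {
        Map<String, String> out = new LinkedHashMap<>();
        if (raw == null || raw.isEmpty()) return out;
        for (String pair : raw.split("&")) {
            String[] kv = pair.split("=", 2);
            out.put(URLDecoder.decode(kv[0], StandardCharsets.UTF_8),
                    kv.length > 1 ? URLDecoder.decode(kv[1], StandardCharsets.UTF_8) : "");
        }
        return out;
    }

    // Validate the callback, then build the form body for the token POST.
    static String tokenRequestBody(URI cb, String expectedState, String clientId, String clientSecret) {
        String target = cb.getScheme() + "://" + cb.getAuthority() + cb.getPath();
        require(REGISTERED.toString().equals(target), "callback is not the registered redirect URI");
        Map<String, String> q = parseQuery(cb.getRawQuery());
        require(!q.containsKey("error"), "authorization failed: " + q.get("error"));
        // state (RFC 6749) ties the callback to the request this client started
        require(expectedState.equals(q.get("state")), "state mismatch, discarding callback");
        String code = q.get("code");
        require(code != null && !code.isEmpty(), "callback carries no authorization code");
        Map<String, String> form = new LinkedHashMap<>();
        form.put("grant_type", "authorization_code"); // RFC 6749 section 4.1.3 names (assumption)
        form.put("code", code);
        form.put("redirect_uri", REGISTERED.toString());
        form.put("client_id", clientId);
        form.put("client_secret", clientSecret);
        StringJoiner body = new StringJoiner("&");
        form.forEach((k, v) -> body.add(k + "=" + URLEncoder.encode(v, StandardCharsets.UTF_8)));
        return body.toString();
    }

    public static void main(String[] args) {
        // Constructed callback URL and placeholder credentials.
        URI cb = URI.create("https://example.com/surveymonkey/oauth?code=SAMPLE_CODE&state=xyz123");
        System.out.println(tokenRequestBody(cb, "xyz123", "SAMPLE_CLIENT_ID", "SAMPLE_CLIENT_SECRET"));
    }
}
```

The returned string is the `application/x-www-form-urlencoded` body for the token POST; the client secret it contains belongs on the server that owns the redirect URI, not in a distributed client.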