With an understanding of how to retrieve data from the public CREST API endpoints, I want to get down the authentication side of things before I get into the fun stuff.

Third-party applications for EVE Online can now make use of the Single Sign On (SSO) user flow, allowing users to authenticate the application via the EVE login servers. This is great for web-based applications but causes a bit of hassle for non-web applications. I’ll try and explain. This is a successful use case for a third-party web application:

  1. The user goes to a third-party web application and clicks a “Sign in with EVE” button
  2. The user is directed to the EVE Login and logs in
  3. The user is shown what permissions the application requires and agrees
  4. The user is redirected back to the third-party web application with an authorization token in the URL
  5. The third-party web application grabs the token and exchanges it for an access token
  6. The third-party web application can now make authenticated requests on the user’s behalf

Now, most of these steps are similar for a non-web application except the nice bit at step 5, where the web application grabs the auth token discreetly from the URL. In order to get on with the challenge and not get bogged down in a nice solution for non-web, I’ve basically set up a PHP page that the SSO workflow uses as the redirect:


This page just echoes the authorization code (the value following ?code= in the URL) with the following PHP:

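// Escape the value before output: it is untrusted input from the query string
echo htmlspecialchars($_GET['code'] ?? '', ENT_QUOTES, 'UTF-8');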

The authorization code can now be copied and pasted by the user into the application, which will then exchange it for an access token. This is done with a simple HTTP POST like so:

_www = new WWW("https://login.eveonline.com/oauth/token", _data, _headers);

The _data member carries the authorization code received by the user, and the _headers member contains a Base64-encoded (not encrypted) application ID and secret key to validate the request for an access token.
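One way the _data and _headers arguments of the POST above can be built, as an added example rather than the post's own code. It assumes the standard OAuth 2.0 form body and an HTTP Basic Authorization header; the client ID and secret key are placeholders, and the character set and length limit for the pasted code are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;

public static class TokenRequest
{
    const string ClientId = "EXAMPLE_CLIENT_ID";   // placeholder, not a real ID
    const string SecretKey = "EXAMPLE_SECRET_KEY"; // placeholder, not a real key

    // Clean up the pasted authorization code. The allowed characters (URL
    // unreserved set) and the 512-character limit are assumptions.
    public static string CleanCode(string pasted)
    {
        string code = (pasted ?? "").Trim();
        bool ok = code.Length > 0 && code.Length <= 512 &&
                  code.All(c => (c < 128 && char.IsLetterOrDigit(c)) ||
                                c == '-' || c == '_' || c == '.' || c == '~');
        if (!ok) throw new ArgumentException("Pasted authorization code is malformed.");
        return code;
    }

    // Form-encoded POST body, usable as the _data argument.
    public static byte[] BuildData(string pasted)
    {
        string body = "grant_type=authorization_code&code=" +
                      Uri.EscapeDataString(CleanCode(pasted));
        return Encoding.UTF8.GetBytes(body);
    }

    // Request headers, usable as the _headers argument.
    public static Dictionary<string, string> BuildHeaders()
    {
        string basic = Convert.ToBase64String(
            Encoding.UTF8.GetBytes(ClientId + ":" + SecretKey));
        return new Dictionary<string, string>
        {
            { "Authorization", "Basic " + basic },
            { "Content-Type", "application/x-www-form-urlencoded" }
        };
    }

    public static void Main()
    {
        // Constructed sample paste with stray whitespace around the code.
        Console.WriteLine(Encoding.UTF8.GetString(BuildData("  abc123-DEF_456\n")));
        // Base64 is reversible: decoding the header yields the ID and secret.
        string b64 = BuildHeaders()["Authorization"].Substring("Basic ".Length);
        Console.WriteLine(Encoding.UTF8.GetString(Convert.FromBase64String(b64)));
    }
}
```

The second line printed is the ID and secret recovered from the header, so the request relies on HTTPS for confidentiality, and a secret key shipped inside a distributed client should be treated as recoverable.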
