William

Reputation: 976

How to do a non-interactive OAuth2 API call?

I have a WordPress cron script that calls an OAuth2 API at fixed intervals. The OAuth2 authorization needs a user to visit a web page and click the "Allow" button to authorize, which is impossible in a non-interactive environment. I would like to know the standard way to handle this. I wish I could just put the client_id and client_secret in the PHP script and be done. After all, both the user and the script developer are the same: me myself, and there should be no need to do the authorization.

Upvotes: 0

Views: 342

Answers (1)

Ron van der Heijden

Reputation: 15070

You can simulate the complete auth code flow with PKCE using file_get_contents, $http_response_header and stream_context_create.

The script would have steps like:

  1. build the authorization_url and do a GET request
  2. detect the redirect to a login page, grep the CSRF token from the HTML
  3. post username, password and CSRF token and detect the redirect URL to the authorize page
  4. parse the authorize page, grep the CSRF token if any and post to accept permissions
  5. detect the callback URL and take the code from the GET parameters
  6. post the code and other requirements to token_url and decode the received tokens

I have created a script like this for an OpenID Connect project, but it does not have login and authorize pages. You can find an example here: https://github.com/ronvanderheijden/openid-connect/blob/main/example/get_tokens

Upvotes: 1
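
A sketch of steps 1, 5 and 6 from the answer above, as an added example that is not taken from the answer or the linked repository: it generates the PKCE verifier and S256 challenge, checks `state` on the callback, and posts the code with the verifier using stream_context_create and file_get_contents. The endpoints, client id and redirect URI are placeholders, and the provider-specific login and consent pages (steps 2 to 4) are not shown.

```php
<?php
// Added example. Endpoints, client id and redirect URI are placeholders.
const AUTH_URL  = 'https://idp.example.test/authorize';
const TOKEN_URL = 'https://idp.example.test/token';
const CLIENT_ID = 'my-cron-client';
const REDIRECT  = 'https://site.example.test/callback';
function b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}
// Step 1: PKCE pair (RFC 7636, S256), state, and the authorization URL.
function start_flow(): array {
    $verifier  = b64url(random_bytes(32));                 // 43-char random verifier
    $challenge = b64url(hash('sha256', $verifier, true));  // sent instead of the verifier
    $state     = b64url(random_bytes(16));                 // binds callback to this run
    $url = AUTH_URL . '?' . http_build_query([
        'response_type' => 'code', 'client_id' => CLIENT_ID,
        'redirect_uri' => REDIRECT, 'state' => $state,
        'code_challenge' => $challenge, 'code_challenge_method' => 'S256',
    ]);
    return [$url, $verifier, $state];
}
// Step 5: take the code from the callback URL; reject a mismatched state.
function code_from_callback(string $callbackUrl, string $expectedState): string {
    parse_str((string) parse_url($callbackUrl, PHP_URL_QUERY), $q);
    $state = is_string($q['state'] ?? null) ? $q['state'] : '';
    if (!hash_equals($expectedState, $state)) throw new RuntimeException('state mismatch');
    if (!is_string($q['code'] ?? null)) throw new RuntimeException('no code in callback');
    return $q['code'];
}
// Step 6: POST code and verifier to the token endpoint, decode the JSON reply.
function exchange_code(string $code, string $verifier): array {
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\nAccept: application/json",
        'content' => http_build_query([
            'grant_type' => 'authorization_code', 'code' => $code,
            'redirect_uri' => REDIRECT, 'client_id' => CLIENT_ID, 'code_verifier' => $verifier,
        ]),
        'ignore_errors' => true, 'timeout' => 10,  // keep the body of 4xx replies
    ]]);
    $tokens = json_decode((string) file_get_contents(TOKEN_URL, false, $ctx), true);
    if (!is_array($tokens) || !isset($tokens['access_token'])) {
        throw new RuntimeException('token request failed: ' . ($http_response_header[0] ?? 'no response'));
    }
    return $tokens;
}
// Offline run with a constructed callback URL; exchange_code() needs a real endpoint.
[$url, $verifier, $state] = start_flow();
echo $url, "\n", code_from_callback(REDIRECT . "?code=constructed-code&state=$state", $state), "\n";
```

The verifier never leaves the script until the token request, so an authorization code captured from the redirect alone cannot be exchanged.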
