Implementing the SSO
The recommended flow for web applications where the client secret can be stored on a server is the Authorization Code Grant documented here.
For those who don't feel like reading the standard, the authentication is really just the series of HTTP requests and redirects described in this document.
Redirect to the SSO
When a user clicks the login button on your website you need to redirect the user to https://login.eveonline.com/oauth/authorize with the following query string parameters:
- response_type: Must be set to “code”.
- redirect_uri: After authentication the user will be redirected to this URL on your website. It must match the definition on file in the developers site.
- client_id: A string identifier for the client, provided by CCP.
- scope: The requested scopes as a space delimited string.
- state: An opaque value used by the client to maintain state between the request and the callback. The SSO includes this value when redirecting back to the third-party website. While not required, it is important to use this for security reasons: it lets your callback verify that the response belongs to a login attempt your site actually started. http://www.thread-safe.com/2014/05/the-correct-use-of-state-parameter-in.html explains why the state parameter is needed.
The user will need to log into their EVE Online account and select the character that your web site will be given access to. If the user is already logged in with an EVE Online account, they will just need to select a character and approve the required scopes.
The SSO will redirect the user back to the provided callback URL with an authorization code and the state as query string parameters.
- code: The authorization code.
- state: The state parameter that was sent in the original request to the SSO.
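The two halves of this flow, building the redirect and validating the callback, as an added example that is not part of this page or of any CCP library. The client id, redirect URI and scope value below are constructed placeholders; the only assumption about your web framework is that the generated state is stored in the user's session between the redirect and the callback.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://login.eveonline.com/oauth/authorize"


def new_state() -> str:
    """Generate an unguessable state value. Store it in the user's session
    before redirecting so the callback can be tied to this login attempt."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id: str, redirect_uri: str,
                        scopes: list, state: str) -> str:
    """Build the redirect target with the query parameters listed above.
    Scopes are joined into the space-delimited form the SSO expects."""
    params = {
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Validate the callback from the SSO and return the authorization code.
    A missing or mismatched state is rejected so a code injected by someone
    else cannot be bound to this user's session. Comparison is constant-time."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    code = query.get("code", [""])[0]
    if not expected_state or not secrets.compare_digest(
            state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback is not from this session")
    if not code:
        raise ValueError("callback did not include an authorization code")
    return code


if __name__ == "__main__":
    # Constructed placeholder values, not real credentials.
    st = new_state()
    print(build_authorize_url("CLIENT_ID_PLACEHOLDER",
                              "https://example.com/callback",
                              ["publicData"], st))
```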