OAuth2 Delphi DLL Reference Documentation

OAuth2

Current Version: 10.1.3

The Chilkat OAuth2 class enables desktop applications and scripts to implement the OAuth2 Authorization Code Flow for obtaining an initial access token.

The StartAuth method initiates the flow by generating a URL that should be opened in a browser. Simultaneously, it starts a background thread to listen for the redirect response. The LaunchBrowser method can be used to open the default browser with the generated URL.

The process is completed when the user grants or denies authorization, and the background thread captures the response, passing it to the application's main thread.

Note: This class is only used to obtain the initial OAuth2 access token. After that, the token can be refreshed for an extended period without requiring user interaction.

Create/Dispose

var
myObject: HCkOAuth2;

begin
myObject := CkOAuth2_Create();

// ...

CkOAuth2_Dispose(myObject);
end;
function CkOAuth2_Create: HCkOAuth2; stdcall;

Creates an instance of the HCkOAuth2 object and returns a handle (i.e. a Pointer). The handle is passed in the 1st argument for the functions listed on this page.

procedure CkOAuth2_Dispose(handle: HCkOAuth2); stdcall;

Objects created by calling CkOAuth2_Create must be freed by calling this method. A memory leak occurs if a handle is not disposed by calling this function.

Properties

AccessToken
procedure CkOAuth2_getAccessToken(objHandle: HCkOAuth2; outPropVal: HCkString); stdcall;
procedure CkOAuth2_putAccessToken(objHandle: HCkOAuth2; newPropVal: PWideChar); stdcall;
function CkOAuth2__accessToken(objHandle: HCkOAuth2): PWideChar; stdcall;
Introduced in version 9.5.0.59

Once the OAuth2 authorization code flow successfully completes in the background thread, this property holds the access_token from the access token response. For example, a Google API access token looks like this:

ya29.a0AfH6SMC2z8Q1Z2X3Y ... 8M9N0O1P2Q3R4S5T6U7V8W9X0Y1Z2

See the notes about PWideChar memory ownership and validity.

More Information and Examples
top
AccessTokenResponse
procedure CkOAuth2_getAccessTokenResponse(objHandle: HCkOAuth2; outPropVal: HCkString); stdcall;
function CkOAuth2__accessTokenResponse(objHandle: HCkOAuth2): PWideChar; stdcall;
Introduced in version 9.5.0.59

Once the OAuth2 authorization code flow successfully completes in the background thread, this property holds the access_token JSON. For instance, a successful X.com access token appears as follows:

{
  "token_type": "bearer",
  "expires_in": 7200,
  "access_token": "AAAAAAAAAAAAAAAAAAAAA...",
  "scope": "tweet.read tweet.write users.read offline.access",
  "refresh_token": "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
}
Explanation of the Fields
FieldDescription
token_typeThe type of token. Typically bearer.
expires_inThe lifetime of the access token in seconds (e.g., 7200 seconds = 2 hours).
access_tokenThe access token string used to authenticate API requests.
scopeThe permissions granted to the access token (e.g., read/write tweets).
refresh_token(Optional) A token used to obtain a new access token when the current one expires. Often only provided if the offline.access scope was requested.

Note: Not all responses are JSON. A successful Facebook response is plain text and looks like this:

access_token=EAAZALuOC1wAwBAKH6FKnxOkjfEP ... UBZBhYD5hSVBETBx6AZD&expires=5134653

See the notes about PWideChar memory ownership and validity.

More Information and Examples
top
AppCallbackUrl
procedure CkOAuth2_getAppCallbackUrl(objHandle: HCkOAuth2; outPropVal: HCkString); stdcall;
procedure CkOAuth2_putAppCallbackUrl(objHandle: HCkOAuth2; newPropVal: PWideChar); stdcall;
function CkOAuth2__appCallbackUrl(objHandle: HCkOAuth2): PWideChar; stdcall;
Introduced in version 9.5.0.73

This property should only be set if the OAuth2 provider does not allow localhost or loopback (127.0.0.1) redirect URLs, or requires "https://" redirect URLs.

The AppCallbackUrl is a URL that is an endpoint on your own web server that will act as an Intermediary to redirect back to localhost. For more information, see Using Your Web Server as an Intermediary for OAuth2 Redirect to localhost.

See the notes about PWideChar memory ownership and validity.

top
AuthFlowState
function CkOAuth2_getAuthFlowState(objHandle: HCkOAuth2): Integer; stdcall;
Introduced in version 9.5.0.59

Indicates the current stage of the OAuth2 authorization flow. Possible values:

  • 0: Idle. No OAuth2 flow has been initiated.
  • 1: Awaiting Redirect. The OAuth2 background thread is waiting for the browser's redirect HTTP request.
  • 2: Awaiting Final Response. The OAuth2 background thread is waiting for the final access token response.
  • 3: Success. The OAuth2 flow completed successfully. The background thread has exited, and the JSON response is available in the AccessTokenResponse property.
  • 4: Access Denied. The OAuth2 flow completed, but access was denied. The background thread has exited, and the error JSON is available in the AccessTokenResponse property.
  • 5: Failed. The OAuth2 flow failed before completion. The background thread has exited, and error details are available in the FailureInfo property.

top
AuthorizationEndpoint
procedure CkOAuth2_getAuthorizationEndpoint(objHandle: HCkOAuth2; outPropVal: HCkString); stdcall;
procedure CkOAuth2_putAuthorizationEndpoint(objHandle: HCkOAuth2; newPropVal: PWideChar); stdcall;
function CkOAuth2__authorizationEndpoint(objHandle: HCkOAuth2): PWideChar; stdcall;
Introduced in version 9.5.0.59

You'll need to know the authorization and token endpoints for your OAuth2 provider. Set this property to the authorization endpoint. Some providers have both sandbox and production endpoints. Here are some sample endpoints:

Platform Authorization Endpoint Token Endpoint
Google https://accounts.google.com/o/oauth2/v2/auth https://www.googleapis.com/oauth2/v4/token
Microsoft https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
X.com https://x.com/i/oauth2/authorize https://api.x.com/2/oauth2/token
Salesforce https://login.salesforce.com/services/oauth2/authorize https://login.salesforce.com/services/oauth2/token
QuickBooks https://appcenter.intuit.com/connect/oauth2 https://oauth.platform.intuit.com/oauth2/v1/tokens/bearer

See the notes about PWideChar memory ownership and validity.

top
ClientId
procedure CkOAuth2_getClientId(objHandle: HCkOAuth2; outPropVal: HCkString); stdcall;
procedure CkOAuth2_putClientId(objHandle: HCkOAuth2; newPropVal: PWideChar); stdcall;
function CkOAuth2__clientId(objHandle: HCkOAuth2): PWideChar; stdcall;
Introduced in version 9.5.0.59

Should be set to the Client ID assigned to your application when it is registered with an OAuth2 authorization server. It is used to identify the application making the authorization request.

See the notes about PWideChar memory ownership and validity.

More Information and Examples
top
ClientSecret
procedure CkOAuth2_getClientSecret(objHandle: HCkOAuth2; outPropVal: HCkString); stdcall;
procedure CkOAuth2_putClientSecret(objHandle: HCkOAuth2; newPropVal: PWideChar); stdcall;
function CkOAuth2__clientSecret(objHandle: HCkOAuth2): PWideChar; stdcall;
Introduced in version 9.5.0.59

Set this to the client secret assigned to an application when it is registered with an OAuth2 authorization server.

See the notes about PWideChar memory ownership and validity.

More Information and Examples
top
CodeChallenge
function CkOAuth2_getCodeChallenge(objHandle: HCkOAuth2): wordbool; stdcall;
procedure CkOAuth2_putCodeChallenge(objHandle: HCkOAuth2; newPropVal: wordbool); stdcall;
Introduced in version 9.5.0.59

Set this to True to enable PKCE (Proof Key for Code Exchange). The default value is False.

top
CodeChallengeMethod
procedure CkOAuth2_getCodeChallengeMethod(objHandle: HCkOAuth2; outPropVal: HCkString); stdcall;
procedure CkOAuth2_putCodeChallengeMethod(objHandle: HCkOAuth2; newPropVal: PWideChar); stdcall;
function CkOAuth2__codeChallengeMethod(objHandle: HCkOAuth2): PWideChar; stdcall;
Introduced in version 9.5.0.59

This selects the code challenge method for PKCE, and applies only when the CodeChallenge property is set to True. The available options are "plain" and "S256", with "S256" as the default.

See the notes about PWideChar memory ownership and validity.

top
DebugLogFilePath
procedure CkOAuth2_getDebugLogFilePath(objHandle: HCkOAuth2; outPropVal: HCkString); stdcall;
procedure CkOAuth2_putDebugLogFilePath(objHandle: HCkOAuth2; newPropVal: PWideChar); stdcall;
function CkOAuth2__debugLogFilePath(objHandle: HCkOAuth2): PWideChar; stdcall;

If set to a file path, this property logs the LastErrorText of each Chilkat method or property call to the specified file. This logging helps identify the context and history of Chilkat calls leading up to any crash or hang, aiding in debugging.

Enabling the VerboseLogging property provides more detailed information. This property is mainly used for debugging rare instances where a Chilkat method call causes a hang or crash, which should generally not happen.

Possible causes of hangs include:

  • A timeout property set to 0, indicating an infinite timeout.
  • A hang occurring within an event callback in the application code.
  • An internal bug in the Chilkat code causing the hang.

See the notes about PWideChar memory ownership and validity.

More Information and Examples
top
FailureInfo
procedure CkOAuth2_getFailureInfo(objHandle: HCkOAuth2; outPropVal: HCkString); stdcall;
function CkOAuth2__failureInfo(objHandle: HCkOAuth2): PWideChar; stdcall;
Introduced in version 9.5.0.59

If the OAuth2 authorization fails before completion (AuthFlowState = 5), this property will contain failure details. It is automatically cleared when OAuth2 authorization begins (when StartAuth is called).

See the notes about PWideChar memory ownership and validity.

top
IncludeNonce
function CkOAuth2_getIncludeNonce(objHandle: HCkOAuth2): wordbool; stdcall;
procedure CkOAuth2_putIncludeNonce(objHandle: HCkOAuth2; newPropVal: wordbool); stdcall;
Introduced in version 9.5.0.78

Optional. Set this to True to send a nonce with the authorization request. The length of the nonce is determined by the NonceLength property. The default value is False.

In OAuth, the nonce is a unique, random value included in the authorization request to prevent Replay Attacks:

  • The nonce ensures that an authorization request cannot be reused by an attacker.
  • It binds the authorization request to a specific instance, preventing malicious reuse.

More Information and Examples
top
LastErrorHtml
procedure CkOAuth2_getLastErrorHtml(objHandle: HCkOAuth2; outPropVal: HCkString); stdcall;
function CkOAuth2__lastErrorHtml(objHandle: HCkOAuth2): PWideChar; stdcall;

Provides HTML-formatted information about the last called method or property. If a method call fails or behaves unexpectedly, check this property for details. Note that information is available regardless of the method call's success.

See the notes about PWideChar memory ownership and validity.

top
LastErrorText
procedure CkOAuth2_getLastErrorText(objHandle: HCkOAuth2; outPropVal: HCkString); stdcall;
function CkOAuth2__lastErrorText(objHandle: HCkOAuth2): PWideChar; stdcall;

Provides plain text information about the last called method or property. If a method call fails or behaves unexpectedly, check this property for details. Note that information is available regardless of the method call's success.

See the notes about PWideChar memory ownership and validity.

top
LastErrorXml
procedure CkOAuth2_getLastErrorXml(objHandle: HCkOAuth2; outPropVal: HCkString); stdcall;
function CkOAuth2__lastErrorXml(objHandle: HCkOAuth2): PWideChar; stdcall;

Provides XML-formatted information about the last called method or property. If a method call fails or behaves unexpectedly, check this property for details. Note that information is available regardless of the method call's success.

See the notes about PWideChar memory ownership and validity.

top
LastMethodSuccess
function CkOAuth2_getLastMethodSuccess(objHandle: HCkOAuth2): wordbool; stdcall;
procedure CkOAuth2_putLastMethodSuccess(objHandle: HCkOAuth2; newPropVal: wordbool); stdcall;

Indicates the success or failure of the most recent method call: True means success, False means failure. This property remains unchanged by property setters or getters. This method is present to address challenges in checking for null or Nothing returns in certain programming languages.

top
ListenPort
function CkOAuth2_getListenPort(objHandle: HCkOAuth2): Integer; stdcall;
procedure CkOAuth2_putListenPort(objHandle: HCkOAuth2; newPropVal: Integer); stdcall;
Introduced in version 9.5.0.59

Set this to the port number to be used for receiving the redirect request from the local browser. Use a port in the range 1024 to 65535 to avoid conflicts with reserved system ports. Avoid well-known ports like 80, 443, 22, etc., as they are used by system services.

Note: The chosen port number determines the redirect URL defined for your app in the OAuth2 provider's developer portal. For example, if port 3017 is chosen, then your redirect URL should be http://localhost:3017/.

Note:

  • You must use http:, not https:. Because the browser and your application are running on the same machine, the redirect request is handled entirely within the operating system. It never leaves the machine, so it cannot be intercepted on the network.
  • The / terminating the redirect URL is critical and must be included. Do not omit it, otherwise the OAuth2 authorization will fail.
  • If the LocalHost property (see below) is set to 127.0.0.1, then the redirect URL defined for your App in the OAuth2 provider's developer portal should use 127.0.0.1 instead of localhost. For example: http://127.0.0.1:3017/

top
ListenPortRangeEnd
function CkOAuth2_getListenPortRangeEnd(objHandle: HCkOAuth2): Integer; stdcall;
procedure CkOAuth2_putListenPortRangeEnd(objHandle: HCkOAuth2; newPropVal: Integer); stdcall;
Introduced in version 9.5.0.69

This property allows for a range of listen port numbers to be used. If set to a non-zero value, then Chilkat will use an unused port in the range from ListenPort to ListenPortRangeEnd.

For example, if ListenPort=55110 and ListenPortRangeEnd=55117, then define the following redirect URL's for your app in the OAuth2 provider's developer portal:

  • http://localhost:55110/
  • http://localhost:55112/
  • http://localhost:55113/
  • http://localhost:55114/
  • http://localhost:55115/
  • http://localhost:55116/
  • http://localhost:55117/

top
ListenPortSelected
function CkOAuth2_getListenPortSelected(objHandle: HCkOAuth2): Integer; stdcall;
Introduced in version 9.5.0.94

This is a read-only property that gets set when the OAuth2 authorization flow completes. It contains the port number that was used when receiving the redirect callback.

top
LocalHost
procedure CkOAuth2_getLocalHost(objHandle: HCkOAuth2; outPropVal: HCkString); stdcall;
procedure CkOAuth2_putLocalHost(objHandle: HCkOAuth2; newPropVal: PWideChar); stdcall;
function CkOAuth2__localHost(objHandle: HCkOAuth2): PWideChar; stdcall;
Introduced in version 9.5.0.59

Chooses between http://localhost:{portNumber}/ or http://127.0.0.1:{portNumber}/ to be used for the redirect (callback) URL. The default value is localhost. An application can change this property to 127.0.0.1 if desired. See the X.com example linked below, which uses http://127.0.0.1:3017/.

See the notes about PWideChar memory ownership and validity.

top
NonceLength
function CkOAuth2_getNonceLength(objHandle: HCkOAuth2): Integer; stdcall;
procedure CkOAuth2_putNonceLength(objHandle: HCkOAuth2; newPropVal: Integer); stdcall;
Introduced in version 9.5.0.80

The nonce length, measured in bytes, is defined here. A nonce is included only when the IncludeNonce property is set to True. Since the nonce is a hexadecimal string, its character length is double its byte length. By default, the nonce is 4 bytes long.

top
Oob
function CkOAuth2_getOob(objHandle: HCkOAuth2): wordbool; stdcall;
procedure CkOAuth2_putOob(objHandle: HCkOAuth2; newPropVal: wordbool); stdcall;
Introduced in version 10.0.2

Set to True if the redirect URI is to be set to urn:ietf:wg:oauth:2.0:oob and the authorization code will be supplied manually and passed to ExchangeCodeForToken. The default value is False.

This is for the Out-of-Band) flow, which is a legacy flow where the authorization code is delivered to the client application through an out-of-band mechanism, such as manually copying and pasting the code, rather than being automatically redirected via a "redirect_uri". This flow was historically used for applications that couldn't securely handle redirects, such as native or mobile apps, but it has largely been deprecated in favor of more secure flows like PKCE (Proof Key for Code Exchange).

More Information and Examples
top
RedirectAllowHtml
procedure CkOAuth2_getRedirectAllowHtml(objHandle: HCkOAuth2; outPropVal: HCkString); stdcall;
procedure CkOAuth2_putRedirectAllowHtml(objHandle: HCkOAuth2; newPropVal: PWideChar); stdcall;
function CkOAuth2__redirectAllowHtml(objHandle: HCkOAuth2): PWideChar; stdcall;
Introduced in version 9.5.0.59

This property holds the HTML displayed in the browser when the end-user grants access. By default, it includes a META refresh directing to https://www.chilkatsoft.com/oauth2_allowed.html. Your application can modify this HTML to show any content when access is granted. You might want to change the refresh URL to a page on your company’s website or use simple HTML to display custom information without redirection.

The default value of this property is:

<html>
  <head><meta http-equiv='refresh' content='0;url=https://www.chilkatsoft.com/oauth2_allowed.html'></head>
  <body>Thank you for allowing access.</body>
</html>

See the notes about PWideChar memory ownership and validity.

top
RedirectDenyHtml
procedure CkOAuth2_getRedirectDenyHtml(objHandle: HCkOAuth2; outPropVal: HCkString); stdcall;
procedure CkOAuth2_putRedirectDenyHtml(objHandle: HCkOAuth2; newPropVal: PWideChar); stdcall;
function CkOAuth2__redirectDenyHtml(objHandle: HCkOAuth2): PWideChar; stdcall;
Introduced in version 9.5.0.59

This property holds the HTML displayed in the browser when the end-user denies access. By default, it includes a META refresh directing to https://www.chilkatsoft.com/oauth2_denied.html. Your application can modify this HTML to show any content when access is granted. You might want to change the refresh URL to a page on your company’s website or use simple HTML to display custom information without redirection.

The default value of this property is:

<html>
  <head><meta http-equiv='refresh' content='0;url=https://www.chilkatsoft.com/oauth2_denied.html'></head>
  <body>The app will not have access.</body>
  </html>

See the notes about PWideChar memory ownership and validity.

top
RedirectReqReceived
procedure CkOAuth2_getRedirectReqReceived(objHandle: HCkOAuth2; outPropVal: HCkString); stdcall;
function CkOAuth2__redirectReqReceived(objHandle: HCkOAuth2): PWideChar; stdcall;
Introduced in version 9.5.0.92

Contains the HTTP redirect request received from the local web browser. This is used for debugging.

Here is a sample:

GET /?state=lW6hdb-jSR2ntNCZ9NMzVozWaxuSpkaSLs8SZCDZsjI&code=NU1nbUN ...... FjOjE HTTP/1.1
Host: 127.0.0.1:3017
Connection: keep-alive
sec-ch-ua: "Not(A:Brand";v="99", "Microsoft Edge";v="133", "Chromium";v="133"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Edg/133.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9

See the notes about PWideChar memory ownership and validity.

top
RefreshToken
procedure CkOAuth2_getRefreshToken(objHandle: HCkOAuth2; outPropVal: HCkString); stdcall;
procedure CkOAuth2_putRefreshToken(objHandle: HCkOAuth2; newPropVal: PWideChar); stdcall;
function CkOAuth2__refreshToken(objHandle: HCkOAuth2): PWideChar; stdcall;
Introduced in version 9.5.0.59

Once the OAuth2 authorization code flow successfully completes in the background thread, this property holds the refresh_token from the access token response. For example, an X.com refresh token looks like this:

NmJjUC1aX2VDZnFzaE5ObFp ..... OjE3NDAxNzM0MTcyNjI6MTowOnJ0OjE

See the notes about PWideChar memory ownership and validity.

top
Resource
procedure CkOAuth2_getResource(objHandle: HCkOAuth2; outPropVal: HCkString); stdcall;
procedure CkOAuth2_putResource(objHandle: HCkOAuth2; newPropVal: PWideChar); stdcall;
function CkOAuth2__resource(objHandle: HCkOAuth2): PWideChar; stdcall;
Introduced in version 9.5.0.67

This optional setting specifies the resource query parameter. For instance, set it to https://graph.microsoft.com/ for Microsoft Graph API calls. It is also needed for Microsoft Dynamics CRM OAuth authentication.

See the notes about PWideChar memory ownership and validity.

More Information and Examples
top
ResponseMode
procedure CkOAuth2_getResponseMode(objHandle: HCkOAuth2; outPropVal: HCkString); stdcall;
procedure CkOAuth2_putResponseMode(objHandle: HCkOAuth2; newPropVal: PWideChar); stdcall;
function CkOAuth2__responseMode(objHandle: HCkOAuth2): PWideChar; stdcall;
Introduced in version 9.5.0.78

Can be set to form_post to include a response_mode=form_post in the authorization request. The default value is the empty string to omit the response_mode query param.

See the notes about PWideChar memory ownership and validity.

top
ResponseType
procedure CkOAuth2_getResponseType(objHandle: HCkOAuth2; outPropVal: HCkString); stdcall;
procedure CkOAuth2_putResponseType(objHandle: HCkOAuth2; newPropVal: PWideChar); stdcall;
function CkOAuth2__responseType(objHandle: HCkOAuth2): PWideChar; stdcall;
Introduced in version 9.5.0.78

The default value is code. Can be set to id_token+code for cases where response_type=id_token+code is required in the authorization request.

See the notes about PWideChar memory ownership and validity.

More Information and Examples
top
Scope
procedure CkOAuth2_getScope(objHandle: HCkOAuth2; outPropVal: HCkString); stdcall;
procedure CkOAuth2_putScope(objHandle: HCkOAuth2; newPropVal: PWideChar); stdcall;
function CkOAuth2__scope(objHandle: HCkOAuth2): PWideChar; stdcall;
Introduced in version 9.5.0.59

In OAuth2, scopes are permissions that specify what access level the client application is requesting for a user's resources. Scopes are included in the authorization request to ask for specific permissions. The user reviews and consents to these scopes before authorization.

Scopes are typically formatted with a SPACE char separating each requested scope. Here's an example for Google Drive:

openid email profile https://www.googleapis.com/auth/drive.readonly
  • "openid": Access to basic profile information.
  • "email": Access to the user’s email address.
  • "profile": Access to the user's profile information.
  • "drive.readonly": Read-only access to Google Drive files.

See the notes about PWideChar memory ownership and validity.

top
StateParam
procedure CkOAuth2_getStateParam(objHandle: HCkOAuth2; outPropVal: HCkString); stdcall;
procedure CkOAuth2_putStateParam(objHandle: HCkOAuth2; newPropVal: PWideChar); stdcall;
function CkOAuth2__stateParam(objHandle: HCkOAuth2): PWideChar; stdcall;
Introduced in version 9.5.0.94

Allows the application to explicitly set the state parameter to a value. Typically this property should remain unset, and Chilkat will automatically generate a random state. (The generated random state is not reflected in this property. In other words, you can't get the random state that was generated by reading this property.)

Note: The special string "{listenPort}" can be included in the value of this property. Chilkat will replace "{listenPort}" with the actual listen port used. This can be useful if your application is listening on range of ports and you want the state param to include the chosen port.

See the notes about PWideChar memory ownership and validity.

top
TokenEndpoint
procedure CkOAuth2_getTokenEndpoint(objHandle: HCkOAuth2; outPropVal: HCkString); stdcall;
procedure CkOAuth2_putTokenEndpoint(objHandle: HCkOAuth2; newPropVal: PWideChar); stdcall;
function CkOAuth2__tokenEndpoint(objHandle: HCkOAuth2): PWideChar; stdcall;
Introduced in version 9.5.0.59

You'll need to know the authorization and token endpoints for your OAuth2 provider. Set this property to the token endpoint. Some providers have both sandbox and production endpoints. Here are some sample endpoints:

Platform Authorization Endpoint Token Endpoint
Google https://accounts.google.com/o/oauth2/v2/auth https://www.googleapis.com/oauth2/v4/token
Microsoft https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
X.com https://x.com/i/oauth2/authorize https://api.x.com/2/oauth2/token
Salesforce https://login.salesforce.com/services/oauth2/authorize https://login.salesforce.com/services/oauth2/token
QuickBooks https://appcenter.intuit.com/connect/oauth2 https://oauth.platform.intuit.com/oauth2/v1/tokens/bearer

See the notes about PWideChar memory ownership and validity.

top
TokenType
procedure CkOAuth2_getTokenType(objHandle: HCkOAuth2; outPropVal: HCkString); stdcall;
procedure CkOAuth2_putTokenType(objHandle: HCkOAuth2; newPropVal: PWideChar); stdcall;
function CkOAuth2__tokenType(objHandle: HCkOAuth2): PWideChar; stdcall;
Introduced in version 9.5.0.59

Once the OAuth2 authorization code flow successfully completes in the background thread, this property holds the token_type from the AccessTokenResponse.

See the notes about PWideChar memory ownership and validity.

top
UncommonOptions
procedure CkOAuth2_getUncommonOptions(objHandle: HCkOAuth2; outPropVal: HCkString); stdcall;
procedure CkOAuth2_putUncommonOptions(objHandle: HCkOAuth2; newPropVal: PWideChar); stdcall;
function CkOAuth2__uncommonOptions(objHandle: HCkOAuth2): PWideChar; stdcall;
Introduced in version 9.5.0.85

This is a catch-all property to be used for uncommon needs. This property defaults to the empty string, and should typically remain empty.

Can be set to a list of the following comma separated keywords:

  • NO_OAUTH2_SCOPE - Do not includethe "scope" parameter when exchanging the authorization code for an access token.
  • ExchangeCodeForTokenUsingJson - Introduced in v9.5.0.98. Use an HTTP POST with JSON request body for the final exchange-code-for-token HTTP request in the authorization code flow.
  • RefreshTokenUsingJson - Introduced in v9.5.0.98. Use an HTTP POST with JSON request body for the token refresh HTTP request.

See the notes about PWideChar memory ownership and validity.

top
UseBasicAuth
function CkOAuth2_getUseBasicAuth(objHandle: HCkOAuth2): wordbool; stdcall;
procedure CkOAuth2_putUseBasicAuth(objHandle: HCkOAuth2; newPropVal: wordbool); stdcall;
Introduced in version 9.5.0.73

When set to True, the internal POST request that exchanges the code for an access token will include the client_id/client_secret in an Authorization Basic ... header, using the client_id as the login and the client_secret as the password. By default, this setting is False, meaning the client_id/client_secret are sent as query parameters.

More Information and Examples
top
VerboseLogging
function CkOAuth2_getVerboseLogging(objHandle: HCkOAuth2): wordbool; stdcall;
procedure CkOAuth2_putVerboseLogging(objHandle: HCkOAuth2; newPropVal: wordbool); stdcall;

If set to True, then the contents of LastErrorText (or LastErrorXml, or LastErrorHtml) may contain more verbose information. The default value is False. Verbose logging should only be used for debugging. The potentially large quantity of logged information may adversely affect peformance.

top
Version
procedure CkOAuth2_getVersion(objHandle: HCkOAuth2; outPropVal: HCkString); stdcall;
function CkOAuth2__version(objHandle: HCkOAuth2): PWideChar; stdcall;

Version of the component/library, such as "10.1.0"

See the notes about PWideChar memory ownership and validity.

More Information and Examples
top

Methods

AddAuthQueryParam
function CkOAuth2_AddAuthQueryParam(objHandle: HCkOAuth2;
    name: PWideChar;
    value: PWideChar): wordbool; stdcall;
Introduced in version 9.5.0.85

Adds a custom query parameter (name=value) to the URL returned by the StartAuth method. This accommodates OAuth installations requiring custom query parameters. You can call this method multiple times, adding one query parameter per call.

Returns True for success, False for failure.

top
AddRefreshQueryParam
function CkOAuth2_AddRefreshQueryParam(objHandle: HCkOAuth2;
    name: PWideChar;
    value: PWideChar): wordbool; stdcall;
Introduced in version 9.5.0.97

Adds a query parameter (name=value) to the HTTP request sent by the RefreshAccessToken method. You can call this method multiple times to add more query parameters.

Returns True for success, False for failure.

top
AddTokenQueryParam
function CkOAuth2_AddTokenQueryParam(objHandle: HCkOAuth2;
    name: PWideChar;
    value: PWideChar): wordbool; stdcall;
Introduced in version 9.5.0.85

Adds a custom query parameter (name=value) to the internal request used to exchange the authorization code for a token, accommodating OAuth setups that require non-standard parameters. This method can be called multiple times to add multiple query parameters.

Returns True for success, False for failure.

top
Cancel
function CkOAuth2_Cancel(objHandle: HCkOAuth2): wordbool; stdcall;
Introduced in version 9.5.0.59

Stops an ongoing OAuth2 authorization flow.

Returns True for success, False for failure.

top
ExchangeCodeForToken
function CkOAuth2_ExchangeCodeForToken(objHandle: HCkOAuth2;
    code: PWideChar): wordbool; stdcall;
Introduced in version 10.0.2

This method is specifically for the OOB (Out-of-Band) authorization flow, where you manually obtain and pass the authorization code to complete the OAuth2 process.

Returns True for success, False for failure.

More Information and Examples
top
ExchangeCodeForTokenAsync (1)
function CkOAuth2_ExchangeCodeForTokenAsync(objHandle: HCkOAuth2;
    code: PWideChar): HCkTask; stdcall;
Introduced in version 10.0.2

Creates an asynchronous task to call the ExchangeCodeForToken method with the arguments provided.

Note: Async method event callbacks happen in the background thread. Accessing and updating UI elements existing in the main thread may require special considerations.

Returns nil on failure

top
GetAccessTokenResponseSb
function CkOAuth2_GetAccessTokenResponseSb(objHandle: HCkOAuth2;
    sb: HCkStringBuilder): wordbool; stdcall;
Introduced in version 10.1.0

Same as the AccessTokenResponse property, but returns the JSON in the sb.

Returns True for success, False for failure.

top
GetRedirectRequestParam
function CkOAuth2_GetRedirectRequestParam(objHandle: HCkOAuth2;
    paramName: PWideChar;
    outStr: HCkString): wordbool; stdcall;
function CkOAuth2__getRedirectRequestParam(objHandle: HCkOAuth2;
    paramName: PWideChar): PWideChar; stdcall;
Introduced in version 9.5.0.69

Some OAuth2 providers can provide additional parameters in the redirect request sent to the local listener (i.e. the Chilkat background thread). One such case is for QuickBooks, It contains a realmId parameter such as the following:

http://localhost:55568/?state=xxxxxxxxxxxx&code=xxxxxxxxxxxx&realmId=1234567890

After the OAuth2 authentication is completed, an application can call this method to get any of the parameter values. For example, to get the realmId value, pass "realmId" in paramName.

See the code snippet at the very bottom of the example linked below.

Returns True for success, False for failure.

See the notes about PWideChar memory ownership and validity.

More Information and Examples
top
LaunchBrowser
function CkOAuth2_LaunchBrowser(objHandle: HCkOAuth2;
    url: PWideChar): wordbool; stdcall;
Introduced in version 10.0.2

Launches the default browser and navigated to url. If a browser window is already open, the page will be displayed in a new tab. This works on Windows, MacOS, and Linux.

Returns True for success, False for failure.

top
LoadTaskCaller
function CkOAuth2_LoadTaskCaller(objHandle: HCkOAuth2;
    task: HCkTask): wordbool; stdcall;
Introduced in version 9.5.0.80

Loads the caller of the task's async method.

Returns True for success, False for failure.

top
Monitor
function CkOAuth2_Monitor(objHandle: HCkOAuth2): wordbool; stdcall;
Introduced in version 9.5.0.59
This method is deprecated. It will be removed in a future version.

This deprecated method observes an ongoing OAuth2 authorization flow and returns when it completes. It will be removed in a future major release. Instead of using this method, regularly check if the AuthFlowState property is greater than or equal to 3. If there's no browser response, cancel the waiting background thread by calling the Cancel method.

Returns True for success, False for failure.

top
MonitorAsync (1)
function CkOAuth2_MonitorAsync(objHandle: HCkOAuth2): HCkTask; stdcall;
Introduced in version 9.5.0.59
This method is deprecated. It will be removed in a future version.

Creates an asynchronous task to call the Monitor method with the arguments provided.

Note: Async method event callbacks happen in the background thread. Accessing and updating UI elements existing in the main thread may require special considerations.

Returns nil on failure

top
RefreshAccessToken
function CkOAuth2_RefreshAccessToken(objHandle: HCkOAuth2): wordbool; stdcall;
Introduced in version 9.5.0.59

To obtain a new access token, this method sends a refresh token request to the token endpoint. Upon success, it updates the AccessToken and RefreshToken properties with new values. Note: This method requires valid values for the ClientId, ClientSecret, RefreshToken, and TokenEndpoint properties.

For a deeper understanding, see OAuth2 Refresh Token Request Explained

Returns True for success, False for failure.

top
RefreshAccessTokenAsync (1)
function CkOAuth2_RefreshAccessTokenAsync(objHandle: HCkOAuth2): HCkTask; stdcall;
Introduced in version 9.5.0.59

Creates an asynchronous task to call the RefreshAccessToken method with the arguments provided.

Note: Async method event callbacks happen in the background thread. Accessing and updating UI elements existing in the main thread may require special considerations.

Returns nil on failure

top
SetRefreshHeader
function CkOAuth2_SetRefreshHeader(objHandle: HCkOAuth2;
    name: PWideChar;
    value: PWideChar): wordbool; stdcall;
Introduced in version 9.5.0.77

Allows you to add HTTP request headers to the HTTP request sent by the RefreshAccessToken method. For instance, to include the "Accept: application/json" header, use this method with name as "Accept" and value as "application/json". To add multiple headers, call this method separately for each header. To remove a header, set name to the header name and value to an empty string.

Returns True for success, False for failure.

More Information and Examples
top
SleepMs
procedure CkOAuth2_SleepMs(objHandle: HCkOAuth2;
    millisec: Integer) stdcall;
Introduced in version 9.5.0.59

Convenience method to force the calling thread to sleep for a number of milliseconds.

top
StartAuth
function CkOAuth2_StartAuth(objHandle: HCkOAuth2;
    outStr: HCkString): wordbool; stdcall;
function CkOAuth2__startAuth(objHandle: HCkOAuth2): PWideChar; stdcall;
Introduced in version 9.5.0.59

This method initiates the OAuth2 authorization code flow. Set the following properties before calling this method: ClientId, ClientSecret, ListenPort, Scope, AuthorizationEndpoint, and TokenEndpoint. Note that ClientSecret may not be required if the OAuth2 provider supports Proof Key for Code Exchange (PKCE). This method performs two actions:

  1. It generates and returns a URL to be opened in a browser.
  2. It launches a background thread that listens on the specified ListenPort for the browser's redirect request. The entire process of handling this request and completing the OAuth2 authorization flow is managed in the background thread within Chilkat.

The method's return value is the URL to open in a browser.

Returns True for success, False for failure.

See the notes about PWideChar memory ownership and validity.

top
UseConnection
function CkOAuth2_UseConnection(objHandle: HCkOAuth2;
    sock: HCkSocket): wordbool; stdcall;
Introduced in version 9.5.0.59

Calling this method is optional and only necessary if you need to use a proxy (HTTP or SOCKS), an SSH tunnel, or specific socket options for the connection. If you do not use this method, the connection to the token endpoint will be a direct one using TLS. The method assigns the socket object for sending requests to the token endpoint in the background thread. You can pass either a connected or unconnected socket as sock. For SSH tunnels, sock must already be connected, whereas for setting options like HTTP or SOCKS proxies, an unconnected sock is sufficient.

Returns True for success, False for failure.

top

Events

AbortCheck
function MyAbortCheck(): Integer; cdecl;
Introduced in version 9.5.0.82

Provides the opportunity for a method call to be aborted. The AbortCheck event is fired periodically based on the value of the HeartbeatMs property. If HeartbeatMs is 0, then no AbortCheck events will fire. As an example, to fire 5 AbortCheck events per second, set the HeartbeatMs property equal to 200. Return True to abort; return False to continue (not abort)

More Information and Examples
top
PercentDone
function MyPercentDone(pctDone: Integer): Integer; cdecl;
Introduced in version 9.5.0.82

Provides the percentage completed for any method that involves network communications or time-consuming processing (assuming it is a method where a percentage completion can be measured). This event is only fired when it is possible to know a percentage completion, and when it makes sense to express the operation as a percentage completed. The pctDone argument will have a value from 1 to 100. For operations (Chilkat method calls) that complete very quickly, the number of PercentDone callbacks will vary, but the final callback should have a value of 100. For long running operations, no more than one callback per percentage point will occur (for example: 1, 2, 3, ... 98, 99, 100).

The PercentDone callback counts as an AbortCheck event. For method calls that complete quickly such that PercentDone events fire, it may be that AbortCheck events don't fire because the opportunity to abort is already provided in the PercentDone callback. For time consuming operations, where the amount of time between PercentDone callbacks are long, AbortCheck callbacks may be used to allow for the operation to be aborted in a more responsive manner.

Return True to abort; return False to continue (not abort)

More Information and Examples
top
ProgressInfo
procedure MyProgressInfo(name: PWideChar; value: PWideChar) cdecl;
Introduced in version 9.5.0.82

A general name/value event that provides information about what is happening during a method call. To find out what information is available, write code to handle this event and log the name/value pairs. Most are self-explanatory.

More Information and Examples
top
TaskCompleted
procedure MyTaskCompleted(task: HCkTask) cdecl;
Introduced in version 9.5.0.82

Called in the background thread when an asynchronous task completes.

top