The following will give a rough overview of how to set up OAuth 2.0 with Shortcuts. There are basically three components to be set up, which are detailed further under the relevant headings:
Foursquare - Registering your “app” with Foursquare to obtain a Client ID and a Client Secret.
Server - Configuring your own server to redirect from a web URL to the Shortcuts app.
Shortcut - Set up your Shortcut to perform the authentication.
Foursquare
You will first need to create an Application with Foursquare to get your Client ID and Client Secret. Detailed information is available on the Foursquare Developer Website, but in simple terms you need to:
Select Disable pushes to this app for Push API Notifications.
Once you have created your app you will be given a Client ID and Client Secret which you can put in your Shortcut.
If you want further information about how the OAuth authentication works with Foursquare, refer to the Foursquare - Authentication Docs.
Server
The following file needs to be created on a server that supports PHP. Most servers support PHP by default or should have instructions for setting it up.
Line 1: Get the shortcut parameter from the URL (in my example my shortcut name is called Bumblebee). If there is no shortcut parameter provided, default to the shortcut name OAuth 2.0.
Line 2: Get the code parameter from the URL. This code is passed by the Foursquare API when it has authenticated you.
Line 4: Set the Location header to the Shortcut’s URL scheme. This basically causes a redirect back to your Shortcut. In my example this would redirect to shortcuts://run-shortcut?name=Bumblebee&input=text&text={Code Returned From Foursquare API}
Line 5: Stop anything else from happening.
This will be called by the Foursquare API when returning the OAuth 2.0 token. In my example the URL https://swarm.frenchesco.com/redirect.php?shortcut=Bumblebee is passed as the redirect_uri in the access request (see Shortcut section below).
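A hardened form of the redirect handler described above, as an added example that is not the original post's script: it only launches shortcuts on an allow-list and percent-encodes both values, so a crafted `shortcut` or `code` parameter cannot add fields to the `shortcuts://` URL. The allow-list contents, the accepted character set for `code`, and the function name `build_shortcut_redirect` are assumptions.

```php
<?php
// Added example, not the original post's redirect.php.
// Assumption: only these shortcuts may ever be launched by this endpoint.
const ALLOWED_SHORTCUTS = ['Bumblebee', 'OAuth 2.0'];

// Hypothetical helper: returns the shortcuts:// URL, or null if the request
// should be rejected instead of redirected.
function build_shortcut_redirect(array $query): ?string
{
    $shortcut = $query['shortcut'] ?? 'OAuth 2.0'; // same default as the post
    $code     = $query['code'] ?? '';

    // ?shortcut[]=x arrives as an array; reject anything that is not a
    // string on the allow-list.
    if (!is_string($shortcut) || !in_array($shortcut, ALLOWED_SHORTCUTS, true)) {
        return null;
    }

    // Authorization codes are opaque tokens. The character set and length
    // limit here are a conservative assumption; widen them if your provider
    // issues codes with other characters.
    if (!is_string($code) || !preg_match('/\A[A-Za-z0-9._~-]{1,512}\z/', $code)) {
        return null;
    }

    // rawurlencode() turns the space in "OAuth 2.0" into %20 and ensures
    // '&' or '=' in a value cannot add or override URL-scheme parameters.
    return 'shortcuts://run-shortcut?name=' . rawurlencode($shortcut)
         . '&input=text&text=' . rawurlencode($code);
}

$target = build_shortcut_redirect($_GET);

if ($target === null) {
    // Also covers the case where the provider returns an error and no code.
    http_response_code(400);
    header('Content-Type: text/plain; charset=utf-8');
    exit('Invalid request');
}

// The request URL carries the authorization code: keep it out of caches
// and out of Referer headers.
header('Cache-Control: no-store');
header('Referrer-Policy: no-referrer');
header('Location: ' . $target, true, 302);
exit;
```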
Just wanted to note a typo that might help others that held me up.
In the PHP script, “shortcut://run” should be “shortcuts://run”.
This has been helpful as I attempt to make a Yahoo Fantasy sports shortcut connecting to Yahoo’s OAuth.
Thanks. Sorry about the typo. I originally was using workflow://run-workflow but updated it for Shortcuts to be more relevant going forward, but I should have tested it as I made that typo. I have updated the original post with the correct URL scheme for other people coming here.
I’m not too sure what you’re trying to achieve by using application/x-www-form-urlencoded. I don’t think it would offer any additional security. Your best option at this stage is probably to just store the Client ID and Client Secret in a file stored in iCloud and make sure that the API you are calling is using HTTPS.
If you’re only worried about people seeing your Client ID and Secret when you have the shortcut open then you could Base64-encode it and then Base64-decode it when you need to use it, but it wouldn’t provide any extra security.
Thanks Marc! I am using Shortcuts with OAuth to integrate with Mailchimp, allowing a user of the shortcut to get access with their username and password, authenticating with that rather than creating an API key, and I was able to set up the PHP server redirect, but I am stuck on making an “out of band” POST request in curl with the auth code to then obtain the auth token. Any ideas about resources for whether this part (using MC rather than Foursquare) should be either server side (with which I have much less experience but may be necessary in order to include client secret) or as a RESTful request in Shortcuts would be great. Thanks!
You need to specify the URL to your PHP file as the redirect_uri parameter. In Shortcuts you need to replicate that curl request with a Get Contents of URL action with method POST, and (I think) Request Body as Form and each of those parameters (grant_type, client_id, client_secret, redirect_uri, code) as fields.
After authenticating with Mailchimp, Mailchimp will redirect to your redirect_uri (your PHP code), which in turn will translate that return URL to a URL scheme to launch your shortcut again with the response as the shortcut input. Your shortcut will need to be able to process that shortcut input and store that response to iCloud, for example, so you don’t have to authenticate each time you run your shortcut. On subsequent runs of your Shortcut you read the response that you stored in iCloud first and only authenticate if you don’t have a response already stored.
Refer to my Bumblebee Shortcut as an example as it has a pretty similar authentication flow.