Is it possible to use OAuth 2.0 without a redirect server?

Question

I\'m trying to create a local Java-based client that interacts with the SurveyMonkey API.

SurveyMonkey requires a long-lived access token using OAuth 2.0, which I\'m

Answer 1

Not exactly, the whole point of the OAuth flow is that the user (the client you're accessing the data on behalf of) needs to give you permission to access their data.

See the authentication instructions. You need to send the user to the OAuth authorize page:

https://api.surveymonkey.net/oauth/authorize?api_key&client_id=&response_type=code&redirect_uri=

This will show a page to the user telling them which parts of their account you are requesting access to (ex. see their surveys, see their responses, etc). Once the user approves that by clicking "Authorize" on that page, SurveyMonkey will automatically go to whatever you set as your redirect URI (make sure the one from the url above matches with what you set in the settings for your app) with the code.

So if your redirect URL was https://example.com/surveymonkey/oauth, SurveyMonkey will redirect the user to that URL with a code:

https://example.com/surveymonkey/oauth?code=

You need to take that code and then exchange it for an access token by doing a POST request to https://api.surveymonkey.net/oauth/token?api_key= with the following post params:

client_secret=
code=
redirect_uri=
grant_type=authorization_code

This will return an access token, you can then use that access token to access data on the user's account. You don't give the access token to the user it's for you to use to access the user's account. No need for polling or anything.

If you're just accessing your own account, you can use the access token provided in the settings page of your app. Otherwise there's no way to get an access token for a user without setting up your own redirect server (unless all the users are in the same group as you, i.e. multiple users under the same account; but I won't get into that). SurveyMonkey needs a place to send you the code once the user authorizes, you can't just request one.