OAuth Integration

Byg sikre integrationer med Shoporama API ved hjælp af OAuth 2.0

Hvad er OAuth?

OAuth gør det muligt for eksterne applikationer at få sikker adgang til Shoporama API'et på vegne af dine brugere, uden at de skal dele deres login-oplysninger.

Safe and secure

Ingen deling af passwords. Brugerne logger ind direkte hos Shoporama

Nem integration

Standard OAuth 2.0 flow som du kender fra andre tjenester

Fleksibel

Vælg præcist hvilke rettigheder din app skal have

OAuth Flow - Trin for trin

1

Send bruger til Shoporama

Your app sends the user to Shoporama's OAuth endpoint

https://www.shoporama.dk/admin/oauth/login?
  client_id=Din_App_Navn
  redirect_uri=https://example.com/callback
  state=unik_session_id

2

User logs in

The user logs in with their Shoporama credentials and selects:

Which shop to give access to
Access level (read, write or full access)

3

Receive API token

After authentication, the user is sent back to your app with the token:

https://example.com/callback?
  token=6b3dd0624ca600c5bbbb...
  shop_url=demo.shoporama.dk
  shop_name=Demo Shop
  api_endpoint=https://www.shoporama.dk/REST
  webshop_id=1
  access_level=all
  state=unik_session_id

4

Use the API

Use the token to call the Shoporama API:

curl -H "Authorization: 6b3dd0624ca600c5bbbb..." \
     https://www.shoporama.dk/REST/product

Klar til at komme i gang?

Start by testing the OAuth flow or read more about the API

Test OAuth Flow Read API Documentation

Komplette Implementeringseksempler

Fuld OAuth flow implementation - klar til copy/paste

Vanilla PHP Implementation

Ren PHP uden frameworks - en enkelt fil der håndterer hele OAuth flowet

<?php
// oauth.php - Gem denne fil på din server
session_start();

// Konfiguration - RET DISSE VÆRDIER
$CLIENT_ID = "Dit App Navn";
$REDIRECT_URI = "https://din-side.dk/oauth.php";
$OAUTH_URL = "https://www.shoporama.dk/admin/oauth/login";

// Start OAuth
if (isset($_GET["login"])) {
    $_SESSION["state"] = bin2hex(random_bytes(16));
    $url = $OAUTH_URL . "?" . http_build_query([
        "client_id" => $CLIENT_ID,
        "redirect_uri" => $REDIRECT_URI,
        "state" => $_SESSION["state"]
    ]);
    header("Location: $url");
    exit;
}

// Modtag token
if (isset($_GET["token"]) && $_GET["state"] === $_SESSION["state"]) {
    $_SESSION["token"] = $_GET["token"];
    $_SESSION["api_url"] = $_GET["api_endpoint"];
    echo "Success! Token gemt.";
    echo "
Test API";
    exit;
}

// Test API
if (isset($_GET["test"]) && isset($_SESSION["token"])) {
    $ch = curl_init($_SESSION["api_url"] . "/product?limit=1");
    curl_setopt($ch, CURLOPT_HTTPHEADER, ["Authorization: " . $_SESSION["token"]]);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $result = curl_exec($ch);
    echo "" . htmlspecialchars($result) . "";
    exit;
}

// Start side
echo "Login med Shoporama";
?>

Sådan bruger du det:

Kopier koden til en fil kaldet oauth.php
Ret $CLIENT_ID og $REDIRECT_URI
Upload filen til din server
Besøg siden og klik "Login med Shoporama"

Laravel Implementation

OAuth implementation med Laravel framework - professionel og skalerbar løsning

<?php
// routes/web.php
use App\Http\Controllers\OAuthController;

Route::get("/oauth/start", [OAuthController::class, "start"])->name("oauth.start");
Route::get("/oauth/callback", [OAuthController::class, "callback"])->name("oauth.callback");
Route::get("/api/products", [OAuthController::class, "getProducts"])->middleware("auth.oauth");

// app/Http/Controllers/OAuthController.php
namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Http;
use Illuminate\Support\Str;

class OAuthController extends Controller
{
    private $config;
    
    public function __construct()
    {
        $this->config = [
            "client_id" => config("services.shoporama.client_id", "Min Laravel App"),
            "redirect_uri" => route("oauth.callback"),
            "oauth_endpoint" => "https://www.shoporama.dk/admin/oauth/login"
        ];
    }
    
    public function start(Request $request)
    {
        // Generer state for CSRF beskyttelse
        $state = Str::random(40);
        $request->session()->put("oauth_state", $state);
        
        // Byg OAuth URL
        $params = [
            "client_id" => $this->config["client_id"],
            "redirect_uri" => $this->config["redirect_uri"],
            "state" => $state
        ];
        
        $authUrl = $this->config["oauth_endpoint"] . "?" . http_build_query($params);
        
        return redirect($authUrl);
    }
    
    public function callback(Request $request)
    {
        // Håndter fejl
        if ($request->has("error")) {
            return redirect()->route("login")->with("error", 
                "OAuth fejl: " . $request->get("error_description", "Ukendt fejl")
            );
        }
        
        // Verificer state
        if ($request->get("state") !== $request->session()->get("oauth_state")) {
            return redirect()->route("login")->with("error", "Ugyldig state parameter");
        }
        
        // Gem token data
        $tokenData = [
            "token" => $request->get("token"),
            "shop_url" => $request->get("shop_url"),
            "shop_name" => $request->get("shop_name"),
            "api_endpoint" => $request->get("api_endpoint"),
            "webshop_id" => $request->get("webshop_id"),
            "access_level" => $request->get("access_level"),
            "granted_at" => now()
        ];
        
        // Gem i database
        auth()->user()->update([
            "shoporama_token" => encrypt(json_encode($tokenData))
        ]);
        
        // Ryd state
        $request->session()->forget("oauth_state");
        
        return redirect()->route("dashboard")->with("success", 
            "Forbundet til " . $tokenData["shop_name"]
        );
    }
    
    public function getProducts(Request $request)
    {
        $user = auth()->user();
        
        if (!$user->shoporama_token) {
            return response()->json(["error" => "Not authenticated"], 401);
        }
        
        $tokenData = json_decode(decrypt($user->shoporama_token), true);
        
        $response = Http::withHeaders([
            "Authorization" => $tokenData["token"],
            "Accept" => "application/json"
        ])->get($tokenData["api_endpoint"] . "/product", [
            "limit" => 10
        ]);
        
        if ($response->successful()) {
            return response()->json($response->json());
        }
        
        return response()->json(["error" => "API request failed"], $response->status());
    }
}
?>

Laravel Features:

Bruger Laravel's built-in session og encryption
Tokens gemmes krypteret i databasen
Middleware for at beskytte routes
Konfiguration via .env fil
HTTP client med fejlhåndtering

Frontend JavaScript Implementation

En komplet HTML side med JavaScript OAuth flow - ingen server kode nødvendig

<!DOCTYPE html>
<html>
<head>
    <title>Shoporama OAuth Demo</title>
</head>
<body>
    <div id="app">
        <button onclick="startOAuth()">Login med Shoporama</button>
        <div id="result"></div>
    </div>

    <script>
    // Konfiguration - RET DISSE
    const CLIENT_ID = "Dit App Navn";
    const REDIRECT_URI = window.location.origin + window.location.pathname;
    const OAUTH_URL = "https://www.shoporama.dk/admin/oauth/login";
    
    // Start OAuth
    function startOAuth() {
        const state = Math.random().toString(36).substring(7);
        sessionStorage.setItem("oauth_state", state);
        
        const params = new URLSearchParams({
            client_id: CLIENT_ID,
            redirect_uri: REDIRECT_URI,
            state: state
        });
        
        window.location.href = `${OAUTH_URL}?${params}`;
    }
    
    // Check for OAuth callback
    const urlParams = new URLSearchParams(window.location.search);
    if (urlParams.get("token")) {
        const state = urlParams.get("state");
        const savedState = sessionStorage.getItem("oauth_state");
        
        if (state === savedState) {
            // Gem token data
            const tokenData = {
                token: urlParams.get("token"),
                api_endpoint: urlParams.get("api_endpoint"),
                shop_name: urlParams.get("shop_name")
            };
            
            localStorage.setItem("shoporama_oauth", JSON.stringify(tokenData));
            sessionStorage.removeItem("oauth_state");
            
            // Vis success
            document.getElementById("result").innerHTML = `
                <h2>Success!</h2>
                <p>Logget ind på: ${tokenData.shop_name}</p>
                <button onclick="testAPI()">Test API</button>
            `;
            
            // Ryd URL
            window.history.replaceState({}, document.title, window.location.pathname);
        }
    }
    
    // Test API
    async function testAPI() {
        const data = JSON.parse(localStorage.getItem("shoporama_oauth"));
        if (!data) return alert("Ikke logget ind");
        
        try {
            const response = await fetch(data.api_endpoint + "/product?limit=1", {
                headers: { "Authorization": data.token }
            });
            const products = await response.json();
            document.getElementById("result").innerHTML += 
                "<pre>" + JSON.stringify(products, null, 2) + "</pre>";
        } catch (error) {
            alert("API fejl: " + error.message);
        }
    }
    </script>
</body>
</html>

Bemærk om CORS:

Frontend JavaScript kan opleve CORS problemer ved API kald. For produktion anbefales en backend proxy eller officielle CORS headers fra Shoporama.

Node.js/Express Implementation

Server-side JavaScript implementation med Express.js

const express = require('express');
const session = require('express-session');
const crypto = require('crypto');
const app = express();

// Session setup
app.use(session({
    secret: 'your-secret-key',
    resave: false,
    saveUninitialized: true
}));

// OAuth konfiguration
const OAUTH_CONFIG = {
    client_id: 'Min Shoporama App',
    redirect_uri: 'https://example.com/oauth/callback',
    oauth_endpoint: 'https://www.shoporama.dk/admin/oauth/login'
};

// Start OAuth flow
app.get('/oauth/start', (req, res) => {
    // Generer state til CSRF beskyttelse
    const state = crypto.randomBytes(16).toString('hex');
    req.session.oauth_state = state;
    
    // Byg OAuth URL
    const params = new URLSearchParams({
        client_id: OAUTH_CONFIG.client_id,
        redirect_uri: OAUTH_CONFIG.redirect_uri,
        state: state
    });
    
    const authUrl = `${OAUTH_CONFIG.oauth_endpoint}?${params}`;
    res.redirect(authUrl);
});

// OAuth callback handler
app.get('/oauth/callback', (req, res) => {
    const { token, state, error, error_description } = req.query;
    
    // Håndter fejl
    if (error) {
        console.error('OAuth Error:', error, error_description);
        return res.status(400).json({
            error: error,
            description: error_description
        });
    }
    
    // Verificer state
    if (state !== req.session.oauth_state) {
        return res.status(400).json({
            error: 'Invalid state parameter'
        });
    }
    
    // Gem token data
    req.session.oauth_token = {
        token: token,
        shop_url: req.query.shop_url,
        shop_name: req.query.shop_name,
        api_endpoint: req.query.api_endpoint,
        webshop_id: req.query.webshop_id,
        access_level: req.query.access_level,
        granted_at: new Date()
    };
    
    // Ryd state
    delete req.session.oauth_state;
    
    // Success response
    res.json({
        success: true,
        shop_name: req.query.shop_name,
        access_level: req.query.access_level
    });
});

// API kald med OAuth token
app.get('/api/products', async (req, res) => {
    if (!req.session.oauth_token) {
        return res.status(401).json({ error: 'Not authenticated' });
    }
    
    try {
        const response = await fetch(
            `${req.session.oauth_token.api_endpoint}/product?limit=10`,
            {
                headers: {
                    'Authorization': req.session.oauth_token.token,
                    'Accept': 'application/json'
                }
            }
        );
        
        const data = await response.json();
        res.json(data);
    } catch (error) {
        res.status(500).json({ error: error.message });
    }
});

app.listen(3000, () => {
    console.log('OAuth app running on port 3000');
});

Installation:

npm install express express-session
node app.js

Python/Flask Implementation

Python implementation med Flask framework

from flask import Flask, redirect, request, session, jsonify
import secrets
import requests
from urllib.parse import urlencode

app = Flask(__name__)
app.secret_key = 'your-secret-key'

# OAuth konfiguration
OAUTH_CONFIG = {
    'client_id': 'Min Shoporama App',
    'redirect_uri': 'https://example.com/oauth/callback',
    'oauth_endpoint': 'https://www.shoporama.dk/admin/oauth/login'
}

@app.route('/oauth/start')
def oauth_start():
    # Generer state til CSRF beskyttelse
    state = secrets.token_urlsafe(16)
    session['oauth_state'] = state
    
    # Byg OAuth URL
    params = {
        'client_id': OAUTH_CONFIG['client_id'],
        'redirect_uri': OAUTH_CONFIG['redirect_uri'],
        'state': state
    }
    
    auth_url = f"{OAUTH_CONFIG['oauth_endpoint']}?{urlencode(params)}"
    return redirect(auth_url)

@app.route('/oauth/callback')
def oauth_callback():
    # Hent parametre
    token = request.args.get('token')
    state = request.args.get('state')
    error = request.args.get('error')
    error_description = request.args.get('error_description')
    
    # Håndter fejl
    if error:
        return jsonify({
            'error': error,
            'description': error_description
        }), 400
    
    # Verificer state
    if state != session.get('oauth_state'):
        return jsonify({'error': 'Invalid state parameter'}), 400
    
    # Gem token data
    session['oauth_token'] = {
        'token': token,
        'shop_url': request.args.get('shop_url'),
        'shop_name': request.args.get('shop_name'),
        'api_endpoint': request.args.get('api_endpoint'),
        'webshop_id': request.args.get('webshop_id'),
        'access_level': request.args.get('access_level')
    }
    
    # Ryd state
    session.pop('oauth_state', None)
    
    return jsonify({
        'success': True,
        'shop_name': session['oauth_token']['shop_name'],
        'access_level': session['oauth_token']['access_level']
    })

@app.route('/api/products')
def get_products():
    # Check authentication
    if 'oauth_token' not in session:
        return jsonify({'error': 'Not authenticated'}), 401
    
    # Kald Shoporama API
    token_data = session['oauth_token']
    headers = {
        'Authorization': token_data['token'],
        'Accept': 'application/json'
    }
    
    response = requests.get(
        f"{token_data['api_endpoint']}/product?limit=10",
        headers=headers
    )
    
    if response.status_code == 200:
        return jsonify(response.json())
    else:
        return jsonify({'error': 'API request failed'}), response.status_code

if __name__ == '__main__':
    app.run(debug=True)

Installation:

pip install flask requests
python app.py

Troubleshooting & Common issues

Common OAuth errors

access_denied

The user was denied access. Show a friendly message and let them try again.

invalid_client

Unknown client_id. Check that your app name is correct.

invalid_redirect_uri

Redirect URI does not match. Must be the exact same URL.

state_mismatch

State parameter does not match. Possible CSRF attack or session timeout.

API errors

401 Unauthorized

Token is invalid or expired. Ask the user to log in again.

403 Forbidden

Token does not have the necessary rights. Check access_level.

429 Too Many Requests

Rate limit reached. Please wait until the next request.

500 Server Error

Internal error. Please try again later or contact support.

Debug tips

Test with OAuth Test Client

Use our test client to verify your OAuth flow is working correctly.

Test OAuth Flow →

Log all parameters

Log state, token and other parameters to debug issues.

Safety & Best Practices

Token storage

• Never store tokens in cookies or localStorage
• Use server-side sessions or encrypted database
• Encrypt tokens before storage
• Delete tokens when they are no longer used

CSRF protection

• Always use state parameter
• Generate unique state for each session
• Verify state in callback
• Timeout state after a short time

HTTPS required

• Only use HTTPS for redirect_uri
• All API calls must be over HTTPS
• Exception: localhost for development
• Check SSL certificate validity

Access levels explained

Level	Description	Allowed	Not allowed
read	Read access to all data	GET requests to all endpoints	POST, PUT, DELETE requests
write	Read and write data	All HTTP methods	Delete webshop, change ownership
all	Full administrator access	Everything including dangerous operations	Nothing - full control

Recommendation: Start with 'read' access during development and only upgrade to 'write' or 'all' when necessary for your application's functionality.

Complete API documentation

See all available endpoints, methods and parameters in our REST API documentation

See API Documentation

Create your shop

Book a call

Thank you for your inquiry!

Emergency situation

OAuth Integration

Hvad er OAuth?

Safe and secure

Nem integration

Fleksibel

OAuth Flow - Trin for trin

Send bruger til Shoporama

User logs in

Receive API token

Use the API

Klar til at komme i gang?

Komplette Implementeringseksempler

Vanilla PHP Implementation

Sådan bruger du det:

Laravel Implementation

Laravel Features:

Frontend JavaScript Implementation

Bemærk om CORS:

Node.js/Express Implementation

Installation:

Python/Flask Implementation

Installation:

Troubleshooting & Common issues

Common OAuth errors

access_denied

invalid_client

invalid_redirect_uri

state_mismatch

API errors

401 Unauthorized

403 Forbidden

429 Too Many Requests

500 Server Error

Debug tips

Test with OAuth Test Client

Log all parameters

Safety & Best Practices

Token storage

CSRF protection

HTTPS required

Access levels explained

Complete API documentation

Get tips for your webshop

Cookie settings

Necessary cookies

Analytics cookies

Marketing cookies