[SOLVED] oAuth For ChatGPT Plugins…

Orren Prunckun
3 min read · Jul 4, 2023


Once in the ChatGPT Plugin store, go to “Develop your own Plugin”.

Add the domain or subdomain including https for the Plugin that requires oAuth.

Click “Find manifest”.

If the manifest and OpenAPI spec validate, then under “Enter your OAuth credentials:” enter:

A Client ID and Client Secret. These can be anything, but you will need to compare them later in the code behind your authorization_url (more on this to come).

Click “Next”

ChatGPT will give you a “verification token”.

Add the verification token to your manifest file under:

"verification_tokens": {
  "openai": "HERE"
}

Click “Verify tokens”.

Click “install for me”.

Click “Continue”.

Click “Log in with Auth”.

This will then redirect you to the client_url in your manifest with the following query string appended:

?response_type=code&client_id=1&redirect_uri=https%3A%2F%2Fchat.openai.com%2Faip%2Fplugin-THE-PLUGIN-ID-WILL-BE-HERE%2Foauth%2Fcallback&scope=&state=15014bf5-e45f-45d8-816f-ff1e4da87e81

That query string breaks down into:

1) response_type => code
2) client_id => WHAT YOU ENTERED IN THE PREVIOUS STEP
3) redirect_uri => https://chat.openai.com/aip/plugin-THE-PLUGIN-ID-WILL-BE-HERE/oauth/callback
4) scope =>
5) state => STRING HERE

The Plugin user must then log in, and you validate their credentials (email and password) against your database.

Assume they do it correctly!

You then need to redirect a successfully logged-in user to: https://chat.openai.com/aip/plugin-THE-PLUGIN-ID-WILL-BE-HERE/oauth/callback

However, you MUST append a “code” to the redirect_uri ChatGPT gave you previously (https://chat.openai.com/aip/plugin-THE-PLUGIN-ID-WILL-BE-HERE/oauth/callback).

It will look like this:

https://chat.openai.com/aip/plugin-THE-PLUGIN-ID-WILL-BE-HERE/oauth/callback?code=1234567890

“Code” should be unique to each user and can be any integer, but you will need to compare it later with your database.

The redirect_uri ChatGPT gave you previously, with your appended “code” (e.g. https://chat.openai.com/aip/plugin-THE-PLUGIN-ID-WILL-BE-HERE/oauth/callback?code=666), will redirect automatically after a few seconds to:

https://chat.openai.com/?model=gpt-4-plugins&loginAip=plugin-THE-PLUGIN-ID-WILL-BE-HERE&loginSuccess=true

Make sure loginSuccess equals true.

If it equals false you’ll get an error in orange text in ChatGPT saying the Plugin cannot be installed — this is because you forgot to append ?code=…

As soon as ChatGPT automatically redirects to https://chat.openai.com/?model=gpt-4-plugins&loginAip=plugin-THE-PLUGIN-ID-WILL-BE-HERE&loginSuccess=true with loginSuccess set to true, it will also send a POST request to the authorization_url in your manifest as JSON like:

{
  "grant_type": "authorization_code",
  "client_id": "THE ONE YOU SET BEFORE",
  "client_secret": "THE ONE YOU SET BEFORE",
  "code": "THE ONE YOU SET BEFORE",
  "redirect_uri": "https://chat.openai.com/aip/plugin-THE-PLUGIN-ID-WILL-BE-HERE/oauth/callback"
}

In the code of the authorization_url, you will need to make sure the client_id and client_secret are the same as you set previously when you installed the Plugin as the deployer.

You will also need to check that “code” also exists in your database for a valid unique user.

Assuming all three are true, you will then need to render a JSON output on the authorization_url that includes at a minimum:

{
  "access_token": "example_token",
  "token_type": "bearer",
  "expires_in": 59
}

The access_token should be unique per user.

This JSON output will then be passed back to ChatGPT and stored with the Plugin and user.

Each time a user who is logged in (through the oAuth flow outlined so far) uses the Plugin, ChatGPT will pass the access_token from the authorization_url's JSON output to your Plugin endpoint as a GET request with the header:

"Authorization: Bearer ACCESS-TOKEN-FROM-AUTHORIZATION_URL"

Your Plugin should then check this access_token against your database to make sure the logged-in user is still in your database.

At every expires_in interval, ChatGPT will send another POST request to the authorization_url to get the access_token.

If you remove the user from your database, the authorization_url will no longer render the JSON output with the access_token, and the user will no longer be able to use your Plugin.
