
https://connect.stripe.com/oauth/authorize?response_type=code&client_id=ca_XXXXXXXXXXXXXXXXXXXXXX&scope=read_write

From the above-mentioned API I get the code.

$code = $_GET['code'];

With this code I cURL http://connect.stripe.com/oauth/token, but the problem is that I am not getting any response.

echo $code;

$token_request_body = array(
    'grant_type' => 'authorization_code',
    'client_id' => 'ca_xxxxxxxxxxxxxxxxxxxxx',
    'code' => $code,
    'client_secret' => 'XXXXXXXXXXXXXXXXXXX'
);

define("TOKEN_URI", "http://connect.stripe.com/oauth/token");

$req = curl_init(TOKEN_URI);
curl_setopt($req, CURLOPT_RETURNTRANSFER, true);
curl_setopt($req, CURLOPT_POST, true);
curl_setopt($req, CURLOPT_POSTFIELDS, http_build_query($token_request_body));

// TODO: Additional error handling
$body = curl_exec($req);                             // perform the request first ...
$respCode = curl_getinfo($req, CURLINFO_HTTP_CODE);  // ... otherwise the status code is still 0
echo $respCode;
$resp = json_decode($body, true);
var_dump($resp);                                     // $resp is an array (or null); echo would only print "Array"
curl_close($req);

echo $resp['access_token'];
Richard Osseweyer

1 Answer


Your code sends the code to the endpoint over plain HTTP, which is forbidden by the spec, and the server should not return the tokens. The example code at stripe.com also shows an HTTPS URL. Switch:

define("TOKEN_URI", "http://connect.stripe.com/oauth/token");

to:

define("TOKEN_URI", "https://connect.stripe.com/oauth/token");

FWIW: the plain HTTP URL actually redirects to HTTPS, which is something your client doesn't handle, and it shouldn't, since it would be insecure and a violation of the spec.

Hans Z.
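The answer's point generalizes: a token exchange carries the client secret and the authorization code, so the client should refuse to send it anywhere but an HTTPS endpoint and should never follow a redirect with that body. The helper below is an added example, not code from the question, the answer, or Stripe; it also fixes the ordering problem in the original (curl_getinfo() before curl_exec() always reports status 0) and checks the HTTP status and JSON before reading access_token. The endpoint, client id, secret and code in the usage comment are placeholders.

```php
<?php
// Added example: an OAuth token exchange that fails loudly on a non-HTTPS
// endpoint instead of silently returning nothing. Placeholder credentials.

function exchange_code_for_token(string $tokenUri, string $clientId, string $clientSecret, string $code): array
{
    // Reject the misconfiguration up front: the secret must only travel over TLS.
    if (parse_url($tokenUri, PHP_URL_SCHEME) !== 'https') {
        throw new RuntimeException("Token endpoint must use https, got: $tokenUri");
    }

    $req = curl_init($tokenUri);
    curl_setopt_array($req, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query([
            'grant_type'    => 'authorization_code',
            'client_id'     => $clientId,
            'client_secret' => $clientSecret,
            'code'          => $code,
        ]),
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // libcurl itself refuses anything but https
        CURLOPT_FOLLOWLOCATION => false,           // never re-POST credentials after a 30x
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 15,
    ]);

    $body   = curl_exec($req);      // must run before curl_getinfo() has a status to report
    $errno  = curl_errno($req);
    $err    = curl_error($req);
    $status = curl_getinfo($req, CURLINFO_HTTP_CODE);
    curl_close($req);

    if ($body === false) {
        throw new RuntimeException("curl failed ($errno): $err");
    }
    if ($status !== 200) {
        // A 301/302 here is exactly the plain-HTTP symptom from the answer.
        throw new RuntimeException("Token endpoint returned HTTP $status: $body");
    }
    $resp = json_decode($body, true);
    if (!is_array($resp) || empty($resp['access_token'])) {
        throw new RuntimeException("Unexpected token response: $body");
    }
    return $resp;
}

// Usage (all values are placeholders):
// $code  = $_GET['code'] ?? '';
// $token = exchange_code_for_token(
//     'https://connect.stripe.com/oauth/token', 'ca_XXXXXXXX', 'sk_XXXXXXXX', $code);
// echo $token['access_token'];
```

CURLOPT_FOLLOWLOCATION is already off by default, which is why the original code saw the redirect as "no response"; setting it explicitly, together with CURLOPT_PROTOCOLS, documents that the behaviour is intended rather than accidental, and the status check turns a silent empty result into an error that names the redirect.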