How do you format an Oauth 2.0 request to include scopes

Question

I am writing a PHP web program that needs to access and edit people's info on lichess.org. Their api uses Oauth 2.0 to do this. The problem is no matter what I put in the request it only seems to request public profile information:redirect page screenshot. I think I may be formating the url incorrectly but I can't figure out how because the example code is in JavaScript and I'm less familiar with that. Here is a snippet of the code I'm using to format the string:

$scopes = "email:read%20preference:write";
$state=generate_string(20);
$authorize_url = "https://oauth.lichess.org/oauth/authorize";

function getAuthorizationCode() {
        global $authorize_url, $client_id, $callback_uri;

        $authorization_redirect_url = $authorize_url . "?response_type=code&client_id=" . $client_id . "&redirect_uri=" . $callback_uri . "&scope=" . $scopes . "&state=".$state;

        header("Location: " . $authorization_redirect_url);

}

And to generate the state string I'm using this helper function

    function generate_string($strength,$charset='0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ') {
    $Length = strlen($charset);
    $random_string = '';
    for($i = 0; $i < $strength; $i++) {
        $random_character = $charset[mt_rand(0, $Length - 1)];
        $random_string .= $random_character;
    }

    return $random_string;
}

And sure enough, when I actually try to request the resource the response is "missing scope". I'm using:

$lichessurl = "https://lichess.org/api/account/email";
function getAccessToken($authorization_code) {
        global $token_url, $client_id, $client_secret, $callback_uri;

        $authorization = base64_encode("$client_id:$client_secret");
        $header = array("Authorization: Basic {$authorization}","Content-Type: application/x-www-form-urlencoded");
        $content = "grant_type=authorization_code&code=$authorization_code&redirect_uri=$callback_uri";

        $curl = curl_init();
        curl_setopt_array($curl, array(
                CURLOPT_URL => $token_url,
                CURLOPT_HTTPHEADER => $header,
                CURLOPT_SSL_VERIFYPEER => false,
                CURLOPT_RETURNTRANSFER => true,
                CURLOPT_POST => true,
                CURLOPT_POSTFIELDS => $content
        ));
        $response = curl_exec($curl);
        curl_close($curl);

        if ($response === false) {
                echo "Failed";
                echo curl_error($curl);
                echo "Failed";
        } elseif (json_decode($response)->error) {
                echo "Error:<br />";
                echo $authorization_code;
                echo $response;
        }

        return json_decode($response)->access_token;
}

in order to do that.

Answer 1

The reason why you're not getting the scopes in your url string is because you need to declare it in your global.

$scopes = "email:read%20preference:write";
$state=generate_string(20);
$authorize_url = "https://oauth.lichess.org/oauth/authorize";

function getAuthorizationCode() {
        global $authorize_url, $client_id, $callback_uri, $scopes;

        $authorization_redirect_url = $authorize_url . "?response_type=code&client_id=" . $client_id . "&redirect_uri=" . $callback_uri . "&scope=" . $scopes . "&state=".$state;

        header("Location: " . $authorization_redirect_url);

}