
VATSIM Connect Discussion

Zach Biesse-Fitton


Hi @Ilya Pyankov,

That error is caused when an organisation is not active. If you just signed up your organisation will still be pending approval. 

Please ensure that you've met the requirements that were displayed when you created the organisation. Once these requirements have been met, the VATSIM IT department can process your organisation. If you have any issues don't hesitate to drop a reply here or get in contact with the web team or myself via email.

Hope this helps


Harrison Scott
VATSIM Web Developer
Director Operations, VATSIM Australia Pacific
[email protected]




  • 2 months later...
On 4/28/2020 at 9:45 AM, Harrison Scott said:

Hi Guys,

@Mike Welten We could facilitate Active/Inactive, Reg Date and suspended (Should be their rating, I'll investigate the demo account).

@Calum Towers Reg date can certainly be added, I'll add it to the list.

Thanks for your feedback on Connect, I'll get back to you all ASAP.



Hi Harrison,

Is there any estimation date regarding the reg date?



On 4/26/2020 at 8:28 PM, Blake Nahin said:

It seems that after redirecting back from VATSIM, if successful, the return URL does not include the state parameter. It only has code. The state parameter is only included if access is denied.

(Reposted from the other forum since it seems this is where questions should be)

Is there any update regarding this issue as well?


Blake Nahin

VATUSA Data Services Manager



  • 2 weeks later...

Good day gents.


I am a complete noob when it comes to OAuth. I want to implement it with Discord and also with Moodle for our ATC and pilot training.

But let's tackle Discord first.

What should my settings look like for the OAuth to work? I get as far as the Discord login, but after that dismal failure.

Thanks very much.






  • 1 month later...

I am wondering, if an application separates front-end and back-end, how do we integrate VATSIM Connect into it?

I did some searching for this and was inspired by a question on StackOverflow (I like the flowchart! Re-post it below). Now my guess is that the whole process of the authorization will be divided into these steps below. Please correct me if I am wrong.

  1. User clicks the "Login" button on the front-end. The application redirects the user to /authorize endpoint.
  2. VATSIM Connect returns an authorization code.
  3. The front-end sends the authorization code to the backend.
  4. The backend uses the code and sends a POST request to VATSIM for access_token and refresh_token.
  5. VATSIM responds with access_token and refresh_token.
  6. The backend uses access_token and gets user information from VATSIM, then generates a token, which is used to communicate with the front-end.
  7. The backend returns the token to the front-end.

But then here come the questions. Note that there may be more than one version of the front-end (e.g. Web App, iOS app, Android App, etc.) for the backend, and the front-end may not be under the same domain as the backend (CORS issue).

  1. What credentials should be included as parameters in the requests for each step above? I would put my guess here.
    1. From the documentation, for /authorize, at least "response_type", "client_id", "redirect_uri" and "scope" are needed.
    2. VATSIM Connect returns with "code" for the authorization code.
    3. For the communication between front-end and backend, at least "code" is required. It also needs to send "client_id" to the backend.
    4. To use /token endpoint, "client_id", "client_secret", "code" are needed.
    5. VATSIM Connect returns "access_token" and "refresh_token" in the response.
    6. To use /user endpoint, "access_token" is required
    7. The backend returns "token" to the front-end.
  2. Where should the "client_id" get stored? Or use different "client_id" for each version of front-end? This may lead to a different answer to 1.3 above.
  3. Where should the "client_secret" get stored? This may also affect the answers above.
    1. If the front-end is a web application, apparently storing it there is not a safe option.
    2. If storing it in the backend, what should the "redirect_uri" be set to? (front-end/backend)

The question arises as, in the OAuth 2 standard (RFC6749), the authorization server should also support "response_type=token", allowing a client to directly get a short-lived access_token to gain user data, while VATSIM Connect only supports "response_type=code". This requires the usage of "client_secret", which is not suitable to be exposed in a web application. But I think the process above should (almost!) solve the problem, except that there may still be some security issues existing.


Wenlue Zhang | Contact me

Senior Controller (C3)
P.R.China Division Webmaster (VATPRC8) 
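
The seven steps listed in the post above, sketched from the backend's side as an added example (not code from the thread or from VATSIM): "client_secret" stays on the server, the front-end only forwards "code" and "state", and the only thing returned to it is the backend's own signed token. The base URL, credentials, scope value, `browser_sid` and the injected `post_form` / `fetch_user_id` callables are assumptions; it also assumes the authorization server echoes `state` on a successful redirect, which an earlier post in this thread reports was not happening.

```python
import hashlib, hmac, secrets, time
from urllib.parse import urlencode

# Placeholders (assumptions, not VATSIM values): base URL, credentials, redirect URI, scope.
AUTH_BASE = "https://connect.example.invalid"
CLIENT_ID, CLIENT_SECRET = "demo-client-id", "demo-client-secret"  # secret never leaves backend
REDIRECT_URI = "https://app.example.invalid/callback"
SESSION_KEY = secrets.token_bytes(32)  # signs the backend's own tokens (step 6)
_pending = {}  # browser session id -> (state, expiry); hypothetical in-memory store


def begin_login(browser_sid, now=None):
    """Step 1: return the /authorize URL with a state bound to this browser session."""
    state = secrets.token_urlsafe(24)
    _pending[browser_sid] = (state, (now or time.time()) + 600)
    query = urlencode({"response_type": "code", "client_id": CLIENT_ID,
                       "redirect_uri": REDIRECT_URI, "scope": "placeholder_scope",
                       "state": state})
    return f"{AUTH_BASE}/authorize?{query}"


def finish_login(browser_sid, code, state, post_form, fetch_user_id, now=None):
    """Steps 3-7: the front-end forwards code and state; the backend does the rest."""
    expected, expiry = _pending.pop(browser_sid, ("", 0))  # single use
    if not expected or not hmac.compare_digest(expected.encode(), str(state).encode()):
        raise PermissionError("state mismatch")
    if expiry < (now or time.time()):
        raise PermissionError("login attempt expired")
    tokens = post_form(f"{AUTH_BASE}/token", {  # step 4, server to server
        "grant_type": "authorization_code", "code": code, "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI})
    user_id = fetch_user_id(f"{AUTH_BASE}/user", tokens["access_token"])  # step 6
    return issue_session(str(user_id), now=now)  # step 7: only this reaches the client


def issue_session(user_id, ttl=3600, now=None):
    body = f"{user_id}.{int((now or time.time()) + ttl)}"
    return f"{body}.{_sign(body)}"


def verify_session(token, now=None):
    """Return the user id for a valid, unexpired backend token, else None."""
    body, _, sig = token.rpartition(".")
    if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
        return None
    user_id, _, exp = body.rpartition(".")
    return user_id if int(exp) >= (now or time.time()) else None


def _sign(body):
    return hmac.new(SESSION_KEY, body.encode(), hashlib.sha256).hexdigest()
```

Because the state is stored per browser session and popped on first use, a replayed callback or a code submitted from a different session is rejected before the token request is made.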

