For further clarity, I am not building on top of the WooCommerce Square plugin. I am making a wholly separate Square integration for a wholly separate e-commerce plugin. I am simply using their plugin as direction/inspiration for my code.
My plugin: www.sunshinephotocart.com - totally separate from WooCommerce.
My OAuth sends people from their own WordPress admin to my website at www.sunshinephotocart.com, builds the OAuth URL, gets the response with “code”, forwards them back to their own WordPress website admin - just like the WooCommerce plugin does.
This is as far as I have got. I am trying to set up the same thing the WooCommerce Square plugin does which somehow at this point saves some encrypted token (I am not clear on what token it actually is from) and is able to make connections to the API to list locations or create payments. The difference I can see is that they do not use an application fee so I am not sure if I have to do to things differently as a result.
You pointed out that the “code” is then used for an ObtainTokenRequest but this requires an Application ID and Secret. Nowhere in the WooCommerce Square plugin does it make this request - how are they able to get around this? Is there a way to OAuth so you don’t need these two values?