What is the way forward for this in light of deprecation of

[WhatFreshHellIsThis]

oAuth 1.0 and the more imminent deprecation of OpenID 2.0?

[nimisha84]

We support only server side apps for Oauth2. For desktop apps, you will have to use this workaround.

There is no way to bypass the Oauth process. You will have to do it at least once to make api calls. So, if you have a desktop app/service then you can use Postman or Oauth2 playground we have, add the app keys and then get the Oauth2 tokens.

Ask your customers of the desktop apps to create developer account-> get prod oauth2 keys and use them on OAuth playground atleast once to get tokens first time. Hardcode them in your application. Then keep on refreshing access token using refreshtoken api call until refresh token expires in 100 days. Then again get new access tokens by playground or postman and repeat api calls until refresh token expires. This would be a cycle of hardcoding tokens every 100 days. Always save the latest refresh token in your code as once used refresh tokens can expire in 24hrs.

OAuth2 playground-https://developer.intuit.com/v2/ui#/playground

On the developer.intuit.com->Your app tab->Keys->Add this redirect url under your Prod app keys->Redirect url-https://developer.intuit.com/v2/OAuth2Playground/RedirectUrl

Postman- https://developer.intuit.com/docs/0100_quickbooks_online/0400_tools/0012_postman

On the developer.intuit.com->Your app tab->Keys->Add this redirect url under your Prod app keys ->Redirect url-https://www.getpostman.com/oauth2/callback

1)You get access token and refresh token manually using Postman or your web code where user authorizes 2)You hard code TOKENs in your code by saving the access token and latest refresh token in DB/permanaent store as access token expires every 1 hr and refresh token every 24hrs. 3)You can make calls without User interaction after refreshing access token using refresh token api once you get the access token from step 1 . 4)Every time refresh token api is called(check any of the web sample apps for oauth2 here-https://github.com/IntuitDeveloper), you have to save the latest value for access token and refresh token in DB. 5)Use the latest refresh token to get new access token and this process continues until 100 days. 6)Then again start with getting a new access token or whenever you have an expired token for various reasons. You will get a 401 error when access token expires or a 400 error when refresh token call fails to refresh access token. Read details in the docs - https://developer.intuit.com/app/developer/qbo/docs/develop/authentication-and-authorization.

[WhatFreshHellIsThis]

Thank you for replying, I'm a little confused here and appreciate some clear information if possible:

1) We make an add-on product for our commercial product that allows our users to integrate with QB Online. Are you saying our end users who are customers of our software will need to use Postman or are you saying that for scenarios where consultants are making custom software for others?

2) How does the oAuth2 affect this github repository, is it now obsolete?

3) We can and do have the ability to make a web application, is there an easier flow for this that would involve some kind of portal we make as a web application that can be called by our desktop client to handle authentication and then pass something back to the desktop client? I.E. if we want to make minimal changes to our existing integration product can we workaround issues for our end users if we enlist some kind of process using our own web server to do the initial authentication then the desktop client can make direct calls to the QB Online api using those creds?

4) Will desktop applications that use this github project and DesktopIppOAuth.NET40 1.3.0.0 and DevDefined.OAuth 1.0 assemblies for the oAuth 1.0 authentication break on May 31 2019?

[nimisha84]

1) Yeah, I meant for both scenarios if at all you want to have a desktop installable for each of your customer with their own tokens/keys. They can even use Oauth playground too. 2) Yeah, this one is obsolete 3)This is the best approach actually. Create a web app and ask your desktop customer to login first time and you give them access token and refresh token which they can plugin in their desktop copy of code/installable. 4) Oauth1 will continue to work until Dec 2019. Only the sign in flow using OpenId 2.0 is deprecating. So, you you can use Open Id connect . Or just do Oauth2 completely using OpenId Connect. Check docs here- https://developer.intuit.com/app/developer/qbo/docs/develop/authentication-and-authorization/openid-connect

[smszeyll]

Hello, Based on what WhatFresh said above, I just want to verify we can do the following:

1. Create a web server that a desktop application can call to get the qboe authentication credentials.
2. The desktop app can then call qboe directly with the authentication credentials.

If the above is correct, what requirements would our customers desktop application need to then communicate directly with qboe?

If the above is not correct, does that mean we need to pass all information through the webserver? For example:

1. Desktop application queries for customers in qboe, send this request to web server
2. Web server sends the request to qboe
3. Qboe sends back to web server
4. Web server sends back to desktop application

[nimisha84]

Your first workflow is correct. Have a web server for just authenticating and authorizing QBO admin users and get their access tokens and refresh token for first time. The admin user can then plug that in your installable/desktop app they have and your code should internally handle refreshing of tokens.Make sure your code save latest access token and refresh token always and uses the latest refresh tokens value to get new access tokens

[smszeyll]

Hi, Thanks for the reply.

Can you point me to the correct documentation or sample .c#/.net resources for communicating with QBOE from a Desktop application. The online app documentation is easy to follow, but I am unsure what is the most up to date desktop/c# to qboe documentation.

[nimisha84]

The same steps as suggested above will work. Please follow those. You can check a wiki created by one of our external devs- http://relasoft.net/KB10004.html

Please be sure to thank him.

[smszeyll]

Hello, Thanks for the help and link. I have gotten this to work. I have one problem however. Occasionally the Access Token needs to be refreshed. The access token is supposed to be good for 100 days.

What are the conditions where a access token would need to be refreshed other than the 100 day time limit? Thanks