Closed joshk6 closed 4 years ago
To clarify are we talking about an App Store disconnect scenario?
Yes, if you want to publish to the app store, according to the docs, if you have a login with intuit button on your application, you also need to give the user a way to revoke those permissions and invalidate the refresh and access tokens if the user chooses, by calling revoke on the tokens. The other thing that would be handy to have is a method to interrogate openid to get the user's details (e.g. email) if the user has logged in through intuit.
PS. I was able to get the various client profile items using Faraday with the following code, provided the following were added to the scope of the access token:
```ruby
client.authorization_uri(scope: 'com.intuit.quickbooks.accounting openid profile email phone address', state: state)
```
```ruby
require 'faraday'
require 'json'

def self.get_profile(access_token)
  conn = Faraday.new(url: 'https://sandbox-accounts.platform.intuit.com/v1/openid_connect/userinfo') do |faraday|
    faraday.request :url_encoded            # form-encode POST params
    faraday.response :logger                # log requests to $stdout (this also logs the Authorization header, so keep it out of production)
    faraday.adapter Faraday.default_adapter # make requests with Net::HTTP
  end

  resp = conn.get do |req|
    req.headers['Accept'] = 'application/json'
    req.headers['Content-Type'] = 'application/json'
    req.headers['Authorization'] = "Bearer #{access_token}"
    req.headers['Cache-Control'] = 'no-cache'
  end

  jp = JSON.parse(resp.body)
  # userinfo only carries a "code" field on failure (e.g. "AuthenticationFailed");
  # fail loudly rather than returning a profile full of nils
  if !resp.success? || !jp['code'].nil?
    raise "userinfo request failed: HTTP #{resp.status} #{jp['code']}"
  end

  address = jp['address'] || {}
  {
    first_name: jp['givenName'],
    last_name: jp['familyName'],
    email: jp['email'],
    street_address: address['streetAddress'],
    city_state: address['locality'],
    state: address['region'],
    zip: address['postalCode'],
    country: address['country']
  }
end
```
Yes, if a user clicks on App Store Disconnect you'll need to trigger OpenID if that user is not logged in. I just use a redirect_to
e.g. redirect_to '/users/auth/intuit_disconnect'
P.S. Soon, this library will have more proper OAuth2 conveniences including OpenID Connect support but now it is DIY as you have found out.
From what I can see, the call to revoke the tokens needs to go to the revoke endpoint, not to the disconnect endpoint. From what I can see, "revoke" has replaced "disconnect" in OAuth2.
From the documentation:
```http
POST https://developer.api.intuit.com/v2/oauth2/tokens/revoke HTTP/1.1
Accept: application/json
Authorization: Basic UTM0dVBvRDIwanp2OUdxNXE1dmlMemppcTlwM1d2NzRUdDNReGkwZVNTTDhFRWwxb0g6VEh0WEJlR3dheEtZSlVNaFhzeGxma1lXaFg3ZlFlRzFtN2szTFRwbw==
Content-Type: application/json

{ "token": "{bearerToken or refreshToken}" }
```
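As an added example (not code from this issue, from the qbo_api gem, or from its author), here is the revoke call from the docs excerpt above written against Ruby's standard-library Net::HTTP instead of Faraday. The function names `build_revoke_request`, `revoke_intuit_token` and `disconnect_intuit`, the `connection` hash shape and the placeholder credentials are assumptions; the endpoint, the Basic header built from client id and secret, and the `{"token": ...}` body follow the quoted docs. The request is assembled separately from sending it so the headers and body can be inspected without touching the network.

```ruby
require 'net/http'
require 'uri'
require 'json'
require 'base64'

# Intuit's OAuth2 revoke endpoint, as quoted from the docs in this thread.
INTUIT_REVOKE_URI = URI('https://developer.api.intuit.com/v2/oauth2/tokens/revoke')

# HTTP Basic credential the revoke endpoint expects: base64("client_id:client_secret").
# strict_encode64 avoids the newlines Base64.encode64 inserts every 60 characters,
# which would corrupt the header.
def intuit_basic_auth(client_id, client_secret)
  'Basic ' + Base64.strict_encode64("#{client_id}:#{client_secret}")
end

# Assemble the POST without sending it, so headers and body can be checked on their own.
def build_revoke_request(token, client_id, client_secret, uri = INTUIT_REVOKE_URI)
  req = Net::HTTP::Post.new(uri)
  req['Authorization'] = intuit_basic_auth(client_id, client_secret)
  req['Accept'] = 'application/json'
  req['Content-Type'] = 'application/json'
  req.body = JSON.generate('token' => token) # bearer or refresh token, per the docs excerpt
  req
end

# Only HTTP 200 counts as "revoked"; anything else must be surfaced, not swallowed.
def revocation_succeeded?(status)
  status.to_i == 200
end

# Send the revoke request. Returns true on success and raises otherwise, so a failed
# revocation can never be mistaken for a completed App Store disconnect.
def revoke_intuit_token(token, client_id:, client_secret:, uri: INTUIT_REVOKE_URI)
  req = build_revoke_request(token, client_id, client_secret, uri)
  resp = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
    http.request(req)
  end
  return true if revocation_succeeded?(resp.code)
  raise "Intuit revoke failed: HTTP #{resp.code} #{resp.body}"
end

# Disconnect flow for a stored connection (hypothetical hash with :access_token and
# :refresh_token). Revoke at Intuit first and only then drop the local copies, so the
# app never forgets tokens that are still valid on Intuit's side.
def disconnect_intuit(connection, client_id:, client_secret:)
  revoke_intuit_token(connection[:refresh_token], client_id: client_id, client_secret: client_secret)
  connection.delete(:access_token)
  connection.delete(:refresh_token)
  connection
end

if __FILE__ == $0
  # Constructed placeholder values; replace with your app's OAuth2 credentials.
  req = build_revoke_request('REFRESH_TOKEN_PLACEHOLDER', 'CLIENT_ID_PLACEHOLDER', 'CLIENT_SECRET_PLACEHOLDER')
  puts req['Authorization']
  puts req.body
end
```

The ordering in `disconnect_intuit` is the point: a disconnect handler that deletes its stored tokens before the revoke call has succeeded leaves a live refresh token at Intuit that the app can no longer revoke. Checking the status explicitly (rather than ignoring the response, as a fire-and-forget call would) keeps that failure visible.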
OAuth2 revoking will not be handled in this gem.
See my article that discusses revoking.
According to the Intuit docs, it looks like App Store apps are required to provide a mechanism for users to revoke permission for the app to access the QB company. It doesn't look like the "disconnect" API method (which returns an error when I try it) achieves what Intuit requires. It seems to require a POST to an Intuit URL ending in "revoke", which I don't see.
Any chance of putting that in the API? You can't really publish anything via Intuit without it.