oAuth 2.0
Any chance Xero will support oAuth2.0?
oAuth1.0 and its payload signing doesn't work very well in various environments including node.js
With rest of the world moving to oAuth 2.0 - I hope XERO does too
OAuth 2.0 is now required for all new integrations to Xero’s APIs.
Find all the details here https://developer.xero.com/documentation/oauth2/overview
-
Anonymous commented
Can I make my connections last longer with oauth 2.0 even if it is not a partner app?
-
Gavin Stevens (Abode) commented
Works great, thanks Xero
-
Anonymous commented
Shipped 2 days ago! Looks like SDKs are coming soon, but docs are here now too
https://trello.com/b/cHoNWLSe/xero-platform-roadmap-for-developers
https://developer.xero.com/documentation/oauth2/auth-flow
-
Tim Leggett commented
OAuth 1.0 has been officially deprecated as of April 20 2012 because of a session fixation attack.
See https://developers.hubspot.com/docs/faq/oauth-1-deprecation
This means we cannot integrate with applications that require OAuth2.0 for security reasons as they should not.
-
Anonymous commented
any update sir?
-
Peter Myers commented
Is there any update on this? Since the "We're working on it!" post, it's been several months.
-
Jim Simmonds commented
Is there an update on Oauth 2.0 support yet?
-
Ash Guy commented
Anywhere we can subscribe to updates / register for notifications on this particular feature? As a platform critical feature and the core integration point for everyone it is something we need to be across the timeline and any movements for (I appreciate you don't want to give exact dates etc for obvious reasons).
-
Daniel Aldous-Critchley commented
Using OAuth 1.0a is simply unacceptable in 2018.
OAuth 1.0 is an 11 year old authentication mechanism and OAuth 1.0a, which is simply a security revision, is 9 years old.
I am trying to integrate to you from a platform that has gone further than just deprecating OAuth 1.0 and all variants including revision a, it has actually now prevented OAuth 1.0 authentication.
Come on guys! OAuth 2.0 is already 6 years old now.
-
Ash Guy commented
How are we going with this one?
-
Peter Myers commented
I noticed in Trello that this is on the midterm planned roadmap. This should get moved to near term. It's simply not acceptable that this hasn't been implemented yet. It makes integration development work horrible. Please...if you care at all about your developer base...implement this.
-
Barret Cunningham commented
Any updates on this?
It is really not acceptable that Xero being a cloud based software business hasn't implemented this yet.
We are trying to do some integration work and none of the modern integration platforms support OAuth1.0a, and why would they? Everyone else in the world has moved to OAuth2.
-
Bjoern commented
The way OAuth 1.0a is used at Xero does not allow desktop or mobile apps to become partner apps because it would require the distribution of a private key in the app (which can be decompiled). I hope OAuth 2 will address this issue and allow mobile and desktop apps to become Xero partners (and allow access tokens longer than 30 minutes).
-
Leigh Barnes commented
Is there any update regarding moving to OAuth 2.0?
-
Anonymous commented
From RFC 6749: "This specification replaces and obsoletes the OAuth 1.0 protocol... This is an Internet Standards Track document." Moving from OAuth 1 to 2 is no longer optional. You are in breach of the regulations that govern your operations, and you must comply.
-
Anonymous commented
Holly lazy, move to oauth2.0! oauth1 requires the user to accept the access token delivery in the authorization, opening a browser tab. That's nuts! We have to really do hacky things to make it work. Sucks
-
Anonymous commented
Everyone from Stripe to Google uses OAuth 2. Xero's code samples are terrible. It's obvious that this is not about security, it's just about Xero not caring about their developers.
-
Anonymous commented
There are serious issues using OAuth1 and AppEngine... In fact I can't make it work. Using OAuth2 with other third party services I have no problems at all.
-
Anonymous commented
Any luck for oAuth 2.0?