allow longer term OAuth access
It would be great to have access to Xero that is useful for web applications and server processes - as described in the release notes :)
Any Mac developers having issues with partner apps while developing, please contact email@example.com for assistance.
Any timescales on this yet? Would love to use Xero for our accounts, but unless we can integrate server-side with either a permanent OAuth token or at least a 6-month/yearly one, there's not much point.
Dan Rucci commented
I would really like some PHP code on how to use OAuth... there must be a nice wrapper around the use of this to connect and then make requests etc. If anyone can help, I'd love some help.
Phillip Haines commented
The OAuth authentication is great and I think it enhances the usability of interoperability between web applications. I think you guys are really onto a great start here. However I have some concerns around the user experience of authentication tokens that time out.
I think permanent tokens with an ability for the user to revoke access to an application is the way to go with this type of API. Having short authentication periods would be frustrating for me as a user and longer authentication periods would be confusing when the integration fails after a long period of successful running, particularly for a background process.
I can see some use cases for tokens which time out after a relatively short period of time for applications that don't really hold state between executions; perhaps a time-out parameter could be added to the request token URL with indefinite as an option. The user could then make an informed decision on how other applications access their data. This, in combination with the ability to revoke access to an application, I believe would cover off requirements of risk management and privacy concerns.
I'm looking forward to seeing the solution you guys come up with.
@Paul, it is our intention to allow people to opt for long-term tokens when they set up their application (given a couple of extra privacy requirements), and then any user that wants to set up a longer-term token will be given that option (they will choose how long a token lasts, from 3 hours to a year we think at the moment).
@Andy, the long-term token support is just reliant on some infrastructure changes we want to get in with regards to certificate generation and PKI management. This is not a super quick thing so may well take more than a couple of weeks, but we're trying.
We appreciate that communication has been lacking while we've been busy squirrelling away at v2. We do intend for that to change. Please follow us on Twitter (@XeroAPI) or send an email to firstname.lastname@example.org if you want a more immediate response.
Andy Cowan commented
Can anyone at Xero give a rough idea of timescale on this one? Again, like the payments suggestion, it's really a bit difficult to make anything useful with the API without this. I'm just trying to work out whether to gamble on Xero supporting this in the near future (by which I mean days/weeks) or switch to a 'less preferred' option... With the payments issue, I woke up one morning to find it was fixed, with no heads-up from you guys. Some communication would really be appreciated here...
Paul Chilton commented
Could the application pass in a 'long term token request' parameter along to the authorize URL, so that the user is prompted (via a checkbox) to allow the application long-term access? Similar to a 'remember me' type functionality.
e.g. Username, Password, "allow application access for 1 year" tickbox as part of the OAuth processing.
OK, just to clear up some confusion from these comments.
It IS our intention to start supporting long-term tokens (these will not be "forever" but will be significantly long in length, essentially being permanent tokens).
At the moment we have some requirements to sign off from a risk management/privacy point of view. Then we will be opening up to these kinds of applications.
This is a really high priority for us, as we appreciate the use of the API is a little lacking without it.
We wanted to get API v2 out the door rather than wait for the infrastructure requirements beforehand.
So we hear you and we're working on it as soon as we can.
I develop for seven companies which could end up using Xero if it were possible to have permanent OAuth tokens or a return to pre-shared keys. This is a major road block for our automated reporting systems and has left some of us a bit shocked and angered that it does not exist already.
A classic example of how 30 minute expiry blocks a useful application:
We cannot pull invoices which have been entered into Xero and automatically match them up in our purchase ordering system. Instead, user interaction is required, preventing this from being a nightly, automatic task based on the invoice reference field.
It is stated that this expiry is to prevent the tokens from being intercepted or "lifted". I have noted that it is possible to store a user's credentials and simulate a browser logging into the Xero site and obtain a new token. Given that this is possible, it will undoubtedly lead to some developers storing Xero user account credentials on disk, making this measure ineffective anyway.
Why not give us a way to obtain a new token before it expires and invalidate the old one?
Wayne Robinson commented
I agree totally. Every single application I have on the drawing board requires a permanent OAuth token. Even the current implementation is very annoying for users, as tokens expire after 30 minutes, even if the user has been active.
Given users can revoke tokens at any point through the web interface, there should be little risk in allowing permanent tokens.
If Xero still does not wish to provide permanent tokens, you could provide longer-expiry (say 14-day) tokens with an automated re-subscription mechanism for the API to renew its token whilst expiring the old one without requiring user interaction (reducing the risk of a token being stolen from the application's database).
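The renewal mechanism asked for in the two comments above (obtain a new token before expiry and invalidate the old one; a longer-lived token renewed automatically without user interaction) sketched from the provider's side, as an added example that is not code from Xero or from anyone in this thread. The 14-day lifetime, the one-day renewal window and the `TokenStore` class are assumptions for the demo; the replay rule (a superseded token presented again kills the whole chain) is the standard way rotation limits damage from a copy lifted out of an application's database.

```python
import secrets
import time

# Assumed for the demo, following the thread's proposal: a 14-day token that the
# application may exchange for a fresh one shortly before it expires.
TOKEN_LIFETIME = 14 * 24 * 3600
RENEW_WINDOW = 24 * 3600  # renewal is only accepted in the last 24 hours of life


class TokenStore:
    """Provider-side store: a token is valid until expiry or revocation, and a
    renewal returns a fresh token while the old one stops working."""

    def __init__(self, clock=time.time):
        self.clock = clock  # injectable so tests can move time forward
        self.tokens = {}    # token -> record

    def issue(self, user):
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = {"user": user, "expires": self.clock() + TOKEN_LIFETIME,
                            "revoked": False, "successor": None}
        return tok

    def validate(self, tok):
        """Return the owning user for a live token, else None."""
        rec = self.tokens.get(tok)
        if rec is None or rec["revoked"] or self.clock() >= rec["expires"]:
            return None
        return rec["user"]

    def revoke(self, tok):
        """User-initiated revocation (the web-interface action mentioned in the
        thread); also kills every token later derived from this one by renewal."""
        rec = self.tokens.get(tok)
        while rec is not None:
            rec["revoked"] = True
            rec = self.tokens.get(rec["successor"])  # get(None) -> None ends the walk

    def renew(self, tok):
        """Exchange a soon-to-expire token for a new one; the old one is invalidated."""
        rec = self.tokens.get(tok)
        if rec is None or self.clock() >= rec["expires"]:
            return None
        if rec["revoked"]:
            # An already-renewed token presented again means two parties hold it
            # (e.g. a copy taken from the app's database): treat as theft, kill the chain.
            self.revoke(tok)
            return None
        if rec["expires"] - self.clock() > RENEW_WINDOW:
            return None  # too early: nothing to gain, and it limits churn
        new = self.issue(rec["user"])
        rec["revoked"], rec["successor"] = True, new
        return new
```

Which side detects the replay matters: the provider only learns that a copy exists when the superseded token comes back, so the application should discard the old token the moment the renewal response arrives.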
Michael Koziarski commented
Most of the use cases I have for the Xero API are for wiring up my *own* applications' billing into *my* Xero account. This would let me use Xero as the platform for all the tracking I need to do for financial stats. For this I should be able to do a one-off authentication token rather than re-authing every single time I want to do anything.