Accounting API
Welcome to our official feedback forum for the Xero Developer API.
The Xero Community site is the best place to submit feedback for improving Xero Business
9 results found
-
Expose which user connected the organization via OAuth
Currently, we have no idea which user connected via OAuth. In other platforms (QB for one), you get details (especially email) of the user, and can design behavior based on it. In Xero, we get all the data on the users (with the new email address field), but we don't know which user connected. If this will be exposed, it will give the developers more tools to create a more specific experience for the users.
236 votes
OAuth2.0 is now available including OpenID Connect. This allows you to retrieve the basic profile information for the authorising user. Check out the details here: https://developer.xero.com/documentation/oauth2/sign-in
-
Single Sign on provider
Allow users to sign into 3rd party applications using Xero as a single sign on provider (probably through OpenID).
97 votes
You can now use Xero as an SSO provider using OAuth 2.0 and OpenID Connect.
Check out the docs here: https://developer.xero.com/documentation/oauth2/sign-in
-
Provide an API to revoke the Add-on Authentication
It would be good to be able to permanently remove the add-on authentication access from the Xero ledger to clean things up when a user deletes an account.
43 votes
Hi everyone,
You can now revoke your access tokens by making a POST request to the revocation endpoint.
Check out the details in the docs:
https://developer.xero.com/documentation/oauth2/auth-flow#revoke
Cheers,
Adam
-
Allow user to connect to multiple organizations at once so we can query across multiple organizations.
Allow users to connect to multiple organizations at once so we can query across multiple organizations with one query.
20 votes
Bulk Connections has now been released to allow users to connect multiple organisations in one authorisation flow. It is available to all certified apps. See the App partner features page for more info.
-
Come up to date with a more modern Authorisation Mechanism rather than using OAuth1.0a
oAuth1.0a was developed in 2009 and is so complicated it just doesn't make it a viable option to maximise the Xero API with any simplicity. Most organisations have at least moved to oAuth2.0.
How about it Xero, what's the chance of moving with the times?
15 votes
-
API improvements for mobile devices
At the moment, the Xero API authentication model does not support authentication and connection via mobile devices in a practical way - the only option is the public application type giving 30mins of access.
While changes are not currently planned, please add your vote and use case here if you would like to be able to connect directly to the Xero API from a mobile application.
8 votes
With OAuth 2.0 we now support the PKCE auth flow which allows you to securely connect to the API directly from native mobile apps.
-
include an Id unique to the oAuth'enticated user
That will allow consumer apps to differentiate services based on the authenticated user (e.g. ACLs with app specific permissions).
5 votes
In a recent release we provided an Organisation shortcode which is a unique identifier of the Xero organisation you are connected to. http://developer.xero.com/v2-release-notes/#2.22
An API connection, though facilitated by a user, is tied to the organisation, not the user. This is why the shortcode is the most appropriate unique identifier within a connection.
-
Support Oauth2 'Client Credentials Flow' for server apps.
A major drawback of Xero OAuth2 is that the 'Client Credentials Flow' is not supported. This makes it impossible to implement server-side applications to interact with Xero because there is no user interaction at all. A lot of people have been complaining about this, and it's shocking that it is still not supported in May 2021!
3 votes
You can now integrate with client credentials using Custom Connections.
https://devblog.xero.com/introducing-custom-connections-72c32297382
-
Support TLS 1.2 on API connections
Xero has a good SSL configuration on the main app (A+ on SSL Labs) but the API endpoint is running older and weaker encryption.
It appears to have some kind of TLS 1.2 support enabled but it drops after the initial handshake, which means that TLS 1.2 needs to be excluded as an option when negotiating connections. Annoying having to set this up only for Xero.
1 vote
TLS 1.2 has now been enabled on the API sites!