Currently, we have no idea which user connected via OAuth. In other platforms (QB for one), you get details (especially the email) of the user, and can design behavior based on it. In Xero, we get all the data on the users (with the new email address field), but we don't know which user connected. If this were exposed, it would give developers more tools to create a more specific experience for the users.
236 votes
OAuth2.0 is now available including OpenID Connect. This allows you to retrieve the basic profile information for the authorising user. Check out the details here: https://developer.xero.com/documentation/oauth2/sign-in
Allow users to sign into 3rd party applications using Xero as a single sign-on provider (probably through OpenID).
97 votes
You can now use Xero as an SSO provider using OAuth 2.0 and OpenId Connect.
Check out the docs here: https://developer.xero.com/documentation/oauth2/sign-in
It would be good to be able to permanently remove the add-on authentication access from the Xero ledger to clean things up when a user deletes an account.
43 votes
You can now revoke your access tokens by making a POST request to the revocation endpoint.
Check out the details in the docs:
At the moment, the Xero API authentication model does not support authentication and connection via mobile devices in a practical way - the only option is the public application type, giving 30 mins of access.
While changes are not currently planned, please add your vote and use case here if you would like to be able to connect directly to the Xero API from a mobile application.
8 votes
With OAuth 2.0 we now support the PKCE auth flow, which allows you to securely connect to the API directly from native mobile apps.
That will allow consumer apps to differentiate services based on the authenticated user (e.g. ACLs with app-specific permissions).
5 votes
In a recent release we provided an Organisation shortcode which is a unique identifier of the Xero organisation you are connected to. http://developer.xero.com/v2-release-notes/#2.22
An API connection, though facilitated by a user, is tied to the organisation, not the user. This is why the shortcode is the most appropriate unique identifier within a connection.
A major drawback of Xero OAuth2 is that the 'Client Credentials Flow' is not supported. This makes it impossible to implement server-side applications to interact with Xero, because there is no user interaction at all. A lot of people have been complaining about this, and it's shocking that it is still not supported in May 2021!
3 votes
You can now integrate with client credentials using Custom Connections.
Xero has a good SSL configuration on the main app (A+ on SSL Labs), but the API endpoint is running older and weaker encryption.
It appears to have some kind of TLS 1.2 support enabled, but it drops after the initial handshake, which means that TLS 1.2 needs to be excluded as an option when negotiating connections. Annoying having to set this up only for Xero.
1 vote
TLS 1.2 has now been enabled on the API sites!