0

I have followed the flow described here https://developer.xero.com/documentation/oauth2/auth-flow and can then get a tokenset which works with api requests.

However, looking at https://github.com/XeroAPI/xero-node-oauth2-app/blob/master/src/app.ts I don't see how/where the authorisation code provided to the callback is used to obtain the tokenset. (compare with Steps 2 & 3 of the auth-flow.)

Looking at https://github.com/XeroAPI/xero-node/blob/master/src/XeroClient.ts I think that apiCallback() looks like it should be the place - but there is no mention anywhere of the authorisation code.

exception
  • 569
  • 7
  • 20

4 Answers

1

The example provided (and the Xero client) relies on express being the handler framework. In any other scenario there is a lot of legwork required to imitate that.

Then finally I also discovered that the Xero client insists on using openid scope otherwise the client simply doesn't work. Nothing in the docs to either indicate this, or explain why this restriction is built-in.

exception
  • 569
  • 7
  • 20
0

The xero-node package uses the openid-client package, which retrieves the code and uses it to get the token set here: https://github.com/panva/node-openid-client/blob/master/lib/client.js#L461-L481

rustyskates
  • 856
  • 4
  • 10
  • I'm guessing that `code` must be part of `callbackUrl` at https://github.com/XeroAPI/xero-node/blob/master/src/XeroClient.ts#L89 But I'm still not clear on where that comes from. – exception Mar 27 '20 at 23:40
0

Can you elaborate on what you mean by authorization code? You are correct that the apiCallback fn returns the tokenSet, which you should be saving in your database, associated with each user.

const tokenSet: TokenSet = await xero.apiCallback(req.url);

One of the benefits of using the SDKs is that you don't have to do that code exchange step. The openid client handles that exchange for you. If you are going to roll your own solution you will have to follow all the steps as described in the first documentation link ^^

— code a temporary code that may only be exchanged once and expires 5 minutes after issuance.

SerKnight
  • 2,502
  • 1
  • 16
  • 18
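To make concrete where the code comes from when `xero.apiCallback(req.url)` is called, here is an added plain Node example (not xero-node or openid-client code) of the two steps the SDK hides: pulling `code` and `state` out of the redirect URL, then building the token-endpoint request. `parseCallback`, `buildTokenRequest`, the sample request URL and the endpoint/credential placeholders are all assumptions for illustration.

```javascript
// Added illustration of auth-flow Steps 2 and 3 (not xero-node/openid-client).
// The authorization code is not a separate input: it arrives as the `code`
// query parameter of the redirect to the callback URL, which is exactly what
// xero.apiCallback(req.url) receives. A roll-your-own client must (a) pull
// `code` out of that URL and check `state`, then (b) POST the code to the
// token endpoint. Endpoint and credentials below are placeholders.

// (a) Parse the redirect URL (Express req.url is path + query, hence the base)
// and check `state` against the value stored when the authorize URL was built.
function parseCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl, "http://localhost").searchParams;
  const error = params.get("error");
  if (error) throw new Error(`authorization failed: ${error}`);
  const code = params.get("code");
  if (!code) throw new Error("callback URL carries no authorization code");
  if (params.get("state") !== expectedState) {
    throw new Error("state mismatch: redirect was not started by this session");
  }
  return { code, state: expectedState };
}

// (b) Build the Step 3 request that trades the single-use code for a token set.
// redirect_uri must match the one used in Step 1; the client authenticates
// with HTTP Basic (client_id:client_secret).
function buildTokenRequest(code, clientId, clientSecret, redirectUri, tokenEndpoint) {
  const basic = Buffer.from(`${clientId}:${clientSecret}`).toString("base64");
  return {
    url: tokenEndpoint,
    method: "POST",
    headers: {
      Authorization: `Basic ${basic}`,
      "Content-Type": "application/x-www-form-urlencoded",
    },
    body: new URLSearchParams({
      grant_type: "authorization_code",
      code,
      redirect_uri: redirectUri,
    }).toString(),
  };
}

// Constructed sample: the req.url an Express callback route would see.
const sampleReqUrl = "/callback?code=abc123&state=xyz789&session_state=ignored";
const cb = parseCallback(sampleReqUrl, "xyz789");
const tokenReq = buildTokenRequest(cb.code, "CLIENT_ID_PLACEHOLDER", "CLIENT_SECRET_PLACEHOLDER",
  "https://example.test/callback", "https://TOKEN_ENDPOINT_PLACEHOLDER/connect/token");
console.log(tokenReq.body);
// grant_type=authorization_code&code=abc123&redirect_uri=https%3A%2F%2Fexample.test%2Fcallback
```

The token response is the tokenSet that the SDK returns from apiCallback; the code itself is single-use and expires, so a retried callback must not be exchanged again.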
0

So let's look at https://developer.xero.com/documentation/oauth2/auth-flow again.

Step 1 looks simple enough, but eventually I opted to go with https://developer.xero.com/documentation/oauth2/sign-in

That reference also shows how Step 2 should be performed, something the first link omitted.

However, if you then switch back to the 1st link you'll find the next Steps easier to follow.

exception
  • 569
  • 7
  • 20