
The scenario

So I am building an app that should display data from my Xero account to the users. Users should not be able to log in via OAuth2 to my web app, so that's why I need a persistent auth token that is independent of the users' login. The current API authentication implementation from Xero does not allow that, and the token expires in 30 minutes, so I need a way to do this somehow in the background or with some kind of persistent token (which is not available, as far as I can see in their docs for Auth).

Stack

I am using Laravel with the package Xero Laravel, which uses the XeroPHP package as a core dependency. Currently I am using Postman to do refresh-token requests and I am adding the token manually (for testing purposes, of course). This should not be the case when it goes to production, though. So I need a way to somehow "store" or refresh the token globally for the whole app, using only my account as the authorization to Xero.

Problem summary

My web app needs to fetch data (invoice data in particular) from my Xero account, and no OAuth tokenization is required for the users (since I am using the native Laravel Auth for this purpose) who are going to read this data in a GUI.

How should I accomplish this without OAuth2 (if there is any way), or how can I do this if only my account is the "global" one for the app?

Momondo
  • My understanding is that you cannot do it without OAuth2 now. But you can generate the access token and refresh token with only a single instance of user interaction (which you could do yourself) and then keep refreshing after the token expires. See this video for an idea: https://www.youtube.com/watch?v=Zcf_64yreVI&t=1s when using machine-to-machine connections. – droopsnoot May 13 '20 at 11:46
  • @droopsnoot thanks for this manual. I already set this up, but I was wondering what's the best way to store the access_tokens on the Laravel (PHP) side after they are refreshed. I was thinking about Redis (in-memory DB caching), but I'm not sure if that's the best idea... – Momondo May 13 '20 at 12:10
  • Ah, sorry, I know a bit of PHP but have no experience with stuff like Laravel (I've heard of it, but have no idea what it actually is / does). In VB I just store them in the application settings file, or a text file would do just as well. – droopsnoot May 13 '20 at 12:20

1 Answer


The other comments are correct that there is an initial required step: the user on whose behalf you are calling API endpoints must authorize your API application.

Once you have their valid token_set (access_token, refresh_token, expiry, etc.) you can store that securely and continue making offline_access API calls on their behalf. Note that you must programmatically refresh the token_set at least once every 60 days for it to remain valid.

I'd also recommend checking out the Xero-supported libraries for help getting started quickly:

Thanks to @droopsnoot for linking the video explaining how this works:

SerKnight
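As an added example of what the answer describes (storing the token_set securely after the one-time authorization and refreshing it programmatically in the background), here is a small Laravel service that does the refresh-token grant against Xero's token endpoint. This is example code written for this page, not the answer's code and not part of the Xero Laravel or XeroPHP packages; the class name `XeroTokenStore`, the `services.xero.client_id` / `services.xero.client_secret` config keys, the storage path and the lock name are all assumptions for the example. It assumes the first token_set was already obtained through the browser authorization and saved once with `save()`.

```php
<?php
// Added example, not from the answer or from the Xero/XeroPHP libraries.
// Assumed names: XeroTokenStore, config keys services.xero.*, the storage
// path and the cache lock name are illustrative choices for this example.

namespace App\Services;

use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\Crypt;
use Illuminate\Support\Facades\Http;
use Illuminate\Support\Facades\Storage;
use RuntimeException;

final class XeroTokenStore
{
    // Xero's OAuth2 token endpoint; access tokens live 30 minutes, refresh
    // tokens 60 days, and Xero rotates the refresh token on every refresh.
    private const TOKEN_URL = 'https://identity.xero.com/connect/token';
    private const FILE = 'xero/token_set.enc';   // relative to storage/app (assumed path)
    private const SKEW = 60;                     // refresh this many seconds before expiry

    /** Return a valid access token, refreshing the stored token_set when it is about to expire. */
    public function accessToken(): string
    {
        // Serialize refreshes across web workers and queue workers: because the
        // refresh token is single-use, two concurrent refreshes would leave one
        // side holding a dead token_set.
        return Cache::lock('xero-token-refresh', 15)->block(10, function () {
            $set = $this->load();
            if (time() >= ($set['expires_at'] - self::SKEW)) {
                $set = $this->refresh($set);
            }
            return $set['access_token'];
        });
    }

    /** Persist a token_set (from the initial authorization or a refresh), encrypted at rest. */
    public function save(array $set): array
    {
        // expires_at is computed here from Xero's expires_in (seconds) so later
        // checks need no clock math against the original response.
        $set['expires_at'] = time() + (int) ($set['expires_in'] ?? 1800);
        Storage::disk('local')->put(self::FILE, Crypt::encryptString(json_encode($set)));
        return $set;
    }

    private function load(): array
    {
        if (!Storage::disk('local')->exists(self::FILE)) {
            throw new RuntimeException('No Xero token_set stored; run the one-time authorization first.');
        }
        $set = json_decode(Crypt::decryptString(Storage::disk('local')->get(self::FILE)), true);
        if (!is_array($set) || empty($set['refresh_token']) || empty($set['expires_at'])) {
            throw new RuntimeException('Stored Xero token_set is malformed.');
        }
        return $set;
    }

    private function refresh(array $set): array
    {
        // Client credentials go in the Authorization header, never in the URL.
        $response = Http::withBasicAuth(
                config('services.xero.client_id'),
                config('services.xero.client_secret')
            )
            ->asForm()
            ->post(self::TOKEN_URL, [
                'grant_type'    => 'refresh_token',
                'refresh_token' => $set['refresh_token'],
            ]);

        if (!$response->successful()) {
            // An invalid_grant error here means the refresh token was already
            // used or has passed its 60-day lifetime. Only a human re-authorizing
            // in the browser can recover, so fail loudly instead of retrying.
            throw new RuntimeException('Xero token refresh failed: ' . $response->body());
        }

        // Store the whole response: the rotated refresh_token must replace the old one.
        return $this->save($response->json());
    }
}
```

To satisfy the 60-day rule even when nobody opens the app, register `$schedule->call(fn () => app(XeroTokenStore::class)->accessToken())->daily();` in `app/Console/Kernel.php` so the scheduler performs a refresh whenever the stored token is stale. The store writes an encrypted file here only because the question's stack has no database requirement for it; the same class could write to a database row or Redis instead, and the security-relevant points are unchanged: encrypt the token_set at rest, keep the client secret in configuration rather than in the stored blob, and make sure exactly one writer performs the refresh.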