
I have the Xero API set up and the OAuth flow working. I have linked up the "Demo Company UK" as the tenant (Organisation) and have granted my user the Adviser • Contact bank account admin, Payroll admin • Expenses (Admin) permissions (which appears to be the highest level) located here: https://go.xero.com/Settings/Users, but I still get the following error: "You are not permitted to access this resource". I have added all the scopes that should cover the requests and have a valid access token, but still no good.

'client_id'     => env('XERO_CLIENT_ID'),
'client_secret' => env('XERO_CLIENT_SECRET'),
'redirect_uri'  => env('XERO_REDIRECT_URI'),
'scope'         => 'openid email profile offline_access accounting.transactions accounting.contacts accounting.contacts.read accounting.reports.read',

Example function making a basic call to get the users within the account. The connection to Xero is fine but as soon as I try to request any data the same error is thrown.

public function testXero() {
    $xeroAccessToken        = GlobalSetting::where('name', '=', 'xero_access_token')->first();
    $xeroTenantOrganisation = GlobalSetting::where('name', '=', 'xero_tenant_organisation_id')->first();

    $xero = new XeroApp(
        new AccessToken(
            array(
                // the id_token field of the stored JSON record is passed as the access token
                'access_token' => json_decode($xeroAccessToken->value)->id_token
            )
        ), $xeroTenantOrganisation->value
    );
    //dd( $xero ); //we have a successful connection here...

    # Retrieve all contacts
    $contacts = $xero->contacts()->get();

    dd($contacts); //error "You are not permitted to access this resource".
}

Has anybody encountered this issue?

Nick Howarth

3 Answers


The issue is that I was passing id_token when making a new XeroApp class instance. I failed to see all the other objects in the JSON object stored in the database (very large). There is an actual access_token that is stored along with some other useful bits of information that I use within my call.

// decode the stored token record once and pick the OAuth2 fields from it
$token = json_decode($xeroAccessToken->value);

$xero = new XeroApp(
    new AccessToken(
        array(
            'access_token'  => $token->access_token,
            'refresh_token' => $token->refresh_token,
            'expires'       => $token->expires,
        )
    ), $xeroTenantOrganisation->value
);

$contacts = $xero->contacts;

dd($contacts); //RESULTS!!! YES

I will keep this thread open just in case it helps anyone out.

Nick Howarth

Nice save Nick. Yes, the id_token can be used for things like "Sign up with Xero", which can be a huge advantage if your business operations are core to financial data.

https://developer.xero.com/documentation/oauth2/sign-up

It essentially enables you to provision accounts in your system (using the decoded ID token name / email) and sync their Xero data in a single flow. We've seen partners significantly reduce drop-off for new signups because of it.

All that said, a valid access_token and the tenant_id are the things you need to make authorized API calls.

SerKnight
  • Thank you for the additional information here, I just thought originally it was just the API giving the access_token a different name, which I have seen in the past with other API's. – Nick Howarth Aug 14 '20 at 08:37

I had the same problem and I recognized that I had the wrong tenant id. You have to be sure about all credentials.

Enver
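Added example, not code from the question or from any of the answers above: the two failure modes the answers point at (passing id_token instead of access_token, and passing a tenant id the token is not connected to) written as plain-PHP checks you can run before calling the API. The stored token JSON and the connections list below are constructed samples shaped like a Xero token response and like the JSON from Xero's GET https://api.xero.com/connections endpoint; the token values, tenant ids and the function names xeroAccessTokenOptions / xeroTenantIdFor are mine. The returned options array is what the accepted answer passes to new AccessToken(...).

```php
<?php
// Added example (not from the original thread). Validates a stored Xero OAuth2
// token record and resolves a tenant id from the /connections list, offline.

// Constructed stand-in for the JSON blob stored in the xero_access_token setting.
// Note it carries BOTH an id_token (identity of the signed-in user) and an
// access_token (the API credential). Values are fake.
const SAMPLE_TOKEN_JSON = '{
  "id_token": "constructed-id-token-not-an-api-credential",
  "access_token": "constructed-access-token-value",
  "refresh_token": "constructed-refresh-token-value",
  "expires": 4102444800,
  "token_type": "Bearer",
  "scope": "openid email profile offline_access accounting.transactions accounting.contacts accounting.contacts.read accounting.reports.read"
}';

// Constructed stand-in for the JSON returned by GET https://api.xero.com/connections
// (one entry per organisation the token is authorised for). Tenant ids are fake.
const SAMPLE_CONNECTIONS_JSON = '[
  {"id": "conn-1", "tenantId": "11111111-1111-1111-1111-111111111111", "tenantType": "ORGANISATION", "tenantName": "Demo Company UK"},
  {"id": "conn-2", "tenantId": "22222222-2222-2222-2222-222222222222", "tenantType": "ORGANISATION", "tenantName": "Another Organisation"}
]';

/**
 * Turn the stored token record into the options array League's AccessToken expects.
 * Fails loudly when there is no access_token (an id_token-only record) or when the
 * token has already expired, instead of letting the API answer
 * "You are not permitted to access this resource".
 */
function xeroAccessTokenOptions(string $storedJson, int $now): array
{
    $record = json_decode($storedJson, true, 512, JSON_THROW_ON_ERROR);

    if (empty($record['access_token'])) {
        throw new RuntimeException('stored record has no access_token (id_token is not an API credential)');
    }
    if (!isset($record['expires']) || (int) $record['expires'] <= $now) {
        throw new RuntimeException('access_token has expired; refresh it with refresh_token before calling the API');
    }

    return [
        'access_token'  => $record['access_token'],
        'refresh_token' => $record['refresh_token'] ?? null,
        'expires'       => (int) $record['expires'],
    ];
}

/**
 * Resolve the tenantId for a named organisation from the /connections response.
 * Returns null when the token has no connection to that organisation, which is
 * the "wrong tenant id" case from the last answer.
 */
function xeroTenantIdFor(string $connectionsJson, string $tenantName): ?string
{
    foreach (json_decode($connectionsJson, true, 512, JSON_THROW_ON_ERROR) as $conn) {
        if (($conn['tenantName'] ?? '') === $tenantName) {
            return $conn['tenantId'];
        }
    }
    return null;
}

// Usage: both checks must pass before building the XeroApp instance.
$options  = xeroAccessTokenOptions(SAMPLE_TOKEN_JSON, time());
$tenantId = xeroTenantIdFor(SAMPLE_CONNECTIONS_JSON, 'Demo Company UK');

if ($tenantId === null) {
    fwrite(STDERR, "token is not connected to that organisation; re-check the tenant id\n");
    exit(1);
}

// $xero = new XeroApp(new AccessToken($options), $tenantId);   // as in the accepted answer
echo "using access_token (not id_token) for tenant {$tenantId}\n";
```

Keep the expiry check: Xero access tokens are short-lived, so a record that was valid when stored can be stale by the time a later request runs, and the refresh_token in the same record is what the offline_access scope is for.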