We're experiencing an issue with an integration customer who has not been able to sync using the OAuth2 system for two of their three tenants. One of them is syncing correctly and without issue, but the other two return the following:

    [403] Client error: GET https://api.xero.com/api.xro/2.0/Accounts resulted in a 403 Forbidden response:
    {"Type":null,"Title":"Forbidden","Status":403,"Detail":"AuthenticationUnsuccessful" (truncated...)

Initially we assumed it was a straightforward auth issue; however, their access tokens can be refreshed without error. All three tenants have the same scope settings:

"scope": [
    "email",
    "profile",
    "openid",
    "accounting.settings",
    "accounting.transactions",
    "accounting.contacts",
    "offline_access"
  ]

And I can confirm that their tenant id is being passed to the SDK method (getAccounts, in this case) properly. Disconnecting and reconnecting did not help.

This seems to be a fairly common issue, but none of the solutions I've found for it apply in our case. As far as I've been able to tell, at any rate.

C Arnoldus
  • Well, those scopes are the same as mine, so it shouldn't be anything to do with them. Are you absolutely 100% certain that the Tenant ID is correct? I recently had all sorts of trouble connecting to my new trial account because my VB code was trying to use the old Tenant from the previous trial. I had no problem refreshing the tokens, it just fell over when I actually tried to access any other endpoint. – droopsnoot Apr 30 '21 at 17:24
  • @droopsnoot The tenant ids were correct, but your confirmation that you managed to see the same thing (success with oauth while failure to connect to a tenant) got us looking in a different direction that ended with a solution. I've outlined what we did in the answer. Thanks for your input! – C Arnoldus May 06 '21 at 21:57
  • Glad it helped, even if it was just incidental. – droopsnoot May 07 '21 at 07:56

1 Answer


So we managed to resolve this. As it turns out, the user had disabled our integration from their side (Xero provides the option of revoking authorization from within Xero), giving them the appearance of still being connected to us but no longer having authorization to use the two tenants.

Something to note (which caused some confusion) is that the access/refresh token authentication with OAuth is separate from the tenant-by-tenant authorization for Xero, which is what allowed us to keep refreshing access without being able to use that access.

C Arnoldus
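The practical consequence of the answer above is that an integration should not infer tenant access from a successful token refresh; it should check the tenant against the list of connections the token still has. The following Python is an added example, not code from the original post or from Xero's SDKs. It assumes Xero's connections endpoint (GET https://api.xero.com/connections, which lists the tenants an access token is currently connected to) and the Xero-tenant-id header used on Accounting API calls; the token value, tenant ids, the connections response and the fake HTTP client are all constructed so the example runs offline. The 403 body is the one shown in the question.

```python
import json
from typing import Callable, Tuple

# Real Xero endpoints (per Xero's public API docs); everything else here is constructed.
CONNECTIONS_URL = "https://api.xero.com/connections"
ACCOUNTS_URL = "https://api.xero.com/api.xro/2.0/Accounts"

# (url, headers) -> (status, body). Swap in a real HTTP client in production.
HttpGet = Callable[[str, dict], Tuple[int, str]]

# Constructed tenant ids standing in for the customer's three organisations.
TENANT_A = "11111111-1111-1111-1111-111111111111"
TENANT_B = "22222222-2222-2222-2222-222222222222"
TENANT_C = "33333333-3333-3333-3333-333333333333"

# Constructed /connections response: after the user revoked the integration for
# B and C from inside Xero, only A is still listed. Field names follow the
# documented shape of the connections endpoint; the values are made up.
SAMPLE_CONNECTIONS_BODY = json.dumps([
    {"id": "aaaaaaaa-0000-0000-0000-000000000001",
     "tenantId": TENANT_A, "tenantType": "ORGANISATION", "tenantName": "Tenant A"},
])

# The 403 body quoted in the question, returned by the fake server for revoked tenants.
FORBIDDEN_BODY = json.dumps({"Type": None, "Title": "Forbidden", "Status": 403,
                             "Detail": "AuthenticationUnsuccessful"})


def connected_tenants(access_token: str, http_get: HttpGet) -> set:
    """Return the tenant ids this token is still connected to.

    A token that refreshes fine can still have a shrunken or empty connections
    list: refresh proves the OAuth grant, not per-tenant authorisation.
    """
    status, body = http_get(CONNECTIONS_URL, {"Authorization": f"Bearer {access_token}"})
    if status != 200:
        raise RuntimeError(f"/connections returned {status}; treat this as a token problem")
    return {conn["tenantId"] for conn in json.loads(body)}


def classify_error(status: int, body: str) -> str:
    """Separate a token failure (401) from a tenant-authorisation failure (403)."""
    if status == 401:
        return "token_rejected"
    if status == 403:
        try:
            detail = json.loads(body).get("Detail")
        except ValueError:
            detail = None
        return "tenant_not_authorised" if detail == "AuthenticationUnsuccessful" else "forbidden"
    return "other"


def get_accounts(access_token: str, tenant_id: str, http_get: HttpGet) -> dict:
    """Fetch Accounts for one tenant, checking tenant authorisation first."""
    if tenant_id not in connected_tenants(access_token, http_get):
        raise PermissionError(
            f"tenant {tenant_id} is no longer connected to this integration; "
            "ask the user to reconnect it in Xero (the OAuth token itself is still valid)")
    headers = {"Authorization": f"Bearer {access_token}", "Xero-tenant-id": tenant_id}
    status, body = http_get(ACCOUNTS_URL, headers)
    if status != 200:
        raise RuntimeError(f"[{status}] {classify_error(status, body)}: {body}")
    return json.loads(body)


def sync_status(access_token: str, tenant_ids, http_get: HttpGet) -> dict:
    """Report each tenant as 'connected' or 'disconnected' for the given token."""
    connected = connected_tenants(access_token, http_get)
    return {t: ("connected" if t in connected else "disconnected") for t in tenant_ids}


def fake_xero(url: str, headers: dict) -> Tuple[int, str]:
    """Constructed stand-in for Xero: one valid bearer token, only Tenant A connected."""
    if headers.get("Authorization") != "Bearer good-token":
        return 401, ""
    if url == CONNECTIONS_URL:
        return 200, SAMPLE_CONNECTIONS_BODY
    if url == ACCOUNTS_URL:
        if headers.get("Xero-tenant-id") == TENANT_A:
            return 200, json.dumps({"Accounts": [{"Code": "200", "Name": "Sales"}]})
        return 403, FORBIDDEN_BODY
    return 404, ""


if __name__ == "__main__":
    print(sync_status("good-token", [TENANT_A, TENANT_B, TENANT_C], fake_xero))
    print(get_accounts("good-token", TENANT_A, fake_xero))
    try:
        get_accounts("good-token", TENANT_B, fake_xero)
    except PermissionError as exc:
        print("Tenant B:", exc)
```

Running the connections check before each sync (or at least before reporting a tenant as "connected" in your UI) turns the opaque 403 into an actionable "user revoked this tenant, prompt them to reconnect" state, and keeps a still-refreshable token from being mistaken for working access.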