
Support revoke function #6

Open
judgej opened this issue Sep 3, 2020 · 3 comments
Comments

@judgej

judgej commented Sep 3, 2020

Xero has an endpoint, with basic authorisation, that takes a renewal token and will revoke all granted scopes and connected tenants for the token. This is the only way to revoke all grants at this time (even disconnecting all the tenants leaves the scopes intact, and they all appear when you reconnect tenants).

I was about to write a Xero provider, then found this, so happy to add that function this weekend if you would like to include it. I'll add this provider to the League page too, since there is a gap waiting for it there.
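The revocation call described in this comment, as an added example that is not code from this issue or from the oauth2-xero provider (which is PHP): a minimal RFC 7009 token-revocation client in Python's standard library. The endpoint URL is a placeholder, since the issue does not state Xero's; the `token` and `token_type_hint` form fields and the HTTP Basic client credential are the standard RFC 7009 shape, and `fake_opener` is a test double so the flow runs offline.

```python
import base64
import urllib.error
import urllib.parse
import urllib.request

# Placeholder: substitute the provider's real revocation endpoint. Xero's URL is not
# stated in this issue, so none is assumed here.
REVOCATION_URL = "https://identity.example.invalid/connect/revocation"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic credential for the client (RFC 6749 section 2.3.1, as RFC 7009 uses)."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def mask(secret: str) -> str:
    """Show only the tail of a token in logs and audit trails, never the whole value."""
    return "..." + secret[-4:] if len(secret) > 4 else "****"


def build_revocation_request(url: str, client_id: str, client_secret: str,
                             refresh_token: str) -> urllib.request.Request:
    """POST a form body naming the token to revoke; the hint is optional but helps the server."""
    body = urllib.parse.urlencode({
        "token": refresh_token,
        "token_type_hint": "refresh_token",
    }).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Authorization", basic_auth_header(client_id, client_secret))
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def revoke_refresh_token(url: str, client_id: str, client_secret: str, refresh_token: str,
                         opener=urllib.request.urlopen) -> bool:
    """Return True when the server acknowledged the revocation.

    RFC 7009 servers answer 200 both for a token they revoked and for one they do not
    recognise (already revoked, or never issued), so 200 means "no longer usable", not
    "was valid until now".  Anything else means the grant may still be live, and the
    caller must not delete its stored copy of the token yet.
    """
    req = build_revocation_request(url, client_id, client_secret, refresh_token)
    try:
        with opener(req) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as exc:
        # 401: wrong client credentials; 400: malformed request. Log the status, not the token.
        print(f"revocation failed: HTTP {exc.code} for token {mask(refresh_token)}")
        return False


class _FakeResponse:
    """Stand-in for an HTTP response so the flow can be exercised without a network."""
    def __init__(self, status: int):
        self.status = status

    def __enter__(self):
        return self

    def __exit__(self, *args):
        return False


def fake_opener(status: int):
    """Test double: an opener whose every response carries the given status code."""
    return lambda req: _FakeResponse(status)


if __name__ == "__main__":
    # Offline demonstration with the test double; swap in urllib.request.urlopen for real use.
    ok = revoke_refresh_token(REVOCATION_URL, "id", "secret", "rt-abc", opener=fake_opener(200))
    print("revoked:", ok)
```

Once a revocation is acknowledged, delete the stored refresh token and any cached access token and tenant list as well, since the page notes that Xero drops both scopes and tenant connections in one go and the client's local state would otherwise claim a grant that no longer exists.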

@calcinai
Owner

calcinai commented Sep 3, 2020

@judgej That'd be wonderful, thanks!

judgej added a commit to ardohr-ltd/oauth2-xero that referenced this issue Sep 5, 2020
Documentation yet to be added.
@judgej
Author

judgej commented Sep 6, 2020

PR #7 created.

judgej added a commit to ardohr-ltd/oauth2-xero that referenced this issue Sep 6, 2020
judgej added a commit to ardohr-ltd/oauth2-xero that referenced this issue Sep 6, 2020
Some additional useful properties and also the ability to access them as camelCase (without changing the underlying property names to avoid a BC break)
@judgej
Author

judgej commented Sep 6, 2020

The additional properties on the resource owner allow me to strip out some JWT parsing from my fork of the https://github.com/XeroAPI/xero-php-oauth2-app app that introduces the revoke function. That may or may not be accepted as a PR, but it's all code I need to be sure works for me anyway. Just trying to get rid of the noise in the demo app so we can see the OAuth flow implemented with maximum features and minimum effort.

Also learning much that is not clearly documented:

The difference between xero id and subscriber (sub) is still a mystery to solve. The sub is probably not important, but I'm keeping an eye on it on a hunch.

The iat seems to be the last auth flow time, when the ID token was issued. I'm assuming that doesn't get refreshed with the access token refresh? Correct me if I'm wrong there. The ID token does expire in half an hour, along with the access token, so are we supposed to request a new ID token with the access token refresh? Maybe we do get one and I haven't noticed. The user's details could change in that time - email, given/family names, and it may be important to know that for some offline apps that use those details to send notifications to the Xero user, for example.

The auth_time looks like the time the authorisation was first performed for the app with that resource owner (i.e. xero user). I believe that won't change until the token is revoked and authorisation is starting from scratch, but I need to confirm that. All these additional properties are useful for an audit trail when things go wrong.
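The ID-token claims discussed in the comment above (sub, iat, auth_time, exp and the Xero user id), as an added example that is not code from this issue or from the oauth2-xero provider: a small Python decoder that verifies the token's signature before reading any claim, pins the expected algorithm, and then produces the audit-trail view the comment asks for. The token here is HS256-signed with a constructed secret purely so the example runs offline; that is an assumption of this example, not how Xero signs its tokens, and the claim name `xero_userid` is likewise assumed. Everything else uses only the standard library.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for this example only. A production verifier checks the issuer's
# published public keys instead; the alg pinning and claim handling below apply unchanged.
DEMO_SECRET = b"constructed-example-secret"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    # JWTs drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, secret: bytes) -> str:
    """Build a signed sample token so the example runs offline (a fixture, not a real issuer)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def decode_id_token(token: str, secret: bytes, expected_alg: str = "HS256") -> dict:
    """Return the claims only after the signature checks out; never trust an unverified payload."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: honouring whatever 'alg' the token declares (including "none")
    # would let the signature be swapped out or dropped.
    if header.get("alg") != expected_alg:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(payload_b64))


def is_valid(token: str, secret: bytes) -> bool:
    try:
        decode_id_token(token, secret)
        return True
    except ValueError:
        return False


def summarize_claims(claims: dict, now: int) -> dict:
    """Audit-trail view of the timing and identity claims the thread discusses."""
    return {
        "sub": claims.get("sub"),
        "xero_userid": claims.get("xero_userid"),   # assumed claim name for the Xero user id
        "issued_at": claims["iat"],                   # when this ID token was minted
        "auth_time": claims["auth_time"],             # when the user last actually authenticated
        "expired": now >= claims["exp"],              # exp is exclusive: token is dead at exp
        "seconds_since_issue": now - claims["iat"],
        # True when the token was minted from an existing session rather than a fresh
        # login, so the user's details may have changed since auth_time without a prompt.
        "reused_session": claims["auth_time"] < claims["iat"],
    }


def with_replaced_payload(token: str, new_claims: dict) -> str:
    """Fixture: swap the payload but keep the old signature, which decode_id_token must reject."""
    header_b64, _, sig_b64 = token.split(".")
    return ".".join([header_b64, _b64url_encode(json.dumps(new_claims).encode()), sig_b64])


if __name__ == "__main__":
    # Constructed claims: a token minted at t=1000 from a session authenticated at t=900.
    sample = {"sub": "sub-1", "xero_userid": "user-1", "iat": 1000, "auth_time": 900, "exp": 2800}
    token = make_id_token(sample, DEMO_SECRET)
    print(summarize_claims(decode_id_token(token, DEMO_SECRET), now=2000))
```

The `reused_session` flag is the check behind the comment's concern: when `auth_time` predates `iat`, the token was issued without a new login, so nothing forced Xero to re-read the user's current email or name. Recording both timestamps alongside `sub` for every token you accept gives the audit trail the comment is after, and keeping the signature check ahead of any claim access keeps a forged or altered payload from reaching that trail in the first place.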
