Cybersecurity is one of the most important features of technology today, and following best practices is required to protect your clients’ information. Xero Accounting Software is gradually transitioning from OAuth 1.0a to OAuth 2.0: partner apps are required to add 2.0 by December 2020, and support for 1.0a will be discontinued in March 2021. To make sure you don’t miss the deadline, we figured we’d cover our implementation for one of our clients and highlight 3 key lessons from the upgrade.

Before I get to the three lessons learned, I’d like to give you a brief introduction to Xero and OAuth.

What is Xero?

Xero is cloud-based accounting software that makes it easier to track your business’s financial performance in real time, while simplifying tax compliance activities. It includes tools for taxes, invoices, accounting, payroll, inventory, and more.

What Changed in OAuth 2.0?

In OAuth 2.0, a single API can be used to access all of the organisation’s data. The initial access token is temporary, valid for 30 minutes; once authorised, it provides a 30 day access token and the ability to use refresh tokens every 30 days. This improves efficiency and security because re-authorisation no longer requires the user’s credentials.

The picture below shows a screen listing which of your applications are upgraded and which are not. The 30 minute access tokens are not upgraded because this functionality was altered in OAuth 2.0, so they are no longer required.

How do I upgrade to OAuth 2.0?

I won’t be going into specifics on how to upgrade, as Xero has a great document, linked below, that outlines the process of upgrading from OAuth 1.0a to OAuth 2.0.

https://developer.xero.com/documentation/oauth2/auth-flow

The three main lessons learned during this project:

  1. Refresh tokens make it easier to keep authorisation without doing it manually.
  2. Watch out for flaws in the coding.
  3. Customer Flow and Software Flow may change.

Refresh Tokens Make it Easier to Keep Authorisation without Manually Authorising

One of the biggest changes between OAuth 1.0a and 2.0 is the use of refresh tokens to maintain authorisation. This requires including the scope offline_access when requesting authorisation for your app. When the access token is about to expire, your app POSTs the refresh token to the token endpoint, which returns a new refresh token (alongside the new access token); the app needs to save that new refresh token for the next time the access token is about to expire. If you also include the scopes openid profile email, the user will be able to use a Sign in with Xero button in other apps you’ll be using.
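The refresh step above in Python, as an added example rather than code from the original post or from Xero’s SDK: the manager refreshes shortly before expiry, sends the stored refresh token with the client credentials to Xero’s token endpoint, and persists the rotated refresh token before anything else can run. The `post`, `save` and `now` hooks are assumptions of this example so it runs offline, and `FakeTokenEndpoint` is a constructed stand-in for the real endpoint.

```python
import base64

XERO_TOKEN_URL = "https://identity.xero.com/connect/token"  # Xero's token endpoint
REFRESH_SKEW = 60  # refresh this many seconds before the access token expires

class ReauthorisationRequired(Exception):
    """The refresh token was rejected; the user has to reconnect the organisation."""

class TokenManager:
    def __init__(self, client_id, client_secret, tokens, post, save, now):
        # tokens: dict with access_token, refresh_token, expires_at (epoch seconds).
        # post(url, headers, form) -> (status, json), save(tokens) and now() are
        # assumed hooks so this runs offline; they are not Xero API names.
        self.client_id, self.client_secret = client_id, client_secret
        self.tokens = dict(tokens)
        self.post, self.save, self.now = post, save, now

    def get_access_token(self):
        # Refresh shortly before expiry so a request never goes out with a dead token.
        if self.now() >= self.tokens["expires_at"] - REFRESH_SKEW:
            self.refresh()
        return self.tokens["access_token"]

    def refresh(self):
        # Client credentials go in an HTTP Basic header, not in the form body or URL.
        creds = base64.b64encode(f"{self.client_id}:{self.client_secret}".encode()).decode()
        form = {"grant_type": "refresh_token", "refresh_token": self.tokens["refresh_token"]}
        status, resp = self.post(XERO_TOKEN_URL, {"Authorization": "Basic " + creds}, form)
        if status != 200:
            # invalid_grant: refresh token stale or revoked; only a new user authorisation recovers.
            raise ReauthorisationRequired(resp.get("error", "refresh failed"))
        # Refresh tokens are rotated on use: persist the new one now or the next refresh fails.
        self.tokens = {"access_token": resp["access_token"],
                       "refresh_token": resp["refresh_token"],
                       "expires_at": self.now() + resp["expires_in"]}
        self.save(self.tokens)

class FakeTokenEndpoint:
    """Constructed stand-in for the token endpoint; each refresh token is single-use."""
    def __init__(self, valid_refresh_token):
        self.valid, self.issued = valid_refresh_token, 0

    def post(self, url, headers, form):
        ok = headers.get("Authorization", "").startswith("Basic ")
        if not ok or form.get("grant_type") != "refresh_token" or form.get("refresh_token") != self.valid:
            return 400, {"error": "invalid_grant"}
        self.issued += 1
        self.valid = f"refresh-{self.issued}"
        return 200, {"access_token": f"access-{self.issued}",
                     "refresh_token": self.valid, "expires_in": 1800}
```

A second process that still holds the old refresh token gets `invalid_grant` on its next refresh, which is why the stored token must be shared and updated atomically rather than copied per client.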

Watch out for Flaws in Coding Provided by Xero

During our project, we discovered mismatches in several of the new .cs files compared to the old files previously provided by Xero. One of our developers had to correct them until an official fix is provided by Xero. We took the extra step of sending a pull request and reporting the issue to Xero’s development team to make sure they were aware. An official fix will be coming in the next update.

Customer Flow and Software Flow May Change after Updating

In our situation, our client had set up their software to work with the fairly loose coupling that OAuth 1 had. What I mean by that is that OAuth 1 was more of a one-to-one connection at one point in time that needed to be refreshed and didn’t maintain a connection. OAuth 2 is more encompassing in that it establishes a longer-term connection.

In our client’s application they were mapping clients on a one-to-one basis to their Xero files, but in OAuth 2, once a connection is established to a Xero file, that connection holds until it is disconnected (and the token deleted). This caused issues when they went to link a second client but couldn’t select from an already connected account.

This meant we had to set up a central page that all Xero connections go through. Once the Xero connection was made to our client’s application, they then went to the clients and had a drop-down of already connected Xero accounts, rather than actually connecting at the client level. This is a far cleaner approach and allows an overview of all Xero connections on the page.

Those are the 3 lessons we learned from our Xero OAuth 2.0 upgrade. Upgrading Xero to OAuth 2.0 is required by March 2021. To schedule your OAuth upgrade, go to our promotion page.