I'm working on a custom workflow automation for my company that includes creating expenses and invoices on QuickBooks Online. Is there any way to avoid the OAuth procedure since this is an integration only my company is gonna use?
> Is there any way to avoid the OAuth procedure
No. Intuit uses OAuth for authentication, and that's it.
I'm trying to get an OAuth2 token from QuickBooks. https://developer.intuit.com/app/developer/qbo/docs/develop/authentication-and-authorization/oauth-2.0
I've had a good read for an hour but feel no closer to figuring out how to get a token from the OAuth2 service. Does anyone have clear instructions on how to auth (and handle token refresh) in Logic Apps using OAuth2?
In the previous legacy version of Logic Apps there used to be a built-in QuickBooks connector, but now one of the ways that I found is using a Custom Connector.
You can refer to this tutorial if you have not added the QuickBooks Custom Connector.
Note: Make sure that the logic app and the custom connector are in the same region.
And now, for requesting, retrieving and refreshing access tokens, we need to save the APIs in the same collection that we have created and upload it to the custom connector.
Another workaround is to get the access tokens locally in Visual Studio by publishing the same code to Azure Functions and then adding the same Azure Function connector to our Logic Apps flow.
REFERENCES:
Retrieve an Access Token - Box Developer Documentation
c# - Is there a simple way to access the Quickbooks API using OAuth2? - Stack Overflow
IvAlex1986/QuickBooks.Net: QuickBooks API wrapper for .NET (github.com)
I'm trying to add security to a backoffice CLI tool (NodeJS) that calls a REST API (Java/JAX-RS) for performing database operations etc.
As we're using Azure AD for all our user accounts I'd like to use it for authenticating our users and also for authorization.
The authorization is needed since not all members of the AD are supposed to use the CLI, and there are two types of users of the CLI with a different set of available commands, meaning that even if you are able to use it, some features might be locked out depending on whether you are an operator or administrator.
I've managed to create two applications in Azure AD, one for the CLI and one for the API. I can log in using our AD credentials and fetch access tokens for the CLI app id requesting the REST API resource. On the client side I'm using https://www.npmjs.com/package/simple-oauth2 .
On the Java side the tokens are validated against Microsoft public keys, so everything seems to work out fine.
But, how should I lock down the users to either operator or admin roles? One naive way I can think of is to have the user/role correlation in the REST API and only use the OAuth flow for authenticating the user. But I guess that's what the AD is there for... Could OAuth scopes help me in this case?
Or should the REST API call the AD to query for the user's group memberships, once it receives the access tokens and knows the end user identity?
Thanks in advance!
Use the Application Roles.
Here you will find a good description of what application roles are and how to handle them:
https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
The recommended resources at the end are also very helpful and will guide you through the process.
Also, when developing a CLI it is recommended to use the Device Flow - described here with sample code (.NET Core) here.
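As an added illustration of the application-roles answer above (not code from the original posts): roles assigned to a user on the API's app registration arrive in the access token's `roles` claim, so the API can authorize each command from that claim after it has validated the token. The role values, command names and audience URI below are hypothetical, and the claims objects are constructed samples.

```javascript
// Added example. `claims` must be the payload of a token whose signature,
// issuer and lifetime the API has already validated (the question's Java
// side does this against Microsoft's public keys).
const EXPECTED_AUDIENCE = 'api://backoffice-api-placeholder'; // placeholder App ID URI

// Which app roles may run which command. A Map avoids prototype-key
// surprises; any command not listed here is denied.
const COMMAND_ROLES = new Map([
  ['orders:list', ['Operator', 'Admin']],
  ['orders:purge', ['Admin']],
]);

function authorize(claims, command) {
  // A token issued for a different resource must never be accepted here.
  if (!claims || claims.aud !== EXPECTED_AUDIENCE) {
    return { allowed: false, reason: 'wrong audience' };
  }
  const required = COMMAND_ROLES.get(command);
  if (!required) {
    return { allowed: false, reason: 'unknown command' };
  }
  // A directory user with no role assignment has no usable `roles` claim;
  // treat a missing or malformed claim as "no roles", never as "all roles".
  const roles = Array.isArray(claims.roles) ? claims.roles : [];
  if (roles.length === 0) {
    return { allowed: false, reason: 'no app role assigned' };
  }
  if (!roles.some((role) => required.includes(role))) {
    return { allowed: false, reason: 'insufficient role' };
  }
  return { allowed: true, reason: 'ok' };
}

// Constructed sample claims (not real tokens).
const operatorClaims = { aud: EXPECTED_AUDIENCE, roles: ['Operator'] };
const adminClaims = { aud: EXPECTED_AUDIENCE, roles: ['Admin'] };
const unassignedClaims = { aud: EXPECTED_AUDIENCE };

console.log(authorize(operatorClaims, 'orders:list'));   // allowed
console.log(authorize(operatorClaims, 'orders:purge'));  // insufficient role
console.log(authorize(adminClaims, 'orders:purge'));     // allowed
console.log(authorize(unassignedClaims, 'orders:list')); // no app role assigned
```

The same deny-by-default check belongs in the REST API rather than the CLI, since the CLI runs on the user's machine and cannot be trusted to enforce it.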
The blog post: Announcing Exchange ActiveSync v16.1 states that:
While not a part of EAS 16.1, we also want to note that both Office 365 and Outlook.com customers can now utilize the OAuth 2.0 protocol for authorization through EAS.
My question is: which scope should I use in the oauth request?
Is there an example, perhaps of the full request?
Note: there was a similar question about using OAuth for Office365 with IMAP, but here I'm specifically asking about ActiveSync. I referenced this question in a comment to one of the answers on that thread.
Secondary problem:
Thanks to Jason's answer and some additional tweaks, we managed to generate an OAuth token using https://login.windows.net/common/oauth2 but only for Office 365 users (Organization Accounts) and not for Microsoft user accounts (live, hotmail, outlook.com...)
The token allows access to both ActiveSync protocol (via https://eas.outlook.com/Microsoft-Server-ActiveSync) and for EWS API (via https://outlook.office365.com/EWS/Exchange.asmx).
Unfortunately we cannot find a way to generate the same token for Microsoft online accounts (hotmail, live, outlook.com). We tried using this endpoint: https://login.live.com/oauth20_authorize.srf which allows only ActiveSync and not EWS.
Is there a way to use the same token for both organization and online accounts on both protocols (ActiveSync and EWS)?
Sorry this took so long, but I wasn't aware of this question until today :). You need to register your app as a native application in Azure Active Directory:
Then add the Access mailboxes as the signed-in user via Exchange Web Services (under Office 365 Exchange Online) delegated permission.
NOTE: You cannot register this in the Application Registration Portal (https://apps.dev.microsoft.com), it needs to be registered in the Azure Portal (https://portal.azure.com/), and you need to use the v1 Azure auth endpoints for authorization and token requests.
I am trying to integrate QuickBooks Online v3 with C#.
In the earlier version I could connect with appid and token.
In the current version I would like to bypass the login and use the API. The token is generated after logging in to qbsite.
No, this isn't possible (for what should be very, very obvious security reasons - why would anyone want to allow any person access to all of their company's financial data without any sort of login/authentication mechanism whatsoever?).
The new v3 APIs use OAuth for authentication. The end-user is required to log in once to generate the OAuth tokens and authorize your app to access QuickBooks data.
After that authorization, you can use those tokens to access QuickBooks data any time you want.
This pretty much exactly mirrors the old qbXML connection ticket method that was previously available.
Does the Directory API support authentication with the OAuth2 Service Accounts flow?
I tested the serviceAccount.php google-php-api-client example using the scopes https://www.googleapis.com/auth/admin.directory.group and https://www.googleapis.com/auth/admin.directory.user and it didn't work.
You need to authorize the service account client ID to access the given API scopes in the Google Apps Control Panel. See the step as described in the Drive API docs, just sub in your Admin SDK scopes.
Note that IMHO, there's very little advantage to using a Service Account with Directory/Reporting APIs as you still need to impersonate a user who has super admin (or proper delegated admin) roles in order to perform any API calls. To me it makes just as much sense to just get a 3-legged OAuth 2.0 refresh token which supports offline from the admin. 3-legged can be done entirely programmatically whereas Service Accounts require the manual step above.
Short answer: Yes. #emilylam's question comments hint at the error.