March 20, 2018 | Anil Kumar

Implement OAuth 2.0 / OpenID Connect using a sample application in Node.js & PHP in just a few minutes

This article demonstrates how to implement the OAuth 2.0 and OpenID Connect workflows in just a few minutes. Yes, that’s right, you can master the authorization workflows in just under 15 minutes. It provides you with a clear understanding of:

  • Implementing OAuth 2.0 in your app
  • Making API calls using the tokens in OpenID and OAuth 2.0 authorization workflows
  • How to refresh the access token
  • The difference between OpenID Connect and OAuth 2.0 authorization workflows

For starters, refer to our earlier posted blog introducing the release of OAuth 2.0 and OpenID Connect: https://developer.intuit.com/hub/blog/2017/07/17/oauth-2-0openid-connect-now-available-new-developers

Note: This blog showcases the OAuth 2.0 and OpenID Connect authorization flows in JavaScript (Node.js) and PHP only.

Implement OAuth 2.0 in your app

To get started, perform the following steps:

1. Clone the demo and follow the instructions in the README.md included with it (links below).

2. Create an app, if you have not already created one, by logging in to developer.intuit.com.

3. Get the Client ID and Client Secret keys from your app’s Keys tab.

4. Enter this redirect URI in your app’s Keys tab: http://localhost:3000/callback. The URI you register must match the one the demo sends character for character; the authorization server rejects a request whose redirect_uri differs from what is registered.

5. Add your keys to the demo app’s configuration file. Treat the Client Secret like a password: keep it out of version control and out of any browser-side code.

Note: If you want to run the sample with TLS/SSL, you need to expose it on a hostname reachable over the internet. Refer to the appropriate README.md for more information:

  • JavaScript: https://github.com/IntuitDeveloper/OAuth2.0-demo-nodejs#tls–ssl-optional
  • PHP: https://github.com/IntuitDeveloper/OAuth2.0-demo-php#tls–ssl-optional

Now start the demo app by following the README.md of the demo you cloned.

What’s happening in the demo code

Overall, just two HTTP requests to the authorization server are necessary:

  • The first requests an authorization code.
  • The second exchanges the authorization code for an access token.

On a high level, here is what’s happening:

1. The demo builds the authorization URL from your Client ID, the requested scopes, and the redirect URI registered in your app’s Keys tab on https://developer.intuit.com/.

2. Request #1 sends the browser to the authorization URL, where the user signs in and grants the requested scopes.

3. This URL redirects back to the pre-configured redirect URI (callback). Code at this location extracts the code and

4. Request #2 posts the code to the token endpoint and exchanges it for an access_token (together with the refresh_token used later to renew it).

5. The browser window closes.

JavaScript

  • Request an authorization code:

  • Exchange the authorization code for an access token:

  • We open the AuthURL in a window as shown above. On redirect, the callback receives the authorization code and realmId; the /callback route then exchanges the code for an access token.

Make an API call using the generated tokens

Now, make an API call using the tokens generated from the previous section.

JavaScript

We use the node-quickbooks library to make the API call, as follows:

PHP

We use the QuickBooks-V3-PHP-SDK library to make the API call, as follows:

Access token lifetime and how to refresh the access token

Access tokens are valid for 3600 seconds (one hour). After that, obtain a fresh access token with the refresh_token, always using the latest refresh_token returned by the previous token request: the response to a refresh can carry a new refresh_token that replaces the old one.

To learn more about refreshing the access token, see the following documentation page: https://developer.intuit.com/docs/00_quickbooks_online/2_build/00_build#/Refreshing_the_access_token

Here’s how we do it in the sample code:

JavaScript

  • Create a QuickBooks object and pass the parameters (clientID, clientSecret, access_token, refresh_token, realmID, and so on).
  • Call the refreshAccessToken() method of the qbo object, then persist the new access_token and refresh_token from the response; the next refresh must use the newest refresh_token.

PHP

  • Create the DataService object by passing the parameters (clientID, clientSecret, redirectUri, scope, and baseUrl).
  • Invoke the getOAuth2LoginHelper() method from the DataService object created above.
  • Call the refreshToken() method of the OAuth2LoginHelper object.
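As an added example covering both this section and the preceding “Make an API call using the generated tokens” section, the block below shows the token lifecycle in plain Node.js without either SDK. It is not code from the Intuit demo or the SDKs. It refreshes shortly before the one-hour expiry, retries an API call exactly once after a 401, and persists the newest refresh_token immediately after every refresh. The get, post and save callbacks are hypothetical (in production they would wrap fetch() or https.request() and your token store), and the token endpoint URL is a placeholder.

```javascript
// Added example (not code from the Intuit demo or SDKs): refresh-before-expiry,
// one retry on 401, and always keeping the newest refresh_token.
// HTTP goes through injected functions so the example runs offline.
const REFRESH_SKEW_MS = 60 * 1000; // refresh a minute early: clock skew and latency

// What the app persists per connected company. Expiry is absolute local time.
function tokenSetFromResponse(json, now = Date.now()) {
  if (json.error) throw new Error(`token endpoint error: ${json.error}`);
  return {
    accessToken: json.access_token,
    refreshToken: json.refresh_token, // may differ from the one just used
    expiresAt: now + json.expires_in * 1000,
  };
}

function needsRefresh(tokens, now = Date.now()) {
  return now + REFRESH_SKEW_MS >= tokens.expiresAt;
}

// grant_type=refresh_token, client credentials in an HTTP Basic header.
function buildRefreshRequest(cfg, tokens) {
  const basic = Buffer.from(`${cfg.clientId}:${cfg.clientSecret}`).toString("base64");
  return {
    url: cfg.tokenEndpoint,
    method: "POST",
    headers: {
      Authorization: `Basic ${basic}`,
      "Content-Type": "application/x-www-form-urlencoded",
      Accept: "application/json",
    },
    body: new URLSearchParams({ grant_type: "refresh_token", refresh_token: tokens.refreshToken }).toString(),
  };
}

// Refresh and return the new token set. invalid_grant means the refresh token
// itself is dead (expired, revoked, or superseded by a rotation that was never
// stored); the only recovery is sending the user through authorization again.
function refresh(cfg, tokens, post, now = Date.now()) {
  const json = post(buildRefreshRequest(cfg, tokens)); // post(request) -> parsed JSON (hypothetical)
  if (json.error === "invalid_grant") {
    const err = new Error("refresh token rejected; user must re-authorize");
    err.reauthorize = true;
    throw err;
  }
  return tokenSetFromResponse(json, now);
}

// GET an API resource with the bearer token. get(url, headers) -> { status, body }
// and save(tokens) are hypothetical; save runs before the next request so a crash
// cannot leave a stale refresh token on disk.
function callApi(cfg, tokens, url, { get, post, save }, now = Date.now()) {
  if (needsRefresh(tokens, now)) {
    tokens = refresh(cfg, tokens, post, now);
    save(tokens);
  }
  const headers = () => ({ Authorization: `Bearer ${tokens.accessToken}`, Accept: "application/json" });
  let res = get(url, headers());
  if (res.status === 401) { // revoked token, or skew larger than our margin
    tokens = refresh(cfg, tokens, post, now);
    save(tokens);
    res = get(url, headers()); // exactly one retry; a second 401 is an error
  }
  if (res.status !== 200) throw new Error(`API call failed with HTTP ${res.status}`);
  return { body: res.body, tokens };
}
```

Callers must replace their stored token set with the one callApi returns; keeping the old refresh_token after a rotation is the most common way to end up with invalid_grant an hour later. Serialize refreshes per realmId (a lock or single-flight) so two concurrent requests do not race to use the same refresh_token.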

The difference between OpenID Connect and OAuth 2.0

OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the end user based on the authentication performed by an authorization server, as well as to obtain basic profile information about the end user in an interoperable and REST-like manner.


This demo app showcases both OAuth 2.0 and OpenID Connect authorization workflows.

OAuth 2.0

  • Scope: space-delimited set of permissions that the application requests
    • com.intuit.quickbooks.accounting — QuickBooks Online API
    • com.intuit.quickbooks.payment — QuickBooks Payments API

OAuth 2.0 authorization flow:

OpenID Connect

  • Scope: space-delimited set of permissions that the application requests
    • openid—required for OpenID Connect; returns the ID token that identifies the signed-in user
    • profile—user’s basic profile (given and family name)
    • email—user’s email address
    • phone—user’s phone number
    • address—user’s physical address

Additionally, when enabling Intuit single sign-on from the QuickBooks app store, specify one or both of these scopes to authorize your app’s access to your user’s QuickBooks company:

  • com.intuit.quickbooks.accounting—QuickBooks Online API
  • com.intuit.quickbooks.payment—QuickBooks Payments API

OpenID Connect authorization flow:

  • For OpenID Connect documentation, click here.

Learn more

  • For more details on OAuth 2.0, such as generating a new access token using a refresh token, refer here.
  • To call the APIs programmatically, leverage the official SDKs which take care of authentication, data serialization, and several other aspects of QuickBooks Online REST API calls.
  • Links to sample programs that use the official SDKs for some basic use cases are found here.

If you have any questions regarding this, please reach out to us online in our community or open a support case: https://help.developer.intuit.com/s/
