December 20, 2018 | Lisa Tesler

OAuth 1.0 Deprecation – Migrate to OAuth 2.0 by December 17, 2019

NOTE: Blog updated to reflect new tools available, and to clarify OpenID Connect requirement.

What is happening?

On December 17th, 2019, Intuit will discontinue all support for OAuth 1.0 and OpenID 2.0. After December 17th, 2019, applications will no longer be allowed to make API calls using OAuth 1.0 and OpenID 2.0.

Why is this happening?

We are making this change to keep our QuickBooks Online and QuickBooks Payments customers aligned with industry standards.

What tools are available?

Our OAuth migration libraries and Migration documentation are available to all developers. Plus, all developers that joined before July 2017 can now see tabs for both OAuth 1.0 and OAuth 2.0 keys in their developer accounts.

If your app was created using OAuth 2.0 keys, you will only see OAuth 2 settings, and you will not see the Migration tab in the OAuth 2.0 Playground.

How do I know which type of OAuth I’m using?

See the Authentication and Authorization docs for detailed information about how to determine which version of OAuth and OpenID your apps currently use.

What should I do and when?

If you are affected by this change, please update your application code and your app settings in your developer account:

  • If your app is still under development and you have no connections in Production yet, change your code now to support OAuth 2.0. (It’s easier to implement than OAuth 1.0.)
  • If your app is live and already has connections in Production, start planning your migration to OAuth 2.0 as soon as possible (well before the December 17, 2019 deadline). We recommend that you review the Migration documentation and the migration sections of the OAuth FAQ now, to determine the resources and time you’ll need.
  • If your app supports OpenID 2.0, be sure to also migrate to OpenID Connect.

What happens to my existing OAuth 1.0 tokens? Can I continue to use them?

Your OAuth 1.0 tokens continue to remain valid until December 17, 2019 or earlier based on your token expiration duration. You can continue to maintain OAuth 1.0 connections while you work on implementing OAuth 2.0 in your app. Additionally, you can use the Migration API to send us your OAuth 1.0 tokens and get corresponding OAuth 2.0 tokens programmatically. At that point, those OAuth 1.0 tokens will continue to work for 30 days, after which they will be invalidated.

Has this requirement been announced before?

About 18 months ago, we announced support for OAuth 2.0. At that time, all new apps started using OAuth 2.0 for authorization, and (optionally) OpenID Connect for single sign-on authentication.

We updated the developer portal with information about our long-term plan to deprecate OAuth 1.0. We also started working on a migration plan to help existing developers move from OAuth 1.0 to OAuth 2.0. We launched an OAuth 1.0 to 2.0 migration open beta program to give you an opportunity to use and give us input on our migration tools and processes.

Over the past year, we have provided several OAuth 2.0 libraries, and included modules to migrate OAuth1.0 tokens to OAuth2.0. Most recently, we released libraries in Python and Node.js.

The beta program has been completed, and our migration tools and plan are now in place. We’re asking all developers to move off of OAuth 1.0 by December 17, 2019.

Will there be more deprecations and migrations in the future?

Yes. In September 2018, we deprecated TLS 1.0 and 1.1, and we have deprecated other capabilities over the years. As participants in a technology ecosystem, it’s a good idea to plan ahead so that your integration can evolve alongside Intuit, as we stay aligned with industry practices and consumer expectations.

Here are a few best practices that can help:

  • Follow our blog for early views of upcoming changes to QuickBooks APIs, so that you have plenty of time to prepare for important changes.
  • Verify that the email address in your developer account goes to a monitored inbox, so that you receive important notices in a timely manner.
  • If you outsource your integration to a 3rd-party vendor or contractor, plan your long-term budget to include support for QuickBooks API changes–especially changes related to security, privacy, and adherence to broad industry standards.

I have questions!

Have questions or feedback? Please feel free to comment below or in our developer forums.

 

 

 

Comments

View all
Load more comments