I’m currently working on an interface between an Application built using MS Access and the Xero Accounting application using Xero’s API. It’s a seriously large application not some dinky little Access app.
Xero are moving to oAuth 2.0 authentification. The deprecation of oAuth 1.0, which used Open-SSL for authentification, has presented some challenges.
With 2.0 authentification is centered on a user logging in using their credentials then the application taking the returned response to request an access token. That token only inherits that user’s authority. So if the user does not have adequate permissions then neither will the application.
The first problem is that if your application automates the data exchange with Xero, rather than being manually initiated by a user, then this approach doesn’t work so well.
The second problem is scope. If the user who logs in does not have the authority to enter invoices into Xero then neither will your application. Imagine the use case where a user can enter invoices into your application but we don’t want to grant them authority to enter invoices directly into Xero. Sorry, not possible.
So along came xoAuth which allows us to setup a connection authority, and specify the scope of the connection then have that connection ratified by someone with adequate authority just once.
We then store those credentials in the application and the application can then use those credentials to do what it needs to do.
Each time the application intiates a call to the Xero API, it first uses a refresh token to get an access token. These tokens are used in combination with the Client ID and Client Secret (really long random password) you setup with Xero to check it’s authenticity.
So now your application can happily connect with Xero’s API anytime it needs to without user intervention.