Authorisation Question


I have an application which will be used by several customers to link to SageOne. Some of these customers will in turn have more than one business in their SageOne account.

Currently I have a trial business of my own set up, and I've now linked my application to a customer's real company as well - for read only purposes just now.

In testing my application I've come across a problem that occurs when a Refresh Token expires after 31 days (unlikely but certainly possible). My application has code in it to recognise this and trigger the initial authentication again; however, when I run it, a) I don't get the SageOne login screen and b) I get tokens back that point to the wrong SageOne account (I can see this because I check the id on the Businesses endpoint against one stored in my application).

So I don't understand what's happening here at all?

Kind Regards

Reg



So following this up, I logged into my own trial SageOne account and removed my App's connection. When I next ran my App I was prompted to log into SageOne and authorize the connection. I then ran my App pointing to the customer's SageOne account, requiring new tokens, and they came back ok pointed to the correct account. What's really worrying is that when a Refresh Token expires re-authorization will go wrong and effectively my application may stop working for several customers. 


  • Administrators

Hi Reginald,

I see now from this post you are correctly using the X-Business header, so disregard my reply in the other forum. It would be best to try and keep this thread in one place though, so if you can do that going forward that would be great. 

Can you advise further on how you have been simulating the refresh token expiry? Removing the connected app from inside the Web app UI will revoke the grant on all active tokens.

Ben


Hi Ben,

Yes, initially posted to the wrong place, apologies...

So I've just done some more testing. I've currently got two trial subscriptions set up:

1. SolutionJ Limited, set up with email address [email protected]

2. Aardvark Aardvarks Limited, set up with email address [email protected]

So nothing connects these two as far as your platform is concerned.

From a single computer, I have connected to both subscriptions via the same application, which is called TradaBase, storing the resulting Access and Refresh tokens separately for each subscription.

Provided I continue to pass in an Access Token with any subsequent request, the API works fine regardless of which subscription I'm logged into via the browser, i.e. if I log into the SolutionJ subscription but then try to connect from my application to the Aardvark subscription it works - I get a new Aardvark Access and Refresh token pair back.

However, if I am unable to submit an Access Token, as I would be in the event of wanting to set up a new connection to a new subscription (and here I'm not sure what would happen if the Access Token has expired), then the problems start. Basically I can only do this if I first log into the subscription I wish to connect to, otherwise I get back an Access and Refresh Token for the wrong subscription.

Here's specifically what I did. I logged into the SolutionJ subscription. Then I ran my Application to try and connect to the Aardvark subscription, but passing no tokens. My application tried to do the initial grant process, but instead what I got back was an Access / Refresh token pair for the SolutionJ subscription.

So this is not about lead businesses etc as that only applies to individual subscriptions, this is about multiple subscriptions.

It seems that trying to get an initial grant can only work if when doing so the person is also logged into the relevant subscription at the same time, and to me this is a weakness. How would my application know if the person asking for the initial grant was logged into the relevant subscription? They could easily end up pointing at the wrong subscription, with potentially very serious consequences.

There's a further issue here which is related. At the moment I've put a bit of code in to trap these erroneous connections, but it requires comparing the businessid passed back from the API with one stored in my application; however, when a new person uses my application to connect to a new subscription my application cannot yet know the businessid, as it can only be seen via the API!

Cheers

Reg


  • Administrators

Hi Reginald,

Thank you for the very detailed response, this makes sense now. 

As you are currently logged into the SolutionJ business, when you go to connect via your application to the Aardvark business, the cached session is used, authentication is already completed and the tokens returned are for the currently authenticated user logged into that business. 

Have you found that there are circumstances where a user of your application will also need to be logged into Accounting in a separate business with different credentials?

I'll investigate the business ids and see if there's anything else I can suggest.

Ben


Hi Ben,

I think it's 100% certain that someone somewhere will, if they haven't already, find they are connecting to "the wrong subscription" as a result of this. Developers like me are exposed, for example, because I will ask every SageOne user that wants to use TradaBase to invite me as a user of their system. To do this I give them a unique email address I set up. Post-Brexit I've also found that several businesses are setting up new businesses somewhere in the EU, and although these might sometimes be under the same subscription (is this possible if someone needs a different country version?) it's by no means definite. I also have a potential customer who has their own business but is planning to start a new venture with someone else, so they will definitely be wanting separation of subscription for that.

I think this is quite a serious flaw to be honest, but I have some suggestions to help, both in the short term and the longer term:

  • It should be made clear to developers exactly how the authentication process works with regards to cached sessions etc., so that everyone knows that it's necessary to be logged into the appropriate subscription in certain circumstances;
  • Developers should be advised to a) store the business id in their database and then b) on every call made to the API verify that the business id the API is pointing to is the same as the one they've stored;
  • I think that the authentication calls should include a mandatory parameter of some sort that specifically identifies an individual subscription, so that the API doesn't need to refer to any cached sessions;
  • It would also be very useful to have an easier way to find out the business id in each case. As far as I can tell the only way to do this is via the API, which of course means you need to connect to it first to find out what it is. Cart before horse.

Kind Regards

Reg


Hi Reginald,

Like you, I have done my tests successfully on a test account.
I'm now trying to connect my app to a customer's account. I must be stupid, but I can't find any information on how to do this. Apparently, from the customer's account, an invitation must be sent, but where is this function? Is it for adding a user?
I imagine that once I am added, I must find this company in the application registry of my developer account?
Could you say how you did it, please?

Thank you in advance


Hi Sylvain,

Sure, if you go to Settings and then against the Customise sections there's a User Management option. Click that and on the next screen there's an invite button.

Once you've responded to the invite, log into your customer's account and stay logged in while you run your application - when your client authorisation code runs you should be linked correctly and receive back the tokens you need to store.

If you're going to use the business id value in subsequent headers then you need to retrieve it via the API. I found the easiest way to do this was to use Postman, paste in a current Access Token I'd stored and then use the businesses endpoint.

Hope this helps, please feel free to get back in touch, and good luck!

Cheers

Reg


Hi Reg,

Thanks for your response... But seriously, I can't believe this is the protocol.

So, OK, it works... but it's because you are still logged in and the cookies are not deleted...

For my problem, it was because my test account is in French and my customer is in Ireland... and apparently, at the request for the token, the choice of language is important to identify the company.


Hi,

I haven't explored the language aspects yet, so that sounds fun! Yes, I think the cookies aspect is a big weakness. It only applies to the initial authorisation request, i.e. the granting of the first, temporary token, but nevertheless.

For my own safety I've put in a bit of code so that if there's ever a mismatch between the business id I store and the one that's returned on an API call I issue an error and abort...

Cheers

Reg

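An added illustration of the guard Reg describes in his suggestions list (store the business id, verify it on every API call) and again in his last reply (abort on a mismatch), including the "cart before horse" case where no id is stored yet. This is example code written for this thread, not TradaBase's or Sage's own code; the businesses-endpoint response shape ($items with id and displayed_as), the Connection record and the sample ids are assumptions constructed for the example.

```python
from __future__ import annotations
import json
from dataclasses import dataclass
from typing import Dict, Optional


class BusinessMismatch(Exception):
    """The tokens in hand belong to a business other than the one stored."""


@dataclass
class Connection:
    customer: str
    access_token: str
    business_id: Optional[str] = None  # None until the first link is confirmed by a person


def business_ids(businesses_body: str) -> Dict[str, str]:
    """Map business id -> display name from a businesses-endpoint response body.
    The "$items" / "id" / "displayed_as" shape is an assumption for this example."""
    doc = json.loads(businesses_body)
    return {item["id"]: item.get("displayed_as", "") for item in doc.get("$items", [])}


def verify(conn: Connection, businesses_body: str) -> Dict[str, str]:
    """Abort unless the API is pointing at the business stored for this customer.

    First connection (no stored id): return the candidates so the caller can show
    them to the user and confirm before anything is stored; never adopt silently,
    because the browser's cached Sage session may have issued tokens for another
    subscription entirely.
    """
    seen = business_ids(businesses_body)
    if not seen:
        raise BusinessMismatch(f"{conn.customer}: businesses endpoint returned nothing")
    if conn.business_id is None:
        return seen
    if conn.business_id not in seen:
        raise BusinessMismatch(
            f"{conn.customer}: expected business {conn.business_id}, "
            f"API returned {sorted(seen)}; discarding tokens")
    return {conn.business_id: seen[conn.business_id]}


# Constructed sample responses standing in for two unrelated subscriptions.
SOLUTIONJ = json.dumps({"$items": [{"id": "b-1111", "displayed_as": "SolutionJ Limited"}]})
AARDVARK = json.dumps({"$items": [{"id": "b-2222", "displayed_as": "Aardvark Aardvarks Limited"}]})


def scenario() -> str:
    """Reproduce the thread's failure: Aardvark is re-authorised while the browser
    is logged into SolutionJ, so the fresh tokens answer with SolutionJ's business."""
    aardvark = Connection("Aardvark", "tok-new", business_id="b-2222")
    try:
        verify(aardvark, SOLUTIONJ)
    except BusinessMismatch as exc:
        return str(exc)
    return "not detected"
```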

  • Administrators

Glad you've got this working ok Sylvain 🙂

Yes, as a rule, the first time someone with the required permissions authenticates with an app they will be asked to authorize the application to access the business; once that is allowed, the connection is present in the Apps section of the UI settings.

 

Ben
