
Good Afternoon,

I'm trying to test an app that will need to connect to several different customer accounts (with some customers in turn having multiple businesses within one account).

I did have it working fine, but I wanted to test what would happen in the event of a Refresh Token expiring after 31 days.

I currently have two customer accounts set up, let's call them A and B. Both have only one business in them. I manually set the expiry date of the Refresh Token for A back over 31 days to simulate expiration. From that point on whenever my app calls either A or B only A can be connected to.

To try and fix this I logged into A and removed access to my app completely. Then in my app I tried to connect to A, and correctly got the screen asking me to authorize access, which I duly did. However, when I then tried to connect to B it still connects me to A! The only way to solve this seems to be to log into B and, while logged in, try to connect from my app.

Ok, I guess manually expiring the token wasn't a good idea, but how can I test what happens if a Refresh Token genuinely expires? It all seems a bit flaky tbh.


I want to add more information to this post. I've just set up a second trial subscription to SageOne to test my connection concerns.

So I have two subscriptions to SageOne using different email addresses. My application is already connected to subscription A. It appears to me that in order to connect correctly to subscription B, I must at the time be logged into subscription B, otherwise the authorization endpoint will instead incorrectly connect me to subscription A.

Furthermore, in the situation where I am already connected to subscriptions A and B, if I log into subscription B and revoke my app's access and then log out again (i.e. my application doesn't know the access has been revoked and has 'valid' tokens stored as required), then when my app tries to connect to subscription B using these tokens it is instead returned a connection to subscription A rather than being told to reauthorize! The only way to overcome this seems to be to log into subscription B and then try to connect to subscription B from the application again.

Something seems wrong here. If a user revokes access to my app but then tries to use my app to connect they should not be offered a connection to some other subscription surely?

  • Administrators

Hi Reginald,

Authentication with Accounting is a little different to how others do it. 

When you authenticate, you are authenticating as a specific user, and will subsequently be granted a token that is valid for use in all businesses that user has been granted access to. It is therefore vital that you are using the /businesses endpoint to obtain the id of the business you are interested in, and pass that as a value with the X-Business header. That header routes any requests to that specific business.

Depending on the email address used in your scenarios: if it's the email address that created the business, that business is its 'lead business' and is, in the absence of any X-Business header, the one it will default to. So if you use a secondary email that has been invited to this business, and that second address also created another business, it will always default to its 'lead business' (without an X-Business header), which may well be not what you are expecting.

What I'd ask is if you can test this again, ensuring you pass the appropriate business id with the X-Business header when accessing the different accounts, and see how you find it?

I'd also recommend having a look at our Best Practices | Sage Developer guide, which covers the use of multi-business.


I hope that helps,

Ben

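Ben's routing rule, as an added example that is not part of this thread and not Sage's own code: the client fetches /businesses once, caches the ids it gets back, and sends X-Business on every business-scoped call, refusing ids that /businesses did not return so a stale id can never be silently served by the lead business. The HTTP layer is replaced by a constructed in-process fake (`fake_transport`) that applies the rule described above (no X-Business header means the lead business answers), so it runs offline; the `/contacts` path, the response shapes and the token values are assumptions, not the real API.

```python
import json

# ---- constructed fake of the service, so the example runs offline ----------
# One user holds token "tok-user1". That user created "biz-A" (their lead
# business) and was invited into "biz-B"; the single token is valid for both.
FAKE_BUSINESSES = [
    {"id": "biz-A", "name": "Customer A Ltd"},
    {"id": "biz-B", "name": "Customer B Ltd"},
]
FAKE_LEAD_BUSINESS = "biz-A"
FAKE_VALID_TOKENS = {"tok-user1"}


def fake_transport(method, path, headers):
    """Stand-in for HTTP. Returns (status, body). Mimics the rule from the
    thread: a request without X-Business is routed to the lead business."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer ") or auth[len("Bearer "):] not in FAKE_VALID_TOKENS:
        return 401, json.dumps({"error": "invalid_token"})
    if path == "/businesses":  # lists every business this user can access
        return 200, json.dumps({"items": FAKE_BUSINESSES})
    business = headers.get("X-Business", FAKE_LEAD_BUSINESS)
    if business not in {b["id"] for b in FAKE_BUSINESSES}:
        return 404, json.dumps({"error": "unknown business"})
    if path == "/contacts":  # assumed path; echoes which business served it
        return 200, json.dumps({"business": business, "items": []})
    return 404, json.dumps({"error": "no route"})


# ---- client side: the part a practitioner would actually write -------------
class AccountingClient:
    def __init__(self, token, transport=fake_transport):
        self.token = token
        self.transport = transport
        self._known = None  # id -> name, filled from /businesses

    def _headers(self, business_id=None):
        headers = {"Authorization": f"Bearer {self.token}"}
        if business_id is not None:
            headers["X-Business"] = business_id  # routes the call to one business
        return headers

    def _check(self, status):
        if status == 401:
            # Token rejected (expired, revoked, or never valid): the only
            # correct reaction is to send the user back through authorization.
            raise PermissionError("token rejected: re-authorize the user")
        if status != 200:
            raise RuntimeError(f"unexpected HTTP {status}")

    def businesses(self):
        """GET /businesses and cache the ids the user may address."""
        status, body = self.transport("GET", "/businesses", self._headers())
        self._check(status)
        self._known = {b["id"]: b["name"] for b in json.loads(body)["items"]}
        return self._known

    def get(self, path, business_id):
        """Business-scoped GET. Always sends X-Business, and only with an id
        that /businesses returned for this token."""
        if self._known is None:
            self.businesses()
        if business_id not in self._known:
            raise LookupError(f"{business_id} is not a business this user can access")
        status, body = self.transport("GET", path, self._headers(business_id))
        self._check(status)
        return json.loads(body)


def unscoped_request(token, transport=fake_transport):
    """The pitfall from the thread: no X-Business header, so whichever
    business is the user's lead business answers, not the one you meant."""
    status, body = transport("GET", "/contacts", {"Authorization": f"Bearer {token}"})
    if status != 200:
        raise RuntimeError(f"unexpected HTTP {status}")
    return json.loads(body)


if __name__ == "__main__":
    client = AccountingClient("tok-user1")
    print("businesses:", client.businesses())
    print("without header, served by:", unscoped_request("tok-user1")["business"])
    print("with X-Business=biz-B, served by:", client.get("/contacts", "biz-B")["business"])
```

Swapping `fake_transport` for a real HTTP call keeps the client logic unchanged; the 401 branch is where a genuinely expired refresh token (the original question) surfaces, and the client treats it as "re-authorize", never as "try another business".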
