OAuth 2.0 and OIDC: General Information

OAuth 2.0 and OpenID Connect (OIDC) are used in scenarios where secure authentication and authorization are required. The implementation of these mechanisms includes multiple steps that you need to do in the client application and in MYOB Acumatica.

Learning Objectives

In this chapter, you will learn the following:

Which steps you need to perform to implement OAuth 2.0 or OIDC
What the differences between the flows are
How to work with data in MYOB Acumatica after successful authorization
How to refresh access to MYOB Acumatica after access has expired

Applicable Scenarios

You implement OAuth 2.0 or OIDC authorization of a client application in the following scenarios:

You need to provide secure access to MYOB Acumatica through the REST API, SOAP API, or OData without sharing user credentials.
You need to implement single sign-on solutions where users can sign in once and access multiple applications without having to sign in separately to each one.
Only for OIDC: In the client application, you need to verify the identity of users and obtain basic profile information from MYOB Acumatica.

Authorization Implementation

To use OAuth 2.0 or OIDC, you need to perform the following general steps:

You register the client application in MYOB Acumatica.
You implement the authorization flow in the client application.
Optional: You implement the refreshing of the application access in the client application.
You include the information about the connected application in the customization project.

Registration of the Application

Before an OAuth 2.0 or OIDC client application can work with MYOB Acumatica, you must register this application in MYOB Acumatica. For details about registration, see Registration of an OAuth 2.0 or OIDC Application: General Information.

Implementation of the Authorization Flow in the Client Application

An authorization flow is a sequence of steps that the client application and MYOB Acumatica follow during the authorization process. The client application that implements OAuth 2.0 or OIDC can use one of the authorization flows supported by MYOB Acumatica, which are the following:

Authorization Code (OAuth 2.0 and OIDC), which is described further in Authorization Code Flow: General Information
Implicit (OAuth 2.0 and OIDC); for more information, see Implicit Flow: General Information
Resource Owner Password Credentials (OAuth 2.0), as described in Resource Owner Password Credentials Flow: General Information
Hybrid (OIDC), which is explored more fully in Hybrid Flow: General Information

Each authorization flow has its own use cases and security considerations, as you can see in OAuth 2.0 and OIDC: Comparison of the Flows. The choice of the flow depends on multiple factors, such as the type of client application, the level of trust between the client and the authorization server, and the security requirements of the application.

Refreshing of the Application Access

The access token, which the client application obtains from MYOB Acumatica during authorization of the application, is valid for a specific period of time, which is specified in the response that returns the access token. When the access token expires, the client application can request a new access token by providing the refresh token to the token endpoint. For details about refreshing the application access, see OAuth 2.0 and OIDC: Refreshing of an Access Token.

Inclusion of a Connected Application in a Customization Project

If you need to use a client application that implements the OAuth 2.0 or OpenID Connect authorization mechanism with other MYOB Acumatica instances, you need to include the information about this client application in a customization project and publish this customization project to these instances. To include the information about the registered client application in a customization project, you use the Connected Applications page of the Customization Project Editor.

Revocation of the Application Access

To revoke the access of an OAuth 2.0 or OpenID Connect client application, you can use either of the following MYOB Acumatica forms:

Connected Applications (SM303010): On this form, you can revoke the access of any application registered in the current company. You revoke all access granted to the application.
User Profile (SM203010): On this form, you can revoke the access of any application to which you (that is, the user account to which you are signed in) have granted access. Any access granted to this application by other users remains unchanged.

After you have revoked access, the related access tokens are removed from the MYOB Acumatica database, and these tokens cannot be used to access data in MYOB Acumatica. However, the client secrets remain valid until their expiration dates (if applicable), and the application can use these secrets to request a new access token.