OAuth 2.0 and OIDC: General Information
OAuth 2.0 and OpenID Connect (OIDC) are used in scenarios where secure authentication and authorization are required. Implementing these mechanisms involves multiple steps that you need to perform both in the client application and in MYOB Acumatica.
Learning Objectives
In this chapter, you will learn the following:
- Which steps you need to perform to implement OAuth 2.0 or OIDC
- What the differences between the flows are
- How to work with data in MYOB Acumatica after successful authorization
- How to refresh access to MYOB Acumatica after access has expired
Applicable Scenarios
- You need to provide secure access to MYOB Acumatica through the REST API, SOAP API, or OData without sharing user credentials.
- You need to implement single sign-on solutions where users can sign in once and access multiple applications without having to sign in separately to each one.
- Only for OIDC: In the client application, you need to verify the identity of users and obtain basic profile information from MYOB Acumatica.
Authorization Implementation
To use OAuth 2.0 or OIDC, you need to perform the following general steps:
- You register the client application in MYOB Acumatica.
- You implement the authorization flow in the client application.
- Optional: You implement the refreshing of the application's access in the client application.
- You include the information about the connected application in the customization project.
Registration of the Application
Before an OAuth 2.0 or OIDC client application can work with MYOB Acumatica, you must register this application in MYOB Acumatica. For details about registration, see Registration of an OAuth 2.0 or OIDC Application: General Information.
Implementation of the Authorization Flow in the Client Application
An authorization flow is a sequence of steps that the client application and MYOB Acumatica follow during the authorization process. The client application that implements OAuth 2.0 or OIDC can use one of the authorization flows supported by MYOB Acumatica, which are the following:
- Authorization Code (OAuth 2.0 and OIDC), which is described further in Authorization Code Flow: General Information
- Implicit (OAuth 2.0 and OIDC); for more information, see Implicit Flow: General Information
- Resource Owner Password Credentials (OAuth 2.0), as described in Resource Owner Password Credentials Flow: General Information
- Hybrid (OIDC), which is explored more fully in Hybrid Flow: General Information
Each authorization flow has its own use cases and security considerations, as you can see in OAuth 2.0 and OIDC: Comparison of the Flows. The choice of the flow depends on multiple factors, such as the type of client application, the level of trust between the client and the authorization server, and the security requirements of the application.
Refreshing of the Application Access
The access token, which the client application obtains from MYOB Acumatica during authorization of the application, is valid for a specific period of time, which is specified in the response that returns the access token. When the access token expires, the client application can request a new access token by providing the refresh token to the token endpoint. For details about refreshing the application access, see OAuth 2.0 and OIDC: Refreshing of an Access Token.
Inclusion of a Connected Application in a Customization Project
If you need to use a client application that implements the OAuth 2.0 or OpenID Connect authorization mechanism with other MYOB Acumatica instances, you need to include the information about this client application in a customization project and publish this customization project to these instances. To include the information about the registered client application in a customization project, you use the Connected Applications page of the Customization Project Editor.
Revocation of the Application Access
You can revoke the access that has been granted to a client application on either of the following forms:
- Connected Applications (SM303010): On this form, you can revoke the access of any application registered in the current company. This revokes all access that any user has granted to the application.
- User Profile (SM203010): On this form, you can revoke the access of any application to which you (that is, the user account with which you are signed in) have granted access. Any access granted to this application by other users remains unchanged.
After you have revoked access, the related access tokens are removed from the MYOB Acumatica database, and these tokens cannot be used to access data in MYOB Acumatica. However, the client secrets remain valid until their expiration dates (if applicable), and the application can use these secrets to request a new access token.
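The following is an added example, not code from the MYOB Acumatica documentation, illustrating the two points above: how a client keeps using MYOB Acumatica after the access token expires (Refreshing of the Application Access), and what the client should do when its refresh token has been revoked while the client secret is still valid (Revocation of the Application Access). The token endpoint URL, the token response fields (`access_token`, `refresh_token`, `expires_in`) and the `invalid_grant` error on a revoked refresh token follow the standard OAuth 2.0 token endpoint conventions and are assumptions here; the `FakeTokenEndpoint` is a constructed stand-in so that the example runs offline, and the client id and secret are placeholder values.

```python
import time
from typing import Any, Callable, Dict, Tuple

# Assumed placeholder; substitute the token endpoint of the real instance.
TOKEN_ENDPOINT = "https://acumatica.example.invalid/identity/connect/token"

Response = Tuple[int, Dict[str, Any]]               # (HTTP status, decoded JSON body)
Transport = Callable[[str, Dict[str, str]], Response]  # POSTs form fields to a URL


class ReauthorizationRequired(Exception):
    """The refresh token was rejected (expired or revoked by the user).
    The client secret may still be valid, but a new authorization flow is needed."""


class TokenSession:
    # Refresh slightly before the reported expiry to absorb clock skew.
    SKEW_SECONDS = 30

    def __init__(self, client_id: str, client_secret: str, transport: Transport,
                 access_token: str, refresh_token: str, expires_in: int,
                 clock: Callable[[], float] = time.time):
        self.client_id, self.client_secret = client_id, client_secret
        self.transport, self.clock = transport, clock
        self._store(access_token, refresh_token, expires_in)

    def _store(self, access_token: str, refresh_token: str, expires_in: int) -> None:
        self.access_token = access_token
        self.refresh_token = refresh_token
        # expires_in is the lifetime in seconds returned with the token.
        self.expires_at = self.clock() + int(expires_in)

    def is_expired(self) -> bool:
        return self.clock() >= self.expires_at - self.SKEW_SECONDS

    def get_access_token(self) -> str:
        """Return a usable bearer token, refreshing it first if it has expired."""
        if self.is_expired():
            self.refresh()
        return self.access_token

    def refresh(self) -> None:
        """Exchange the refresh token for a new access token at the token endpoint."""
        status, body = self.transport(TOKEN_ENDPOINT, {
            "grant_type": "refresh_token",
            "refresh_token": self.refresh_token,
            "client_id": self.client_id,
            "client_secret": self.client_secret,
        })
        if status == 200 and "access_token" in body:
            # Servers may rotate the refresh token; keep the old one if they do not.
            self._store(body["access_token"],
                        body.get("refresh_token", self.refresh_token),
                        body.get("expires_in", 3600))
            return
        if body.get("error") == "invalid_grant":
            # Revoked tokens are removed server-side; forget ours and re-authorize.
            self.access_token = self.refresh_token = ""
            raise ReauthorizationRequired(body.get("error_description", "refresh rejected"))
        raise RuntimeError(f"token endpoint returned {status}: {body}")


class FakeTokenEndpoint:
    """Constructed stand-in for the authorization server (offline only).
    It rotates refresh tokens and rejects any refresh token that was revoked."""

    def __init__(self) -> None:
        self.counter = 0
        self.valid_refresh = {"rt-0"}

    def revoke_all(self) -> None:
        # Models revocation on the Connected Applications or User Profile form.
        self.valid_refresh.clear()

    def __call__(self, url: str, form: Dict[str, str]) -> Response:
        if form.get("grant_type") != "refresh_token":
            return 400, {"error": "unsupported_grant_type"}
        if form.get("client_secret") != "placeholder-secret":   # secret still valid
            return 401, {"error": "invalid_client"}
        if form.get("refresh_token") not in self.valid_refresh:
            return 400, {"error": "invalid_grant",
                         "error_description": "refresh token revoked or expired"}
        self.valid_refresh.discard(form["refresh_token"])
        self.counter += 1
        new_rt = f"rt-{self.counter}"
        self.valid_refresh.add(new_rt)
        return 200, {"access_token": f"at-{self.counter}", "refresh_token": new_rt,
                     "expires_in": 3600, "token_type": "Bearer"}


def demo() -> Tuple[str, str, bool]:
    """Walk through expiry, refresh, and revocation with a controllable clock."""
    clock = {"now": 1_000_000.0}
    server = FakeTokenEndpoint()
    session = TokenSession("placeholder-client", "placeholder-secret", server,
                           "at-0", "rt-0", 3600, clock=lambda: clock["now"])
    first = session.get_access_token()    # still valid, no refresh: "at-0"
    clock["now"] += 3600                  # past expiry
    second = session.get_access_token()   # refreshed transparently: "at-1"
    server.revoke_all()                   # user revokes the application's access
    clock["now"] += 3600
    try:
        session.get_access_token()
        needs_reauth = False
    except ReauthorizationRequired:
        needs_reauth = True               # secret is fine, but must authorize again
    return first, second, needs_reauth


if __name__ == "__main__":
    print(demo())
```

In a real client, `transport` would wrap an HTTP POST with form-encoded fields; keeping it injectable makes the expiry and revocation paths testable without a live instance. The `invalid_grant` branch matters because revocation removes the tokens but leaves the client secret valid: the correct response is to discard the stored tokens and send the user through the authorization flow again, not to retry with the same refresh token.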