Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[OAuth 2.0] OpenID Connect supported? #433

Open
john-goldsmith opened this issue Jul 6, 2018 · 3 comments
Open

[OAuth 2.0] OpenID Connect supported? #433

john-goldsmith opened this issue Jul 6, 2018 · 3 comments

Comments

@john-goldsmith
Copy link

john-goldsmith commented Jul 6, 2018
edited
Loading

Hi,

I'm working off the 389-oauth2 branch (which works great btw, thanks!) and was curious if this gem also supports Intuit's OpenID Connect implementation (scope: "openid")? The following snippet works for me, but I wasn't sure if it was already baked in somewhere, or perhaps another gem that provides something similar. Thanks!

class QuickbooksController < ApiController

  def oauth_callback
    if params[:state]
      @response = ::QB_OAUTH2_CONSUMER.auth_code.get_token(params[:code], redirect_uri: quickbooks_oauth_callback_url)
      if @response
        uri = URI("https://sandbox-accounts.platform.intuit.com/v1/openid_connect/userinfo")
        res = Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) do |http|
          req = Net::HTTP::Get.new uri
          req['Authorization'] = "Bearer #{@response.token}"
          req['Accept'] = 'application/json'
          http.request(req)
        end
        body = HashWithIndifferentAccess.new(JSON::parse(res.body))
        # => {sub: "...", givenName: "...", familyName: "...", email: "...", emailVerified: "..."}
      end
    end
  end

end
References
  1. OAuth 2.0 Playground
  2. OpenID Connect documentation
@john-goldsmith john-goldsmith changed the title OpenID Connect supported? [OAuth 2.0] OpenID Connect supported? Jul 6, 2018
@ruckus
Copy link
Owner

ruckus commented Jul 9, 2018

Hi @john-goldsmith thanks for the info. This gem doesn't have an authentication setup logic, we recommend users handle it on a per-app basis as needed, ala the docs:

https://github.com/ruckus/quickbooks-ruby/tree/389-oauth2#getting-started--initiating-authentication-flow-with-intuit

So in theory, yes, you can specify your own scope: "openid" and be good to go (?)

From what you're saying you can pass the same access token / secret to the gem and it works? If so thats good to know and it sounds like its a documentation issue that we should mention.

Or perhaps I am misunderstanding what you're saying. Thanks again.

@john-goldsmith
Copy link
Author

john-goldsmith commented Jul 9, 2018
edited
Loading

According to the docs, scope: "openid" is a scope provided by Intuit that, from my understanding, simply tacks on an additional JWT to the OAuth response (id_token property). The JWT contains a QuickBooks GUID and realm/company ID which can then be used in my custom application to marry my user data to QuickBooks user data. Example response:

{
  "sub": "1182d6ec-2a1f-4aa3-af3f-bb3b95db45af", // QuickBooks GUID
  "aud": [
    "L3Y7SV6rRxVvArdYzlRxjPXo0b6ItrX4qFhopPXQ6aaEWgKyCa"
  ],
  "realmid": "123145880168382", // aka, company ID
  "auth_time": 1464330769,
  "iss": "https://oauth.platform.intuit.com/op/v1",
  "exp": 1464335838,
  "iat": 1464332238
}

Using the OAuth token (not the JWT), additional user data can be obtained by making a GET request to https://accounts.platform.intuit.com/v1/openid_connect/userinfo that includes a header with the OAuth token. Example response:

{
    "sub": "1182d6ec-2a1f-4aa3-af3f-bb3b95db45af", // QuickBooks GUID
    "email": "[email protected]",
    "emailVerified": true,
    "givenName": "John",
    "familyName": "Doe",
    "phoneNumber": "+1 6305555555",
    "phoneNumberVerified": false,
    "address": { // other useful profile info
        "streetAddress": "2007 saint julien ct",
        "locality": "mountain view",
        "region": "CA",
        "postalCode": "94043",
        "country": "US"
    }
}

So, back to my original question, since your gem manages the OAuth token which is needed for the additional profile data, it seems like wrapping the OpenID functionality could also be in scope. Then again, there are a bazillion OpenID gems so maybe they already provide this functionality...? Off the cuff:

user_info = Quickbooks::Identity::OpenIDConnect.get_user_info(access_token, opts)
user_info.email # => [email protected]

FWIW and to be perfectly honest, I'm not exactly sure if OAuth and OpenID are competing or complimentary concepts, so it's possible I'm doing duplicate effort. 😅

@joshk6
Copy link

joshk6 commented Jan 1, 2019

Thank you John Goldsmith! Just a upvote here to ask that you please incorporate the setup stuff into the gem. I was able to get started pretty quickly using minimul's QboApi, but it also lacks facility for signon with intuit (which appears pretty important if you actually want people to use your app), revoking credentials (required by Intuit to publish) or getting email addresses of the user, which is pretty much essential if you use intuit single signon. I think newbies will spend hours trying to figure out oauth and then when you want to get set up to connect to their app store you have a whole new bunch of problems, and the documentation is missing or confusing if you are rails developer.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@ruckus @john-goldsmith @joshk6