Xero oAuth1.0a Private App

Hi Manuel,

Facing issues with Xero oAuth 1.0a, Xero allows 2 types of application, Private and Public.

The OAuth Class library works fine with Public app but gives an error with Private app.

Error: it was not possible to access the OAuth request token: it was returned an unexpected response status 401 Response: auth_problem=consumer_key_rejected&oauth_problem_advice=Private applications cannot request a Request Token

I used the login_with_xero.php it works with the public app, but when using the private app it doesn't, I tried to give the http_arguments

$client->http_arguments = array(
'PreferCurl' => true,
'SSLCertificateFile' => 'C:\Program Files\OpenSSL-Win64\bin\publickey.cer',
'SSLKeyFile' => 'C:\Program Files\OpenSSL-Win64\bin\privatekey.pem',
);

Even tried to set the "dialog_url" to 'automatic' and '2legged' but no breakthrough yet. Do you have any clue why it could be so?

Thanks

It seems you may need to use a consumer_key in the place of the token. Can you check if the XERO API control panel provides that consumer key for you to use as token value?

The control panel provides "Consumer Key" and "Consumer Secret" But I am not sure of what you mean by "consumer key for you to use as token value?"

Also, some digging finds me this

1) A Private app uses RSA-SHA1 for signing and two-legged OAuth 1.0a. This generates a token that never expires.

2) Public apps use HMAC-SHA1 for signing and three-legged OAuth 1.0a. The generated token expires after 30 minutes and then the user must re-authenticate to get a new access token.

Looking at this, "RSA-SHA1" is not supported by this library? Or is there something that I am missing out?

developer.xero.com/faq/authenticati ...
developer.xero.com/documentation/au ...

Maybe I need to improve the OAuth class to address your needs.

I do not have access to that API. Would it be possible for you to put your scripts and my class in some private Git repository and give me access so I can test your scripts with my class and figure what I need to improve?

I appreciate you help, Actually i do not have any script created, i am checking for the feasibilty of oAuth with xero using this Class, I am using the login_with_xero.php of your class by providing the
$client->client_id = 'xxxxxxxx';
$client->client_secret = 'xxxxxxxx';

To see if this class works for Xero, If yes then I was planning to create a library.
I can create a GIT repository, but it will actually have nothing except your Class. If you want the access to the API I can create or share the API developer credentials.

I believe it has to be something with the "RSA-SHA1 method" which Xero private apps require, and this class doesn't support it.

I am very busy right now and do not have much time to look into this. The class can work with any OAuth based API. If you do what I suggested above you can help me to help you figuring the problem.

I appreciate it your helping hand, and I know you would have other things to do than this. But as I said I have nothing to share as a GIT repo, as i am only using this Class and the file called "login_with_xero.php" Just by providing the value of client_id and client_secret, Which i is as below.

$client->client_id = 'HMOXEQVREN8YBT5BVIWLTT5ZIFHPTS';
$client->client_secret = 'OBYPDOKCVVYGRX7F8BHRKJ9H9SE4S0';

Actually, what I need is for you to take the example script that uses the Xero API, change the values to put those client id and secret values.

Then add the API calls using the OAuth CallAPI function to perform the actions you want to do. Once you do this put it in a Git repository somewhere like private GitHub or Gitlab repository

Then let me know the what is the URL by sending me an email to [email protected] so I can take it from there reproducing your enviroment and fix whatever is missing in the OAuth class.

Once you do this and mail me I will remove the message above to avoid sharing private credentials with the general public because the use of that Xero application that you created is your responsability and we do not want nothing bad to happen with it due to some possible abuse from strangers.

Can you do this and let me know?

Sounds good, Thanks, I have sent you an email with GIT repo.