Forum Discussion

Finagraph
Contributing User
6 years ago

OAuth2 refresh token revocation

Hi there,


I'm a developer working with the AccountRight Live api (cloud-hosted company file). I've followed the instructions for the OAuth2 flow and have had no issues getting access/refresh tokens, renewing the access token, or calling the APIs. However, I have been trying to figure out how to use your API to revoke a refresh_token by POSTing to https://secure.myob.com/oauth2/v1/revoke.


I am using the official RFC (https://tools.ietf.org/html/rfc7009) to make the request.

POST https://secure.myob.com/oauth2/v1/revoke
Authorization: Basic {Base64Encode(clientId:clientSecret)}
Content-Type: application/x-www-form-urlencoded

token={REFRESH_TOKEN}&token_type_hint=refresh_token


Unfortunately, this OAuth2 endpoint is NOT documented in your official documentation and I can't figure out why it's returning:

{
"error": "invalid_request"
}

Is there an official way to revoke an access/refresh token when your app no longer needs to have access to a company file?


The primary use-case is that from a security standpoint we'd like to delete the token in our system AND revoke it on your end. Also, it's very hard to test the OAuth2 user flows because after I've approved our application the first time I cannot revoke access to our application meaning the next time I initiate the OAuth2 flow it skips the step where the user can Approve or Cancel granting access.

Alternatively, is there a way to remove access for the application from within AccountRight Live itself? Or from your web interface?

Thanks in advance for your time and consideration!
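The revocation request quoted above follows RFC 7009 section 2.1: client credentials in an HTTP Basic header and the token in a form-encoded body. The following is an added example, not code from the original post or from MYOB, showing how a client would build that request with proper percent-encoding and how it should interpret the server's answer per RFC 7009 section 2.2 (HTTP 200 means the token is invalid afterwards, even if it was already unknown; errors use the RFC 6749 error format, which is the shape of the `invalid_request` body the post reports). The endpoint URL is the one given in the post; the client id, secret and token values are constructed placeholders, and nothing here verifies how the MYOB endpoint actually behaves:

```python
"""Build and classify an RFC 7009 token-revocation request.

Added example, not MYOB's code. REVOKE_URL is the endpoint quoted in the
forum post; credentials and tokens used in the usage section are constructed.
"""
import base64
import json
import urllib.request
from urllib.parse import urlencode

REVOKE_URL = "https://secure.myob.com/oauth2/v1/revoke"  # endpoint from the post


def build_revocation_request(client_id, client_secret, token,
                             token_type_hint="refresh_token"):
    """Return a urllib Request shaped as RFC 7009 section 2.1 describes.

    - client credentials go in an HTTP Basic header (RFC 6749 section 2.3.1)
    - the token and the optional type hint go in a form-encoded body, so any
      reserved characters in the token are percent-encoded rather than sent raw
    The request is only built here, not sent, so this runs offline.
    """
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
    body = urlencode({"token": token, "token_type_hint": token_type_hint}).encode("ascii")
    req = urllib.request.Request(REVOKE_URL, data=body, method="POST")
    req.add_header("Authorization", f"Basic {creds}")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def interpret_revocation_response(status, body):
    """Classify a revocation response.

    RFC 7009 section 2.2: HTTP 200 means the token is now invalid, whether or
    not the server knew it beforehand. Section 2.2.1: errors follow RFC 6749
    section 5.2, e.g. {"error": "invalid_request"}; "unsupported_token_type"
    means the server does not revoke that kind of token. A 503 is the
    RFC's signal that the client may retry later.
    """
    if status == 200:
        return "revoked"
    try:
        err = json.loads(body).get("error")
    except (ValueError, AttributeError):
        err = None
    if status in (400, 401) and err:
        return f"error:{err}"
    if status == 503:
        return "retry_later"
    return "unexpected"


if __name__ == "__main__":
    # Constructed placeholder credentials; the token contains reserved
    # characters to show that urlencode protects the body format.
    req = build_revocation_request("example-client-id", "example-client-secret",
                                   "example refresh token&with=reserved")
    print(req.get_method(), req.full_url)
    print(req.get_header("Authorization"))
    print(req.data.decode("ascii"))
    # The body quoted in the forum post classifies as an RFC 6749-style error:
    print(interpret_revocation_response(400, '{"error": "invalid_request"}'))
```

A client that deletes the token locally should only treat the token as revoked server-side when `interpret_revocation_response` returns `"revoked"`; any other result means the credential may still be live and should be recorded as such rather than silently discarded.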

  • Jacob_S
    6 years ago

    Hi Finagraph,


    Thanks for reaching out. To revoke access, you will need to log into secure.myob.com with the my.MYOB account that was used to authenticate and revoke the access. This process cannot be completed via the API or via the AccountRight program itself. 


    Thanks,
    Jacob
    MYOB API Team

    Are you a developer? Check out http://developer.myob.com
    Looking for an Add-on? Check out http://myob.com/addons/
    MYOB API Support Centre - https://apisupport.myob.com

    • Finagraph
      Contributing User

      No. That does NOT revoke the access or refresh token. I can still invoke the API for the user's company file even if the user is not logged in. Also, even when I restart the OAuth2 flow and am prompted to login again I am STILL not given an opportunity to Cancel the authorization, but instead am redirected back immediately to the callback endpoint without user confirmation after logging in. Thanks for your effort though.

      Is there someone from the MYOB AccountRight Live team who can answer this?
