OAuth2 refresh token revocation

Finagraph
Contributing Partner

OAuth2 refresh token revocation

Hi there,

I'm a developer working with the AccountRight Live API (cloud-hosted company file). I've followed the instructions for the OAuth2 flow and have had no issues getting access/refresh tokens, renewing the access token, or calling the APIs. However, I have been trying to figure out how to use your API to revoke a refresh_token by POSTing to https://secure.myob.com/oauth2/v1/revoke.

I am using the official RFC (https://tools.ietf.org/html/rfc7009) to make the request.

POST https://secure.myob.com/oauth2/v1/revoke
Authorization: Basic {Base64Encode(clientId:clientSecret)}
Content-Type: application/x-www-form-urlencoded

token={REFRESH_TOKEN}&token_type_hint=refresh_token


Unfortunately, this OAuth2 endpoint is NOT documented in your official documentation and I can't figure out why it's returning:

{
    "error": "invalid_request"
}

Is there an official way to revoke an access/refresh token when your app no longer needs to have access to a company file?

The primary use-case is that from a security standpoint we'd like to delete the token in our system AND revoke it on your end. Also, it's very hard to test the OAuth2 user flows because after I've approved our application the first time I cannot revoke access to our application meaning the next time I initiate the OAuth2 flow it skips the step where the user can Approve or Cancel granting access.

Alternatively, is there a way to remove access for the application from within AccountRight Live itself? Or from your web interface?

Thank you in advance for your time and consideration!
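For readers who want to script the request above rather than hand-build it, here is an added example (not code from the poster or from MYOB) of an RFC 7009 revocation client that assembles the Basic-auth request and maps the server's reply onto the RFC's semantics, including the {"error": "invalid_request"} reply the thread reports. It assumes the endpoint follows RFC 7009 (the thread shows MYOB's does not); the client id and secret are constructed placeholders.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Endpoint from the post above; constructed credentials stand in for a real
# client id and secret when this is run.
REVOKE_URL = "https://secure.myob.com/oauth2/v1/revoke"


def build_revocation_request(client_id, client_secret, token, hint="refresh_token"):
    """Assemble the RFC 7009 request: HTTP Basic client authentication and a
    form-encoded body carrying the token and its type hint."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({"token": token, "token_type_hint": hint})
    return headers, body


def interpret_revocation_response(status, body):
    """Map the reply onto RFC 7009 semantics. A 200 means the token is now
    invalid (the RFC returns 200 even for tokens the server does not know), so
    the caller may delete its local copy; 503 asks for a retry; other codes
    carry an OAuth error object such as the thread's "invalid_request"."""
    if status == 200:
        return "revoked"
    if status == 503:
        return "retry"
    try:
        error = json.loads(body).get("error", "unknown_error")
    except (ValueError, TypeError, AttributeError):
        error = "unknown_error"
    return f"failed:{error}"


def revoke(client_id, client_secret, token, url=REVOKE_URL):
    """Send the request and return the interpreted outcome. This is the only
    network call in the example and is not exercised offline."""
    headers, body = build_revocation_request(client_id, client_secret, token)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return interpret_revocation_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return interpret_revocation_response(err.code, err.read().decode())
```

Because a compliant server answers 200 for unknown tokens as well, a "revoked" result is a signal to delete the local copy, not proof the token was ever valid.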

Triboss
Valued Partner
Re: OAuth2 refresh token revocation

From the customer's end - you could try this URL:

https://secure.myob.com/oauth2/account/logoff

Finagraph
Contributing Partner
Re: OAuth2 refresh token revocation

No. That does NOT revoke the access or refresh token. I can still invoke the API for the user's company file even if the user is not logged in. Also, even when I restart the OAuth2 flow and am prompted to login again I am STILL not given an opportunity to Cancel the authorization, but instead am redirected back immediately to the callback endpoint without user confirmation after logging in. Thanks for your effort though.

Is there someone from the MYOB AccountRight Live team who can answer this?

Jacob_S
Former Staff
New Zealand

Accepted Solution

Re: OAuth2 refresh token revocation

Hi @Finagraph,

Thanks for reaching out. To revoke access, you will need to log into secure.myob.com with the my.MYOB account that was used to authenticate and revoke the access. This process cannot be completed via the API or via the AccountRight program itself.

Thanks,
Jacob
MYOB API Team

Are you a developer? Check out http://developer.myob.com
Looking for an Add-on? Check out http://myob.com/addons/
MYOB API Support Centre - https://apisupport.myob.com

Finagraph
Contributing Partner
Re: OAuth2 refresh token revocation

That did work! For anyone else following along: if you manually navigate your browser to https://secure.myob.com you get the following webpage:

MYOB_REVOKE.png

It's kind of an obscure webpage considering I have absolutely no idea how to get to this page using any links from other pages on your website. For example, when I log in to https://my.myob.au I see:

MYOB_ACCOUNT.png

I tried exploring just about all of the menu options from this page before posing this question. It might be nice if there was a weblink or other way to navigate to view connected applications from this webpage/site. Anyway, THANK YOU!
