Hi Mark,
Thanks for clarifying. You’re right, I hadn’t realised this was a feature
request.
The RFC you link to makes the intent of Resource Owner Password Credentials
pretty clear: it’s for the case where no other grant types are available,
and where there’s a high degree of trust between the resource owner and the
client. In other words, it’s great where you have internal systems that
aren’t exposed to the public, but where there are alternatives available,
they are to be preferred.
There’s also the issue of identifying which “user” in FreeAgent is being
authenticated. It’s entirely possible for a given username/password
combination to be valid against multiple FreeAgent accounts. In the web
app, we use the subdomain to identify intent. When authenticating against
the API using the web flow, we also have a pattern to resolve this so that
we can ensure that the returned token is valid against the intended
account. I’m not sure how we would achieve this given only the username and
password.
Is there a specific use case that I’m missing where your application cannot
use the web flow to authenticate itself against a given user account?
Cheers,
-J
On Mon, Dec 9, 2013 at 2:29 PM, Mark Kneale mark.kneale@gmail.com wrote:
Thanks for the reply Jonathan.
I’m able to use the API using the client credentials flow as per your
documentation just fine… My question is why am I unable to use the
“Resource Owner Password credentials” (RFC 6749 - The OAuth 2.0
Authorization Framework) as per the PayPal example in my original post?
I’m asking as I don’t think perhaps you’ve
catered for this scenario in the API and it means us lowly developers have
to use different approaches depending on how companies such as yourselves
implement the OAUTH2 specification.
Again, without having to use a Client Authorization Server, the PayPal
REST API works with OAUTH2 as I totally would expect it to:
    var server = new AuthorizationServerDescription();
    server.TokenEndpoint = new Uri("https://api.sandbox.paypal.com/v1/oauth2/token");
    server.ProtocolVersion = ProtocolVersion.V20;
    var client = new UserAgentClient(server, "my client ID", "my secret");
    var token = client.GetClientAccessToken(); // this returns the Access token as expected.
Furthermore, Google Drive API also works in the same way as the PayPal
example above… so what I’m saying is - I’m not looking for support or
having problems that I can’t get around, I’m saying… “The FreeAgent
API is missing something”
On Monday, December 9, 2013 11:24:33 AM UTC, Jonathan Barrett wrote:
Hi Mark,
Thanks for getting in touch, and sorry you’re having problems here.
By the looks of things, you’re passing your app’s client ID and secret to
the token endpoint in order to retrieve an access token, but you’re not
specifying the authorisation code for the FreeAgent account against which
your app has been authorised. This authorisation code is a required field,
as specified in the docs:
FreeAgent Developer Dashboard
so you’re getting a Bad Request error since the request is incomplete. If
you hand through the authorisation code for an authorised account, the API
will respond with the correct access token (assuming the user has not
revoked access to your app in the meantime). Retrieving the authorisation
code for an account is detailed here:
FreeAgent Developer Dashboard
and includes the “redirect and log in” step you highlight.
Hope this helps!
-J
On Saturday, 7 December 2013 09:25:26 UTC, Mark Kneale wrote:
Hi,
I’m using DotNetOpenAuth to access the v2 API and I’m unable to
authenticate directly as I would expect it to with server to server
communications using OAuth2.
As an example, using OAuth2 with the new PayPal REST API:
    var server = new AuthorizationServerDescription();
    server.TokenEndpoint = new Uri("https://api.sandbox.paypal.com/v1/oauth2/token");
    server.ProtocolVersion = ProtocolVersion.V20;
    var client = new UserAgentClient(server, "my client ID", "my secret");
    var token = client.GetClientAccessToken(); // this returns the Access token as expected.
With the FreeAgent API:
    var server = new AuthorizationServerDescription();
    server.TokenEndpoint = new Uri("https://api.freeagent.com/v2/token_endpoint");
    server.ProtocolVersion = ProtocolVersion.V20;
    var client = new UserAgentClient(server, "my client ID", "My secret");
    var token = client.GetClientAccessToken(); // I get >>> The remote server returned an error: (400) Bad Request.
I know I can use the google oauth playground to get the token and
refresh token after I’ve redirected and logged in but this is surely not
the final solution is it? I’d imagine FreeAgent would be working to resolve
this considering they have such a great product. It’s such a shame that the
“hacky” solution above is the “accepted” answer.
Jonathan Barrett, Senior Engineer
FreeAgent: Accounting software, simplified
+44 (0)131 447 0011
Follow us on Twitter: @freeagent https://twitter.com/freeagent
FreeAgent Central Ltd, 40 Torphichen Street, Edinburgh EH3 8JB
Registered in Scotland SC316774
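
Added example, not part of the thread and not FreeAgent's or DotNetOpenAuth's code: the two token requests that RFC 6749 defines for the web flow discussed above, first exchanging the authorisation code and later renewing with the refresh token, built with plain `HttpClient` types. Only the token endpoint URL comes from the thread; the helper names, HTTP Basic client authentication, the redirect URI and every credential value are assumptions or constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;

static class FreeAgentTokenRequests // hypothetical helper name
{
    // Token endpoint as quoted in the thread.
    static readonly Uri TokenEndpoint = new Uri("https://api.freeagent.com/v2/token_endpoint");

    // RFC 6749 section 4.1.3: exchange the authorisation code obtained from the redirect step.
    public static HttpRequestMessage ForAuthorizationCode(string clientId, string clientSecret, string code, string redirectUri)
    {
        if (string.IsNullOrWhiteSpace(code))
            throw new ArgumentException("authorisation code is required", nameof(code));
        return Build(clientId, clientSecret, new Dictionary<string, string>
        {
            ["grant_type"] = "authorization_code",
            ["code"] = code,
            ["redirect_uri"] = redirectUri, // must match the value sent in the authorisation request
        });
    }

    // RFC 6749 section 6: unattended renewals reuse the stored refresh token, no user present.
    public static HttpRequestMessage ForRefreshToken(string clientId, string clientSecret, string refreshToken) =>
        Build(clientId, clientSecret, new Dictionary<string, string>
        {
            ["grant_type"] = "refresh_token",
            ["refresh_token"] = refreshToken,
        });

    // Assumption: the client authenticates with HTTP Basic (RFC 6749 section 2.3.1).
    static HttpRequestMessage Build(string id, string secret, Dictionary<string, string> form)
    {
        var pair = Uri.EscapeDataString(id) + ":" + Uri.EscapeDataString(secret);
        var request = new HttpRequestMessage(HttpMethod.Post, TokenEndpoint);
        request.Headers.Authorization = new AuthenticationHeaderValue(
            "Basic", Convert.ToBase64String(Encoding.UTF8.GetBytes(pair)));
        request.Content = new FormUrlEncodedContent(form);
        return request;
    }

    static void Main()
    {
        // Constructed placeholder values; the request is built and printed, never sent.
        var req = ForAuthorizationCode("CLIENT_ID", "CLIENT_SECRET", "CODE_FROM_REDIRECT", "https://example.test/callback");
        Console.WriteLine(req.Content.ReadAsStringAsync().Result);
    }
}
```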