
Auth scopes returned do not match requested scopes

Started by Darren Lawrence - in API Authentication

Whilst building my API Wrapper I have spotted an issue.

I thought I would be clever and store the scope response from the auth process so I can compare and re-authenticate if the scope is changed.

What I have found is that the auth response with the id_token, access_token and refresh_token also has the scope.

However, I see that the scope list returned does not match the requested scope list.

e.g.
I requested
"offline_access openid profile email files accounting.transactions accounting.settings accounting.contacts accounting.attachments assets projects"

but got back
"openid profile email files accounting.transactions accounting.settings accounting.contacts accounting.attachments assets projects offline_access accounting.reports.read accounting.journals.read accounting.settings.read"

Different order and extra .read entries.

Hi Darren,

Is it possible you'd already authenticated that user previously with a different set of scopes? Xero API scopes are additive, so you'll always get the combined set of scopes from all previous authentications for that user - as described here:

https://developer.xero.com/documentation/oauth2/scopes

Hope that helps - cheers,

Russell
Russell Dear (Xero Staff)
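Because the granted set is the additive union of every earlier consent and comes back in no fixed order, the stored scope string should be compared as a set, not as text. The following is an added example (not Xero's code or Darren's wrapper) that decides whether a stored token response still covers the scopes the app needs; the token response below is constructed from the scope strings quoted in this thread.

```python
import json

# Constructed token response modelled on the thread; a real Xero response also
# carries id_token, access_token and refresh_token, but only "scope" matters here.
TOKEN_RESPONSE = json.dumps({
    "token_type": "Bearer",
    "expires_in": 1800,
    "scope": ("openid profile email files accounting.transactions "
              "accounting.settings accounting.contacts accounting.attachments "
              "assets projects offline_access accounting.reports.read "
              "accounting.journals.read accounting.settings.read"),
})

# The scope list Darren requested, as quoted in the thread.
REQUESTED = ("offline_access openid profile email files accounting.transactions "
             "accounting.settings accounting.contacts accounting.attachments "
             "assets projects")


def parse_scopes(scope_string: str) -> frozenset:
    """Split an OAuth2 space-delimited scope string into a set; order is irrelevant."""
    return frozenset(s for s in scope_string.split() if s)


def scope_check(requested: str, token_response_json: str) -> dict:
    """Compare the requested scopes with the granted set in a token response.

    'missing' lists scopes the user has not consented to (re-consent needed);
    'extra' lists scopes granted by earlier consents, which is harmless because
    Xero scopes are additive; 'refreshable' is whether offline_access was granted,
    which is what entitles the app to a refresh token.
    """
    granted = parse_scopes(json.loads(token_response_json).get("scope", ""))
    wanted = parse_scopes(requested)
    return {
        "missing": sorted(wanted - granted),
        "extra": sorted(granted - wanted),
        "needs_reauth": not wanted <= granted,
        "refreshable": "offline_access" in granted,
    }


if __name__ == "__main__":
    # Expected: nothing missing, three extra .read scopes, no re-auth needed.
    print(scope_check(REQUESTED, TOKEN_RESPONSE))
```

Only a non-empty `missing` list justifies sending the user back through the consent flow; a different order or extra entries does not.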

That is possible, however I thought a re-authentication would reset this?
Darren Lawrence

The only way to 'remove' a scope is to completely revoke the token set.

If you were to re-authenticate after a full revocation, you would reset what scopes the user had authorized. * Also note that revoking a whole token is different than deleting a connection.

See Revoking tokens
You can revoke a user's refresh token and remove all their connections to your app by making a request to the revocation endpoint.

https://developer.xero.com/documentation/oauth2/auth-flow

Christopher Knight (Xero Staff)

I will look into adding the Revoke step and see what happens

Thanks
Darren Lawrence