Custom Connections using PHP API - Where to request offline_access?

Started by Philip Coombes in SDKs

I'm migrating an OAuth1 app to OAuth2 and have created the app in Xero etc and given it the appropriate scope permissions for the accounting api.

As the app is strictly offline scripts for billing and invoicing I'm using a custom connection and basing the auth workflow on the example at https://github.com/XeroAPI/xero-php-oauth2-custom-connections-starter.

The initial auth works but then the refresh fails because there is no refresh token. I believe this is because it is not asking for the offline_access scope initially but I'm at a total loss about where or how to request that scope using the GenericProvider class.

I've tried adding it to the request for the access token as follows

$accessToken = self::$provider->getAccessToken( 'client_credentials', [ 'scope'=>[ 'openid', 'offline_access' ] ] );

but it gets ignored and the scopes I get back are just the accounting ones I defined originally. If I change it slightly to

$accessToken = self::$provider->getAccessToken( 'client_credentials', [ 'scope'=>'openid,offline_access' ] );

then I get a 400 response with invalid_scope.

All the examples in the docs for specifying the scope show the raw HTTP request and don't seem to use this library.

Does anyone have an example of successfully requesting offline_access using the xeroapi/xero-php-oauth2 library as I'm currently totally stuck?
Incidentally this forum isn't exactly geared up to handle technical posts. Any kind of un-escaped square brackets just generates "unable to format post" messages with no information about what's wrong!

Philip Coombes  

When using a custom connection there is no refresh token. After 30 minutes you simply repeat the process of obtaining an access token (using the Client ID and Secret).

I suspect that the sample app has references to refresh tokens as the code has been re-used from the code flow examples (where there is a refresh token). I would suggest raising this as an issue on the issue page (https://github.com/XeroAPI/xero-php-oauth2-custom-connections-starter/issues) so that our team can take a look.

Robin B (Community Manager)  
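
The approach described in this answer, as an added example that is not part of the thread or of Xero's starter project: cache the client_credentials token and request a new one shortly before it expires, with no refresh-token call. The class name, environment variable names and the 60-second margin are hypothetical, and the three endpoint URLs are assumptions to check against Xero's documentation.

```php
<?php
require __DIR__ . '/vendor/autoload.php'; // composer require league/oauth2-client

use League\OAuth2\Client\Provider\GenericProvider;
use League\OAuth2\Client\Token\AccessTokenInterface;

final class CustomConnectionToken // hypothetical helper class
{
    private const SKEW_SECONDS = 60; // renew a little before the stated expiry
    private ?AccessTokenInterface $token = null;

    public function __construct(private GenericProvider $provider) {}

    // Returns a bearer token, requesting a new one when none is cached or it is about to expire.
    public function get(): string
    {
        if ($this->token === null || $this->expiresSoon($this->token)) {
            // No refresh_token grant and no offline_access scope: a custom
            // connection simply repeats the client_credentials request.
            $this->token = $this->provider->getAccessToken('client_credentials');
        }
        return $this->token->getToken();
    }

    private function expiresSoon(AccessTokenInterface $token): bool
    {
        $expires = $token->getExpires(); // Unix timestamp, or null if not provided
        return $expires === null || $expires - self::SKEW_SECONDS <= time();
    }
}

// Keep the client secret out of source control; read it from the environment.
$clientId = getenv('XERO_CLIENT_ID');         // assumed variable name
$clientSecret = getenv('XERO_CLIENT_SECRET'); // assumed variable name
if (!$clientId || !$clientSecret) {
    fwrite(STDERR, "Set XERO_CLIENT_ID and XERO_CLIENT_SECRET\n");
    exit(1);
}

$provider = new GenericProvider([
    'clientId' => $clientId,
    'clientSecret' => $clientSecret,
    'urlAuthorize' => 'https://login.xero.com/identity/connect/authorize',
    'urlAccessToken' => 'https://identity.xero.com/connect/token',
    'urlResourceOwnerDetails' => 'https://api.xero.com/api.xro/2.0/Organisation',
]);

$tokens = new CustomConnectionToken($provider);
$bearer = $tokens->get(); // call get() before each batch of API requests
```

Long-running billing scripts should call get() each time rather than holding the string, so a token that expires mid-run is replaced instead of producing 401 responses.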

Thanks. I'll give that a go and raise an issue.

Philip Coombes