
[OAuth 2.0] OpenID Connect supported? #433

Open
john-goldsmith opened this issue Jul 6, 2018 · 3 comments

Comments


john-goldsmith commented Jul 6, 2018

Hi,

I'm working off the 389-oauth2 branch (which works great btw, thanks!) and was curious if this gem also supports Intuit's OpenID Connect implementation (scope: "openid")? The following snippet works for me, but I wasn't sure if it was already baked in somewhere, or perhaps another gem that provides something similar. Thanks!

require 'net/http'
require 'json'

class QuickbooksController < ApiController

  def oauth_callback
    # Note: state is only checked for presence here; the callback should compare it
    # against the value stored when the authorization request was issued.
    if params[:state]
      # Exchange the authorization code for an OAuth 2.0 access token (389-oauth2 branch)
      @response = ::QB_OAUTH2_CONSUMER.auth_code.get_token(params[:code], redirect_uri: quickbooks_oauth_callback_url)
      if @response
        # Call Intuit's OpenID Connect userinfo endpoint with the OAuth access token as a Bearer token
        uri = URI("https://sandbox-accounts.platform.intuit.com/v1/openid_connect/userinfo")
        res = Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) do |http|
          req = Net::HTTP::Get.new(uri)
          req['Authorization'] = "Bearer #{@response.token}"
          req['Accept'] = 'application/json'
          http.request(req)
        end
        # res.code should be checked before parsing the body
        body = HashWithIndifferentAccess.new(JSON.parse(res.body))
        # => {sub: "...", givenName: "...", familyName: "...", email: "...", emailVerified: "..."}
      end
    end
  end

end

References
  1. OAuth 2.0 Playground
  2. OpenID Connect documentation
john-goldsmith changed the title from "OpenID Connect supported?" to "[OAuth 2.0] OpenID Connect supported?" on Jul 6, 2018


ruckus commented Jul 9, 2018

Hi @john-goldsmith, thanks for the info. This gem doesn't have any authentication setup logic; we recommend users handle it on a per-app basis as needed, à la the docs:

https://github.com/ruckus/quickbooks-ruby/tree/389-oauth2#getting-started--initiating-authentication-flow-with-intuit

So in theory, yes, you can specify your own scope: "openid" and be good to go (?)

From what you're saying, you can pass the same access token / secret to the gem and it works? If so, that's good to know, and it sounds like it's a documentation issue that we should mention.

Or perhaps I am misunderstanding what you're saying. Thanks again.


john-goldsmith commented Jul 9, 2018

According to the docs, scope: "openid" is a scope provided by Intuit that, from my understanding, simply tacks on an additional JWT to the OAuth response (id_token property). The JWT contains a QuickBooks GUID and realm/company ID which can then be used in my custom application to marry my user data to QuickBooks user data. Example response:

{
  "sub": "1182d6ec-2a1f-4aa3-af3f-bb3b95db45af", // QuickBooks GUID
  "aud": [
    "L3Y7SV6rRxVvArdYzlRxjPXo0b6ItrX4qFhopPXQ6aaEWgKyCa"
  ],
  "realmid": "123145880168382", // aka, company ID
  "auth_time": 1464330769,
  "iss": "https://oauth.platform.intuit.com/op/v1",
  "exp": 1464335838,
  "iat": 1464332238
}

Using the OAuth token (not the JWT), additional user data can be obtained by making a GET request to https://accounts.platform.intuit.com/v1/openid_connect/userinfo that includes a header with the OAuth token. Example response:

{
    "sub": "1182d6ec-2a1f-4aa3-af3f-bb3b95db45af", // QuickBooks GUID
    "email": "john@doe.com",
    "emailVerified": true,
    "givenName": "John",
    "familyName": "Doe",
    "phoneNumber": "+1 6305555555",
    "phoneNumberVerified": false,
    "address": { // other useful profile info
        "streetAddress": "2007 saint julien ct",
        "locality": "mountain view",
        "region": "CA",
        "postalCode": "94043",
        "country": "US"
    }
}

So, back to my original question, since your gem manages the OAuth token which is needed for the additional profile data, it seems like wrapping the OpenID functionality could also be in scope. Then again, there are a bazillion OpenID gems so maybe they already provide this functionality...? Off the cuff:

user_info = Quickbooks::Identity::OpenIDConnect.get_user_info(access_token, opts)
user_info.email # => john@doe.com

FWIW and to be perfectly honest, I'm not exactly sure if OAuth and OpenID are competing or complementary concepts, so it's possible I'm doing duplicate effort. 😅
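
Before the sub and realmid from that id_token are used to link a QuickBooks identity to a local user, the JWT itself should be verified. The following is an added example in plain Ruby (not code from the gem or from this thread): it checks the RS256 signature, the issuer shown in the example above, the audience (your client id) and the exp claim, and pins the algorithm instead of trusting the token header. It assumes the issuer's public key has already been fetched from Intuit's published JWKS (URL not given on this page); sign_id_token is a constructed test-only helper so the example runs offline.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Issuer value taken from the example id_token above
INTUIT_ISSUER = 'https://oauth.platform.intuit.com/op/v1'.freeze

def b64url_decode(str)
  Base64.urlsafe_decode64(str) # tolerates the missing padding JWTs use
end

# Verify an RS256 id_token and return its claims. Raises RuntimeError on any failure.
# public_key: OpenSSL::PKey::RSA obtained from the issuer's JWKS (assumption: fetched elsewhere)
# expected_aud: your OAuth client id, which must appear in the aud claim
def verify_id_token(id_token, public_key, expected_aud:, now: Time.now.to_i)
  parts = id_token.split('.')
  raise 'malformed token' unless parts.length == 3
  header = JSON.parse(b64url_decode(parts[0]))
  claims = JSON.parse(b64url_decode(parts[1]))
  # Pin the algorithm: never let header['alg'] (e.g. "none" or HS256) choose the verifier
  raise "unexpected alg #{header['alg']}" unless header['alg'] == 'RS256'
  signed_input = parts[0..1].join('.')
  signature = b64url_decode(parts[2])
  raise 'bad signature' unless public_key.verify(OpenSSL::Digest::SHA256.new, signature, signed_input)
  raise 'bad issuer' unless claims['iss'] == INTUIT_ISSUER
  raise 'bad audience' unless Array(claims['aud']).include?(expected_aud)
  raise 'expired' unless claims['exp'].is_a?(Integer) && now < claims['exp']
  claims
end

# Constructed test-only helper: mint an RS256 token so verify_id_token can be exercised offline.
def sign_id_token(claims, private_key, alg: 'RS256')
  enc = ->(h) { Base64.urlsafe_encode64(JSON.generate(h), padding: false) }
  signed_input = [enc.call({ alg: alg, typ: 'JWT' }), enc.call(claims)].join('.')
  signature = private_key.sign(OpenSSL::Digest::SHA256.new, signed_input)
  "#{signed_input}.#{Base64.urlsafe_encode64(signature, padding: false)}"
end
```

Only after verify_id_token succeeds should claims['sub'] and claims['realmid'] be stored against the local account; the userinfo call in the first comment can then fill in the profile fields.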


joshk6 commented Jan 1, 2019

Thank you John Goldsmith! Just an upvote here to ask that you please incorporate the setup stuff into the gem. I was able to get started pretty quickly using minimul's QboApi, but it also lacks facility for sign-on with Intuit (which appears pretty important if you actually want people to use your app), revoking credentials (required by Intuit to publish) or getting email addresses of the user, which is pretty much essential if you use Intuit single sign-on. I think newbies will spend hours trying to figure out OAuth, and then when you want to get set up to connect to their app store you have a whole new bunch of problems, and the documentation is missing or confusing if you are a Rails developer.
