Added Oauth2 provider

[LeonB]

I've added a secondary provider so oauth2 can be used: https://developer.xero.com/documentation/oauth2/overview

I'd like to know if this is something that could be merged into the main repository. I've abstracted the Provider type to IProvider. I kept the original Provider name for backwards compatibility.

[TheRegan]

Thanks Leon! You're amazing!

I was working on something similar myself but there aren't enough hours in the day to get it done!

I'll take it for a test drive and get back to you shortly. :-)

[LeonB]

@TheRegan let me know if you want things changed or setup differently.

[TheRegan]

Thanks again for this Leon!

I'm having some trouble getting it working with the included example, but I'll persevere over the weekend and see if I can find out what is going on.

When I originally started looking at this I had thought that it made the most sense for the oAuth 2 SDK to be in a separate repo to the oAuth 1.0a SDK. You've done great work here to ensure that it isn't a breaking change though!

Perhaps you could let me know what your arguments are for keeping it in the same repository and we can come to some sort of consensus? :-)

[SebastiaanKlippert]

Any news on this? We are currently have Xero on hold until we get OAuth2 support.
I can help with the review if needed.
What exactly do you mean by different repository @TheRegan ?

[TheRegan]

Hey Sebastiaan, I was referring to leaving this repo as the OAuth 1.0a SDK and having a separate repo with an OAuth 2 SDK.

I think we will go with this model. I am a bit stretched at the moment so I haven't been able to devote time to setting it up sorry!

[LeonB]

@TheRegan personally I would go with keeping one repo. Else you have to maintain two separate repo's where the only difference is the authentication? What's your consideration in splitting the repo up?

[matthewhartstonge]

I've been watching this 👀 - I would agree with @LeonB, best thing to do would be to start adding semantically versioned tags since go modules respect them. That way, if required, you can do a major version bump if deprecating OAuth 1 in future.

[SebastiaanKlippert]

Keeping it in one repo also seems the best option to me, you really don't want to maintain two versions of all code.
This PR looks like a good solution to me, the interface makes it compatible with both OAuth versions.

Thanks for the effort @LeonB

[TheRegan]

Are y'all planning to use OAuth 2 in parallel with OAuth 1.0a? Can I ask whether you're using private, public, or partner methods?

[SebastiaanKlippert]

We are still implementing and are using OAuth1 in development, but decided to hold back the release a couple of months until OAuth2 was available (we are integrating with 10 accounting apps currently and you were the only ones on OAuth1 which means more changes in our OAuth microservices than we hoped).
So for us it will only be OAuth2 on a public app, but we plan to switch to partner when our pilot group gives the thumbs up.

[LeonB]

@TheRegan I'll be using oauth1 as well as oauth 2. It depends on the partner we're connecting with.

[LeonB]

@TheRegan something different: do you know how refreshing the refresh token is handled in Xero with Oauth2? Mine expired now twice. Each time after a month. I store the new refresh tokens I get from the token endpoint and still after I month I get an invalid_grant message and my refresh token doesn't work anymore.

[LeonB]

@TheRegan what do you want to do with oauth2? Especially since the creating of oauth1 apps is now deprecated and disabled.

[SebastiaanKlippert]

Also wondering what is happening, we are releasing a product in the UK with lots of potential customers wanting a Xero integration, but are not going to invest in OAuth1.
Xero is one the first UK accounting products we have seen that provides a Go package, which is great, for the others we wrote our own API client. But now it is becoming a delay, in our own client we would added OAuth2 already by now.
If we get a time line or roadmap we can decide to just use LeonB's branch, or create our own fork, but now it is just waiting for something to happen and we can't answer our customers.

[ramonmacias]

Hello everyone, we worked on a new SDK for Xero using the OAuth2 workflow, feel free to use it and raise an issue if you find some problems! thanks

https://github.com/quickaco/xerosdk

[mwlazlo]

@TheRegan is your comment from last year regarding OAuth1 backwards compatibility still valid? I'm trying to get this working and it seems that Xero API doesn't support OAuth1 any more... thoughts?

[SidneyAllen]

Hi Everyone,

I want to give an update on Xero's support for an official Golang SDK.

This repository xerogolang was hand written for use with OAuth1.0a. For OAuth 2, we've moved to building next generation SDKs in an automated fashion using OpenAPI specifications. This has proved successful in 6 languages, but has required resources to work through the quirks and template modifications to support Xero's wide range of API sets created over a 10 year period.

OAuth 1.0a was officially deprecated on March 31, 2021. We've made the decision to not make any improvements to xerogolang or update it to support OAuth 2 as this is not inline with our strategy to automate the creation of them from OpenAPI specs.

In the README for this project, we said a new SDK was coming soon, but we've not been able to prioritize getting it to a place that we can release it to all of you. It's disappointing news, but we are working to make time to focus on getting the new OA2 SDK to a MVP status in the coming months.

In the meantime, we do have a golang example project that can help you authenticate and roll your own API calls without a full blown SDK.

You are also welcome to fork this repository and modify for your own use going forward.

https://github.com/XeroAPI/golang-oauth2-example