How to Revoke Tokens from OAuth 2?

Hey guys, I have set up an API connection with Xero using the User-Agent Flow in the API Connector. The plugin works well, allowing signup with social network, retrieving data, and refreshing tokens. I am trying to have a button in my app that disconnects the connection with an API call. This is Xero’s documentation:


After trying to make the call I receive error 415, which means unsupported media type. Note: this is the first call I am making that is not a GET call (POST instead). Here are my API and call settings:

Any ideas on how to make this work? I also have no idea how to access the refresh token as bubble handles the refresh process automatically. Thanks in advance for the help!

I have a cheat to get the access token… but not the refresh token.
Some APIs will allow you to do a GET request to the token endpoint and get the actual token information. This is something to try.
Take note that your revoke call will need to be made in a different API (not just a call inside this Xero API).

Thanks for this, it all makes sense and I will try it, I’m just having a hard time understanding this:

What do you mean it would have to be made in a different API?

You cannot do it in the API where you have your Xero user-agent flow auth because you will end up having two “authorization” headers (one from user-agent with Bearer access token and one from the API call with Basic auth).
So you need to do the revoke call in a new API (call it Xero revoke) and add your basic auth in this API + revoke API call endpoint.
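The revoke call discussed above, as an added example that is not part of the original thread: it builds a standard OAuth 2.0 revocation request as defined in RFC 7009 (form-encoded POST body, a single Basic `Authorization` header) and checks a request for the two problems raised here, the 415 and the duplicate `Authorization` header. The endpoint URL and client credentials are constructed placeholders, and it is an assumption that the provider's revocation endpoint follows RFC 7009; take the real values from Xero's documentation.

```python
import base64
import urllib.parse
import urllib.request

# Placeholders constructed for this example; not Xero's real endpoint or keys.
REVOCATION_URL = "https://auth.example.invalid/connect/revocation"
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
FORM = "application/x-www-form-urlencoded"


def build_revocation_request(token, hint="refresh_token"):
    """Build (without sending) an RFC 7009 token revocation request."""
    body = urllib.parse.urlencode({"token": token, "token_type_hint": hint})
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    return urllib.request.Request(
        REVOCATION_URL, data=body.encode("ascii"), method="POST",
        headers={"Authorization": f"Basic {basic}", "Content-Type": FORM},
    )


def check_revocation_request(method, headers, body):
    """List problems in a request given as (method, [(name, value)], bytes)."""
    problems = []
    if method.upper() != "POST":
        problems.append("method must be POST")
    ctypes = [v for k, v in headers if k.lower() == "content-type"]
    if not ctypes or ctypes[0].split(";")[0].strip().lower() != FORM:
        # A JSON or missing content type is a typical cause of HTTP 415 here.
        problems.append(f"Content-Type must be {FORM}")
    auths = [v for k, v in headers if k.lower() == "authorization"]
    if len(auths) != 1:
        # Bearer (from the user-agent flow) plus Basic is the conflict above.
        problems.append(f"expected one Authorization header, found {len(auths)}")
    elif not auths[0].startswith("Basic "):
        problems.append("Authorization must be Basic client_id:client_secret")
    if "token" not in urllib.parse.parse_qs(body.decode("ascii", "replace")):
        problems.append("body must carry a form field named token")
    return problems
```

Running `check_revocation_request` over the method, headers and body configured in the API Connector shows which of these conditions the failing call violates before it is sent.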

Ahh ok this makes sense, really appreciate it. Will try tomorrow and let you know how it goes.


The Xero API doesn’t seem to allow GET requests to check the refresh token. Back at square 1 unfortunately.

Would you mind sharing your cheat to get the access token… I’m close now, I just need to get the refresh_token somehow, which I’m thinking I could do if I had the access token.

So you will need to create a backend WF (no authorization requested) and use detect data with “Include headers in detected data” activated. Copy the initialize URL when you click detect data and go to your Xero API. Add a call there as POST and initialize this call (you may need to reinitialize Authentication before in debug_mode). Once the backend WF is initialized, save the data and go to the API Connector to remove the /initialize at the end.

So use this API call to get the access token. If needed, you can send more information, like the user, by adding a parameter for example. Do that before initializing the backend WF so the backend WF will detect this too.

The idea behind this is: Bubble doesn’t care about the URL set in a specific API. If you have set the authorization for an API, this will be used for all API calls that this API contains, even if the URL doesn’t belong to this API.

Ok I’ll try this, really appreciate the detailed response, and thanks again for your help
