adrianm
PARTNER

Question on native app authentication

by adrianm

First, the documentation is still showing the old GUI. I can e.g. not find the "invite only" selection in the new GUI. Is "no market" the same as "invite only"?

The documentation says regarding redirect_uri:

"The value of this parameter must exactly match the value added on application registration. This includes the https scheme, the same case."

But RFC 8252 says

The authorization server MUST allow any port to be specified at the
   time of the request for loopback IP redirect URIs, to accommodate
   clients that obtain an available ephemeral port from the operating
   system at the time of the request.

How do you do authorization on e.g. a windows computer if you can't redirect to a dynamic local port?

9 REPLIES
adrianm
PARTNER

by adrianm

My app store page looks like this

[screenshot attachment: app store page]

Accepted solution
Magnus Johnsen
VISMA

by Magnus Johnsen

Hi,

When it comes to the App store, native apps use the interactive authentication and do not need to be published as "invite only", as the API scopes are based on the roles the user that authenticates has on their account.

You can still choose to add marketplaces if you want your application to be visible on the Visma App store.

Regarding the redirect_uri, Visma Connect does not support dynamic/ephemeral port for the redirect_uri's.

One option is to register multiple redirect_uri's with different ports and choose the one that is available at runtime; another, perhaps better, option would be using a custom URI scheme and configuring Windows to open the app when it is invoked, similar to how Slack works with their desktop app.

Please let us know if you have any other questions and we'll raise it internally.

Thank you. 
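The first option in the reply above (register several loopback redirect URIs up front, pick whichever port is free at runtime) looks like this when written out. This is an added example, not code from Visma or from this thread: the port list, the `/callback` path and the authorize endpoint path are assumptions, and the token exchange that follows the callback is left out. It binds the chosen port before handing the URL to the browser, sends a PKCE challenge, and refuses any callback whose `state` does not match the request it made.

```python
import base64
import hashlib
import hmac
import secrets
import socket
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed example values (assumptions, not from the Visma documentation):
# each port below stands for a redirect URI registered in advance as
# http://127.0.0.1:<port>/callback; the authorize endpoint path is assumed too.
REGISTERED_PORTS = [8400, 8401, 8402, 8403, 8404, 8405]
AUTHORIZE_ENDPOINT = "https://connect.visma.com/connect/authorize"  # assumed path


def redirect_uri_for(port):
    # Must match the registered value exactly (scheme, host, port, path, case).
    return f"http://127.0.0.1:{port}/callback"


def open_loopback_listener(ports=REGISTERED_PORTS):
    """Bind and listen on the first registered port that is free on loopback.

    The socket is kept open and returned, so no other process can take the port
    between this check and the browser's redirect; the caller closes it after
    the callback has been read. Returns None when every registered port is busy.
    """
    for port in ports:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            sock.bind(("127.0.0.1", port))
            sock.listen(1)
            return sock
        except OSError:
            sock.close()
    return None


def make_pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) for PKCE with the S256 method."""
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(client_id, port, state, code_challenge, scope):
    """Authorization request URL for the port that was actually bound."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri_for(port),
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_callback(request_target, expected_state):
    """Extract the authorization code from the callback request target.

    Rejects error responses and any state value that differs from the one this
    client sent, so a code arriving from a stray or unrelated redirect is never
    exchanged for tokens.
    """
    query = parse_qs(urlparse(request_target).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode("utf-8"), expected_state.encode("utf-8")):
        raise ValueError("state mismatch: callback does not belong to this request")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


if __name__ == "__main__":
    listener = open_loopback_listener()
    if listener is None:
        raise SystemExit("all registered loopback ports are in use")
    port = listener.getsockname()[1]
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    print("open this in the browser:")
    print(build_authorize_url("YOUR_CLIENT_ID", port, state, challenge, "openid"))
    conn, _ = listener.accept()  # blocks until the browser is redirected back
    request_line = conn.recv(4096).split(b"\r\n", 1)[0].decode("ascii", "replace")
    target = request_line.split(" ")[1]  # "GET /callback?code=...&state=... HTTP/1.1"
    conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nYou can close this tab.")
    conn.close()
    listener.close()
    print("authorization code:", parse_callback(target, state))
    # next: POST the code and the verifier to the token endpoint (not shown)
```

Registering every port in the list on the application and keeping the listener bound for the whole flow is what makes the "pick a free one" approach hold up against the exact-match rule quoted in the question.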

adrianm
PARTNER

by adrianm

Thank you for your reply.

Seems very complicated to create a custom URI-scheme and have that pass the information to the running app. I will probably add many ports and hope at least one of them is available.

One other question. What do I use as scope when not using openid?

by Magnus Johnsen

Hi,

According to the documentation, openID is required as scope. Using email and/or profile as well gives you the possibility to also get information about the user via the UserInfo endpoint.


Example:

curl --request GET --url https://connect.visma.com/connect/userinfo --header 'authorization: Bearer [YOUR_ACCESS_TOKEN]'

Response:

{
  "sub": "1072cd43-d99a-4d44-84a2-5f80720c1a19",
  "name": "John Doe",
  "given_name": "John",
  "family_name": "Doe",
  "email": "john.doe@visma.com",
  "email_verified": true,
  "idp": "Visma Connect",
  "auth_time": "1472622102",
  "sid": "11474d36-22a3-40d8-925d-21af17826e38"
}

adrianm
PARTNER

by adrianm

@Magnus Johnsen wrote:
> According to the documentation, openID is required as scope.

Depends on where you look:
> "When OpenID Connect is enabled, your application can be configured with additional Identity Scopes that grants access to additional details regarding authenticated users."

It also seems strange to force the user to accept access to personal information when the application doesn't need it.

I'm more interested to know which company name the user gave access to. Is that available somewhere?

Yıldırım
VISMA

by Yıldırım

@adrianm wrote:
> I'm more interested to know which company name the user gave access to. Is that available somewhere?

Hi Adrian, the generated token can be used on the JWT & UserInfo Endpoint, but I'm afraid those only contain tenant_ID instead of company name. I'll check this out and let you know if there is any option.

adrianm
PARTNER

by adrianm

Thanks, I saw in another post that I can use the Organization endpoint to find the company name and it seems to work.

Also tested the JWT but it did not include the tenant ID.

[screenshot attachment: decoded JWT]

Yıldırım
VISMA

by Yıldırım

Thanks for sharing, Adrian! To my knowledge, to be able to get tenant_ID via JWT and UserInfo you need to adjust the following settings.

1) Developer Portal
[screenshot attachment: Visma Developer Portal setting]
2) Adding the OpenID Identity scope "tenants" to your token request

e.g. 

openid email profile tenants vismanet_erp_interactive_api:create vismanet_erp_interactive_api:read vismanet_erp_interactive_api:update vismanet_erp_interactive_api:delete
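Two things a developer does with the reply above are composing that scope string and then checking whether the token that comes back actually carries a tenant claim, which is what the earlier screenshot was about. The following is an added example, not code from Visma or from this thread. It builds the scope value from the scopes listed above and decodes a token's payload to look for the claim. The claim name `tenant_id` is a placeholder (the thread says "tenant_ID" but not the literal claim name), and the sample tokens are constructed and unsigned: decoding a JWT this way shows which claims it contains, and nothing more. Before a claim is trusted in production the signature has to be verified against Visma Connect's published signing keys and the issuer, audience and expiry checked.

```python
import base64
import json

# Identity scopes from the reply above ("tenants" is the one said to be needed
# for tenant information) plus the interactive API scopes from its example line.
IDENTITY_SCOPES = ["openid", "email", "profile", "tenants"]
API_SCOPES = ["vismanet_erp_interactive_api:" + action
              for action in ("create", "read", "update", "delete")]

# Placeholder claim name (assumption): the thread mentions a tenant ID in the
# token but not the exact claim, so adjust this after inspecting a real token.
TENANT_CLAIM = "tenant_id"


def build_scope(identity=IDENTITY_SCOPES, api=API_SCOPES):
    """Space-separated scope value for the token request."""
    return " ".join(list(identity) + list(api))


def _b64url_decode(segment):
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token):
    """Return (header, payload) of a compact JWT WITHOUT checking its signature.

    Inspection only: it tells you which claims are present. It does not tell
    you the token is genuine, unexpired, or meant for your client.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def tenant_from_claims(payload, claim=TENANT_CLAIM):
    """The tenant value if the token carries the claim, otherwise None."""
    return payload.get(claim)


def make_sample_token(payload):
    """Constructed, deliberately unsigned token for this demo (alg none, empty signature)."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url_encode(json.dumps(header).encode("utf-8")),
                     _b64url_encode(json.dumps(payload).encode("utf-8")),
                     ""])


# Constructed sample payloads: one as if issued with the "tenants" scope, one without.
SAMPLE_TENANT_ID = "00000000-0000-0000-0000-000000000001"  # placeholder value
WITH_TENANT = make_sample_token({
    "sub": "1072cd43-d99a-4d44-84a2-5f80720c1a19",
    "scope": build_scope(),
    TENANT_CLAIM: SAMPLE_TENANT_ID,
})
WITHOUT_TENANT = make_sample_token({
    "sub": "1072cd43-d99a-4d44-84a2-5f80720c1a19",
    "scope": build_scope(["openid", "email", "profile"]),
})

if __name__ == "__main__":
    print("scope:", build_scope())
    for label, token in (("with tenants scope", WITH_TENANT), ("without", WITHOUT_TENANT)):
        _, claims = decode_jwt_claims(token)
        print(label, "-> claims:", sorted(claims), "tenant:", tenant_from_claims(claims))
```

Running the decoder over a token obtained with and without the `tenants` scope is the quickest way to confirm the portal setting above took effect, and to learn the real claim name to replace the placeholder with.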

by Magnus Johnsen

Hi,

The "Invite only" setting can be found here:
[screenshot attachment: Visma Developer Portal, 2023-12-06]

Regarding the redirect_URI, we'll check this internally and get back to you.