We are looking into setting up an integration with your app.
We see that you use OAuth, but it seems to be a local authentication. Do you also have some global OAuth authentication (so that we would keep a single Client ID and Client Secret across all our connections)?
If not, no worries as this is not blocking for us.
Do you in that case prefer your integrations to have a token-based authentication or an authentication based on the local OAuth app?
I’m curious to understand the question (2yrs later). Are you asking for other OAuth providers, such as Facebook, where you’d use the OAuth subsystem to normalize the token(s) passed within your dependent applications?
@dealproc not really.
In essence you can divide the OAuth authentications into 2 types:
- Global OAuth:
  An integrator can set up an OAuth application (with a fixed redirect URL) that can be connected to from different apps. This form of OAuth is the most common and is used with most major apps, such as Google, Facebook, HubSpot, Salesforce, etc.
  For a user this is the most seamless, as they have no manual actions to take (no need to set up an OAuth app themselves), and also the most secure (as they don’t need to provide a Client ID and Secret to a third-party integrator).
- Local OAuth:
  Each user/team needs to set up their own OAuth application in order to be able to allow API access for their account. If we saw it correctly back in the day, this is the situation for ERPNext.
Now that being said, I had posted the above topic without taking into account that many users will also connect their self-hosted ERPNext instances. In such cases, using a global OAuth app is also not secure, as the global Client ID and Secret can be exploited. So this should be avoided.
So my question is actually irrelevant at this time :).