NOTICE: We deprecated OpenID 2.0 on May 31, 2019.
UPDATE: If you act before May 31, 2019 you will be eligible for a special thank you! All the details are here.
If you are not an engineer, and you have an application or integration with QuickBooks Online that was built before June 2017, this FAQ is for you! This FAQ can help you understand what OAuth is, and how the requirement to migrate to OAuth 2.0 (and OpenID Connect, if applicable) before December 17, 2019 affects you and your integration.
- What is OAuth for?
- What is OpenID for?
- When/how does my app use OAuth?
- What is different about OAuth 2.0?
- What is OAuth 1.0 Deprecation?
- How do I know whether my app still uses OAuth 1.0?
- I think my app needs to migrate to OAuth 2.0. What should I do?
- Will I need to change how my app uses QuickBooks Online?
- I have questions!
In this FAQ, we’ll use the term “app” to refer to any system that connects to QuickBooks Online using the QuickBooks Online API. In practice, it could be a mobile app, a website, a point of sale system, a back-end server, or any other type of integration.
What is OAuth for?
We provide you with a way to give apps access to your QuickBooks Online and/or QuickBooks Payments data, without requiring you to share your Intuit password with the app.
We do this because, per our Intuit Password and Username Best Practices, you should not share your Intuit password with others. “Others” even includes apps (including your own private apps).
Behind the scenes, that process is known in the industry as OAuth (“Oh-awe-th”), which stands for open authorization.
What is OpenID for?
We offer your app a way to reduce the number of times it makes users sign into QuickBooks Online. This is optional, but many end users like the convenience.
Here’s how it works: If you (as an end user) are already signed into and using QuickBooks Online, and then you click a link from there to launch the integrated app, you can skip the screen that asks you to sign into QuickBooks Online a second time. This is also known as single sign-on.
Behind the scenes, that process is known as OpenID (“Open-eye-dee”), which stands for open identification.
Note that if you have never used the app before, you still need go through OAuth first, to permit the app to access your QuickBooks Online data.
Some apps accept the Intuit single sign-on credentials as well, so that you don’t need to sign into the app separately. Other apps prompt users to sign into the app before or after the Intuit sign-on.
When/how does my app use OAuth?
This section is a little more technical, but it can be useful to understand the communication between QuickBooks Online, your app, and you as an end user. Plus, it might give you an idea of what aspects of your app your engineer or vendor would need to change.
At the beginning of the process, you (as an end user) sign into QuickBooks Online and consent to let the app access your QuickBooks Online data. Your app exchanges some information with QuickBooks Online to close the loop. At this point, you, the app, and QuickBooks Online become three parties in a data sharing agreement.
At the end of that process, QuickBooks Online issues the app a unique value (think of it like a signature or an official stamp) to confirm that the three-party agreement occurred. Behind the scenes, that signature is called an access token. Your app and QuickBooks Online both keep a copy of that token.
From that point on, the app needs to send that access token as proof of your agreement every time the app accesses QuickBooks Online on your behalf. This way, we can make sure your app’s copy of that signature still matches ours.
What is different about OAuth 2.0?
To a QuickBooks Online user, both versions of the process (OAuth 1.0 and OAuth 2.0) will look nearly the same.
Behind the scenes, OAuth 2.0 (and OpenID Connect) is a much newer standard. Like most sign-in technology nowadays, most systems need to upgrade every few years.
The newer version adds some useful benefits for you as a QuickBooks Online user:
- Convenient security: Your app gets a new token every hour (which is like changing your password frequently), without requiring you to sign in again.
- Data privacy: You, the app, and QuickBooks Online can now agree on which kinds of data QuickBooks Online should share with the app, you can keep certain data more private.
What is OAuth 1.0 Deprecation?
In the tech industry, deprecation generally means we’re phasing out support for an outdated technology.
Apps used OAuth 1.0 to integrate with QuickBooks Online prior to July 2017.
OAuth 2.0 is a newer version of the process. It has been available for 18 months, so we have deprecated OAuth 1.0. This means that:
- We don’t allow new apps to use the older process.
- We discourage existing apps from continuing to use the older process.
- After December 17, 2019:
- We won’t allow any apps to use the older process to get your consent.
- We won’t allow any apps to use any access tokens (proof of consent) that we previously issued via the older process.
How do I know whether my app still uses OAuth 1.0 and OpenID 2.0?
If you’re not “technical”, then the best way to know which type of OAuth your app is using is to ask your app developer.
Technical folks can look at the docs to learn how to answer this question.
I think my app needs to migrate to OAuth 2.0 and OpenID Connect. What should I do?
We recommend that you start planning your migration as soon as possible. By doing so, you’ll have plenty of time to ask us questions, make and test your changes, and complete the process well before the deadline.
Based on our experience with other migrations, app owners/developers who wait until the last minute to migrate are more likely to miss deadline. (This in turn prevents their app from accessing QuickBooks Online until it’s fixed.)
If your company has created your own app, see Migrate to OAuth 2.0 by the December 17, 2019 for the full announcement and tips for how to plan your migration.
If you did not create the app(s) you’re using, please contact your app developer to determine whether you need to take any action.
Will I need to change how my app uses QuickBooks Online?
OAuth migration only affects how you sign into QuickBooks Online via your app, and how your app proves it has ongoing permission to access your data.
Everything else your app does (handle invoices, expenses, or manage other accounting data) can stay the same.
I have questions!
Have questions or feedback? Please feel free to comment below or in our developer forums.