Authentication & Tokens

The EDGE Store plugin integrates with several services that use OAuth 2.0 for authentication. This document explains how the plugin obtains, stores and refreshes those access tokens, and how to reconnect a service once its tokens are no longer usable.

Supported Services

The primary services using OAuth 2.0 are:

  • Xero: For accounting.
  • Zoho CRM: For product and customer data.

Token Storage

Access tokens, refresh tokens, and their expiry times are stored in the WordPress database in the wp_options table. Note that wp_options holds option values in plaintext: anyone who can read the database, or a backup of it, can recover live tokens, so database credentials and backups must be protected as secrets. The plugin uses a dedicated class or helper for each integration to manage its specific tokens.

  • Xero Tokens: Managed by XeroConnector. The option key is typically xero_tokens.
  • Zoho Tokens: Managed by zohocrm/Api/ZohoAuth.php. The option key is typically zoho_tokens.

The Authentication Flow (OAuth 2.0)

The general flow for connecting a service is as follows:

  1. Initiate Connection: An administrator clicks a “Connect” button on the plugin’s settings page in the WordPress admin.
  2. Redirect to Provider: The user is redirected to the service provider’s website (e.g., Xero or Zoho) to log in and grant permission.
  3. Authorization Code: After granting permission, the provider redirects the user back to a specific callback URL within the WordPress admin. This redirect carries a short-lived, single-use authorization code in the code query parameter, together with the state value that was sent in step 2. The callback must check that state matches the value it issued before using the code; without that check an attacker can trick a logged-in administrator into binding the attacker's provider account to the site (a CSRF attack on the login flow).
  4. Token Exchange: The plugin’s connector class (XeroConnector or ZohoConnector) receives this authorization code and immediately makes a server-to-server API call back to the provider to exchange it for an access token and a refresh token. This call authenticates with the plugin’s client ID and client secret, so the secret never reaches the browser.
  5. Store Tokens: The access token, the refresh token and an absolute expiry time (computed from the provider’s expires_in value) are stored in the wp_options table.

Automatic Token Refresh

Access tokens are short-lived: Xero access tokens expire 30 minutes after issue and Zoho access tokens after 1 hour. To maintain a persistent connection, the plugin uses the stored refresh token to automatically obtain a new access token when the old one expires.

  • Process: Before making an API call, the connector class checks if the current access token has expired.
  • If Expired: It uses the refresh token to request a new access token from the provider.
  • Update Storage: The new access token and its new expiry time are saved to the database, overwriting the old ones. If the provider also returns a new refresh token, as Xero does on every refresh (the previous refresh token is invalidated at the same time), it must be saved as well; otherwise the next refresh fails and the service has to be reconnected.

This process is seamless and requires no user intervention as long as the refresh token remains valid. Xero refresh tokens expire if they go unused for 60 days; Zoho refresh tokens do not expire on their own but can be revoked by the account owner.
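The connection flow (steps 1 to 5) and the expiry-checked refresh described above, as one added example that is not the EDGE Store plugin’s own code. It uses Xero’s public identity endpoints as the concrete instance and xero_tokens, the option key this page gives for Xero. The class name, the EDGE_EXAMPLE_XERO_* constants, the transient names, the refresh lock and the 60-second skew are assumptions made for the example; the state check, the server-side token exchange and the saving of a rotated refresh token are the points the text above calls for.

```php
// Added example, not the EDGE Store plugin's own code. Xero endpoints are the concrete instance;
// the class, constant, transient and lock names are assumptions made for this example.
class Edge_Example_Oauth_Connector {
    const OPTION_KEY    = 'xero_tokens';   // option key this page gives for Xero
    const TOKEN_URL     = 'https://identity.xero.com/connect/token';
    const AUTHORIZE_URL = 'https://login.xero.com/identity/connect/authorize';
    const SKEW_SECONDS  = 60;              // refresh this long before the recorded expiry
    const LOCK_KEY      = 'edge_example_oauth_refresh_lock';
    const STATE_PREFIX  = 'edge_example_oauth_state_';
    // EDGE_EXAMPLE_XERO_CLIENT_ID / _CLIENT_SECRET / _REDIRECT_URI: assumed to be defined in wp-config.php.

    /** Step 2: provider URL, bound to this admin session by a random single-use state value. */
    public static function authorize_url( $scopes ) {
        $state = wp_generate_password( 32, false );
        set_transient( self::STATE_PREFIX . get_current_user_id(), $state, 10 * MINUTE_IN_SECONDS );
        return add_query_arg( array(
            'response_type' => 'code',
            'client_id'     => EDGE_EXAMPLE_XERO_CLIENT_ID,
            'redirect_uri'  => EDGE_EXAMPLE_XERO_REDIRECT_URI,
            'scope'         => $scopes,
            'state'         => $state,
        ), self::AUTHORIZE_URL );
    }

    /** Steps 3-5: verify state, exchange the code server-to-server, store the result. */
    public static function handle_callback( array $query ) {
        if ( ! current_user_can( 'manage_options' ) ) {
            return new WP_Error( 'forbidden', 'Only administrators may connect services.' );
        }
        $key      = self::STATE_PREFIX . get_current_user_id();
        $expected = get_transient( $key );
        delete_transient( $key ); // one attempt per issued state
        if ( empty( $query['state'] ) || ! is_string( $expected )
             || ! hash_equals( $expected, (string) $query['state'] ) ) {
            return new WP_Error( 'bad_state', 'OAuth state mismatch: stale request or CSRF.' );
        }
        if ( empty( $query['code'] ) ) {
            return new WP_Error( 'no_code', 'Provider returned no authorization code.' );
        }
        $tokens = self::token_request( array(
            'grant_type'   => 'authorization_code',
            'code'         => $query['code'],
            'redirect_uri' => EDGE_EXAMPLE_XERO_REDIRECT_URI,
        ) );
        if ( is_wp_error( $tokens ) ) { return $tokens; }
        self::store( $tokens );
        return true;
    }

    /** A usable access token, refreshed first when the stored one is (nearly) expired. */
    public static function access_token() {
        $stored = get_option( self::OPTION_KEY );
        if ( empty( $stored['refresh_token'] ) ) {
            return new WP_Error( 'disconnected', 'No tokens stored; connect the service first.' );
        }
        if ( time() < (int) ( $stored['expires_at'] ?? 0 ) - self::SKEW_SECONDS ) {
            return $stored['access_token'];
        }
        // Xero rotates the refresh token on every refresh, so two concurrent refreshes would
        // leave one of them holding a refresh token the provider has already invalidated.
        if ( get_transient( self::LOCK_KEY ) ) {
            return new WP_Error( 'refreshing', 'Refresh already in progress; retry shortly.' );
        }
        set_transient( self::LOCK_KEY, 1, 30 );
        $tokens = self::token_request( array(
            'grant_type'    => 'refresh_token',
            'refresh_token' => $stored['refresh_token'],
        ) );
        delete_transient( self::LOCK_KEY );
        if ( is_wp_error( $tokens ) ) { return $tokens; } // expired or revoked: an admin must reconnect
        self::store( $tokens, $stored );
        return $tokens['access_token'];
    }

    /** POST to the token endpoint; the client secret travels only in this server-side call. */
    private static function token_request( array $body ) {
        $response = wp_remote_post( self::TOKEN_URL, array(
            'timeout' => 15,
            'headers' => array( 'Authorization' => 'Basic ' . base64_encode(
                EDGE_EXAMPLE_XERO_CLIENT_ID . ':' . EDGE_EXAMPLE_XERO_CLIENT_SECRET ) ),
            'body'    => $body, // sent as application/x-www-form-urlencoded
        ) );
        if ( is_wp_error( $response ) ) { return $response; }
        $data = json_decode( wp_remote_retrieve_body( $response ), true );
        if ( 200 !== wp_remote_retrieve_response_code( $response ) || empty( $data['access_token'] ) ) {
            return new WP_Error( 'token_error', $data['error'] ?? 'Unexpected token endpoint response.' );
        }
        return $data;
    }

    /** Persist with an absolute expiry; keep the old refresh token only if none was rotated in. */
    private static function store( array $tokens, array $previous = array() ) {
        update_option( self::OPTION_KEY, array(
            'access_token'  => $tokens['access_token'],
            'refresh_token' => $tokens['refresh_token'] ?? ( $previous['refresh_token'] ?? '' ),
            'expires_at'    => time() + (int) ( $tokens['expires_in'] ?? 0 ),
        ), 'no' ); // autoload off: secrets are not pulled into memory on every page load
    }
}
```

Usage: the settings page links the “Connect” button to Edge_Example_Oauth_Connector::authorize_url( 'offline_access accounting.transactions' ), the callback handler passes $_GET to handle_callback(), and every API call obtains its bearer token from access_token() rather than reading the option directly, so the expiry check and refresh cannot be bypassed. The transient-based lock is a pragmatic guard for a single site; on a multi-server deployment without a shared object cache it is not a real mutex, and a database-level lock would be needed.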

Reconnecting a Service / Clearing Tokens

There are situations where a service may need to be reconnected:

  • The refresh token has expired or been revoked (e.g., by a user revoking permission in the provider’s application settings).
  • API credentials (client ID/secret) have changed.
  • You want to connect to a different account (e.g., moving from a sandbox to a production Xero account).

How to Reconnect:

Most of the integration settings pages in the WordPress admin provide a “Clear Tokens” or “Disconnect” button.

  1. Clear Tokens: Clicking this button deletes the stored tokens for that service (access token, refresh token and expiry) from the wp_options table. As this is a state-changing admin action, it should be reachable only by users with the manage_options capability and only through a nonce-checked request.
  2. Reconnect: After clearing the tokens, the “Connect” button will reappear, allowing you to go through the OAuth 2.0 authentication flow again from the beginning.
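The disconnect step above, as an added example that is not the plugin’s own code: an admin-post handler that checks capability and nonce, deletes the stored option, and additionally revokes the refresh token at Xero’s public revocation endpoint so the grant is dead on the provider side and not only forgotten locally. The hook, function and settings-page names and the EDGE_EXAMPLE_XERO_* constants are assumptions; xero_tokens is the option key this page gives for Xero.

```php
// Added example, not the EDGE Store plugin's own code. Hook, function, page-slug and
// constant names are assumptions; xero_tokens is the option key this page gives for Xero.
add_action( 'admin_post_edge_example_disconnect_xero', 'edge_example_disconnect_xero' );

/** Settings page: the "Disconnect" button posts to admin-post.php with a nonce bound to this action. */
function edge_example_disconnect_button() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="edge_example_disconnect_xero">
        <?php wp_nonce_field( 'edge_example_disconnect_xero' ); ?>
        <?php submit_button( 'Disconnect Xero', 'delete', 'submit', false ); ?>
    </form>
    <?php
}

/** Handler: only an administrator, only via a form they submitted, may sever the connection. */
function edge_example_disconnect_xero() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'edge_example_disconnect_xero' ); // dies on a missing or invalid nonce

    $stored  = get_option( 'xero_tokens' );
    $revoked = false;
    if ( ! empty( $stored['refresh_token'] ) ) {
        $revoked = edge_example_revoke_xero_refresh_token( $stored['refresh_token'] );
    }
    // Delete locally regardless of the revocation result: even if the provider call failed,
    // the site must not keep using the grant. The admin is told which of the two happened.
    delete_option( 'xero_tokens' );

    wp_safe_redirect( add_query_arg( array(
        'page'    => 'edge-store-settings',   // assumed settings page slug
        'xero'    => 'disconnected',
        'revoked' => $revoked ? '1' : '0',
    ), admin_url( 'admin.php' ) ) );
    exit;
}

/** Ask Xero to revoke the refresh token (and the access tokens issued from it). */
function edge_example_revoke_xero_refresh_token( $refresh_token ) {
    $response = wp_remote_post( 'https://identity.xero.com/connect/revocation', array(
        'timeout' => 15,
        'headers' => array( 'Authorization' => 'Basic ' . base64_encode(
            EDGE_EXAMPLE_XERO_CLIENT_ID . ':' . EDGE_EXAMPLE_XERO_CLIENT_SECRET ) ),
        'body'    => array( 'token' => $refresh_token ),
    ) );
    return ! is_wp_error( $response ) && 200 === wp_remote_retrieve_response_code( $response );
}
```

If revocation reports failure (for example because the refresh token had already expired), the local deletion still leaves the site in the “disconnected” state, and the account owner can confirm or complete the revocation in the provider’s connected-apps settings.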

Clearing the tokens removes only the site’s copy of them. The grant itself stays valid at the provider until it is revoked there, either by the account owner in the provider’s connected-apps settings or by a call to the provider’s token revocation endpoint. Do both when decommissioning a site or responding to a suspected token leak.


This concludes the core documentation for developers.