Latest guide on Xero oAuth 2.0 integration with Native iOS app using PKCE

March 22, 2022 4 min read

Hi Folks,

Do you want to know how to create Native iOS Mobile Apps that help Xero API integration service directly using OAuth 2.0 PKCE?

You are on the right page.

This article shares solutions for PKCE integration implementation with native iOS apps which are coded in SWIFT. I have shared code samples and examples too.

Hope you will enjoy it. If you know the basics of Xero and PKCE then you can skip the first part of the article.

What is Xero?

Xero is the most popular accounting software for small and medium-sized businesses across Australia, New Zealand, Uk and some parts of the US too.

What is PKCE?

Proof Key for Code Exchange (abbreviated PKCE, pronounced “pixie”) is an extension to the authorization code flow to prevent CSRF and authorization code injection attacks. The technique involves the client first creating a secret on each authorization request, and then using that secret again when exchanging the authorization code for an access token. This way if the code is intercepted, it will not be useful since the token request relies on the initial secret. ( Ref: https://www.oauth.com/oauth2-servers/pkce/ )

Why do I need to use PKCE flow for iOS app integration with Xero?

According to OAuth’s official website. PKCE was originally designed to protect the authorization code flow in mobile apps and was later recommended to be used by single-page apps as well. In later years, it was recognized that its ability to prevent authorization code injection makes it useful for every type of OAuth client, even apps running on a web server that uses a client secret. Because of its history in the use of mobile apps and single-page apps, it is sometimes incorrectly thought that PKCE is an alternative to a client secret. However PKCE is not a replacement for a client secret, and PKCE is recommended even if a client is using a client secret, since apps with a client secret are still susceptible to authorization code injection attacks.

Problem:

I wanted to do the XERO OAuth 2.0 integration flow applied in the Native iOS app. So I went over to Xero’s official SDK documentation page and followed the instructions. This was my first integration as an iOS developer with Xero API.

I got stuck in one specific problem, where in the Xero Developer portal, within the Redirect URI field I was asked to provide a redirect parameter. Which I don’t know how an Xero API will redirect users to an iOS app. So I sent an email to the Xero team and I got this reply.

Reply from the Xero team

Hi Hardik

Mobile clients should use the Claimed HTTPS Scheme URI Redirection to register https redirect URIs. This is supported on both Android (https://developer.android.com/training/app-links/verify-site-associations) and iOS(https://developer.apple.com/library/archive/documentation/General/Conceptual/AppSearch/UniversalLinks.html).

Kind regards.

Screenshot of an email from Xero, discussing HTTPS URI redirection for mobile clients with a focus on OAuth 2.0 integration. Includes links for Android and iOS support, and signed by Sally.

After reading an article given by the Xero support team I tried to enter the Claimed HTTPS Scheme URI in App.

Below is a screenshot of the error when I set Redirect URI.

The configuration page of the app displays connection settings with fields for Redirect URIs, Client ID, and an optional login URL for the launcher. Enhanced with Xero OAuth 2.0 integration, it features buttons for adding URIs and saving changes seamlessly.

So the above error became a key problem and blockage for me. I don’t know What’s the correct redirect url of Xero PKCE integration? How to redirect back in the app after xero login?

Solution:

How to integrate XERO in ios APP

  1. Follow xero developer document for OAuth flow.The Proof Key for Code Exchange (PKCE) flow | Xero Developer
  2. Create a developer account on Xero. After that create an app on xero developer account.
  3. Set the redirect url in the application created on xero. In iOS, we use redirect urls such as: “xeroIntegration://xerointegration.satva.solutions”. But in xero, this type of redirect url can’t be accepted.
    Code snippet with Xero OAuth 2.0 authentication for an Xcode project. Highlights include URL, token details, client ID, and redirect URI set to "xerointegration:/xerointegration.stava.solutions".
  4. I have changed the redirect url in ios app code which was set in xero application but that still gives the error code 500 (Invalid Redirect URL).
    The login error page on Xero's website shows "Sorry, something went wrong" with error code 500 and a message stating "unauthorized_client: Invalid redirect_uri," indicating a potential issue with Xero OAuth 2.0 integration.App Search Programming Guide: Support Universal Links
  5. I tried another solution using the above link. Create a universal redirect url for the ios application. And also set Apple-App-Site-Association on the redirect url of the web page but I can’t get back to the app.
  6. After that, We found the redirect url solution in the ios application. First we set the URL schema to “xeroIntegration” and create a redirect url like “xeroIntegration://xerointegration.satva.solutions”. In the app side, we have set the redirect url in the official API just like the app developed in the xero account.
  7. I talked with one of the expert Xero Developers in my team and we figured out a solution which solves this problem.
  8. It is mandatory requirement that a redirect URI has to be an HTTPS URL. so a web developer helped me create a static secure HTTP site which is just a simple html page as below.
    Web Page URL: https://xerointegration.satva.solutions/
    Page Source Code Screenshot:A screenshot of an HTML document displays a JavaScript script that creatively employs xero OAuth 2.0 to replace "https" in the web address with "xeroIntegration," then updates the window location seamlessly.

    Using below javascript code below, We are redirected to the app.

    Javascript Sample Code:

    
let result = window.location.href.replace(“https”, “xeroIntegration”);
window.location.href=result;
  9. Please observe a javascript written in a webpage that ensures that before the redirect HTTPS parameter is replaced by iOS URL Schema( in my case it’s xeroIntegration). So the URL which iOS will open in Safari browser would look something like the below:xeroIntegration://xerointegration.satva.solutions?code=sjdjksdhnksdfh
    Screenshot of Xcode project settings featuring sections for build settings, URL types, and application properties. Various fields with string values and keys are displayed, including setup details for integrating Xero OAuth 2.0 authentication.
  10. After that, we set the JavaScript code in the redirect url webpage. It will redirect to the application with the parameter “code”.
    Code which you write for authenticate by Xero login:Screenshot of Swift code implementing Xero OAuth 2.0 authentication, featuring methods for handling URL requests, challenge responses, and user authentication sessions.
  11. Once We got “code” parameter from Xero and use “code” parameter, we will get the access token of the Xero account. Code which you write for an access token:
    Screenshot of Swift code defining a function to get an access token using URL and JSON decoding, with error handling and completion handlers, illustrating how to integrate Xero OAuth 2.0 for secure authentication.

Download source code

For reference, You can download the complete Xcode Project at GitHub https://github.com/satva-git/XeroIntegratoin_ios

Also Read: NetSuite Integration: Mastering OAuth 2.0 Client Credentials Flow in .NET Framework (Step-by-Step Guide with Source Code)

Your 1 hour of consulting is on us! Get Xero App Consulting now

Do you need help with custom Xero integration service or development? Our Xero integration experts are here to help you!

Chintan Prajapati
Article by

Chintan Prajapati

Chintan Prajapati, a seasoned computer engineer with over 20 years in the software industry, is the Founder and CEO of Satva Solutions. His expertise lies in Accounting & ERP Integrations, RPA, and developing technology solutions around leading ERP and accounting software, focusing on using Responsible AI and ML in fintech solutions. Chintan holds a BE in Computer Engineering and is a Microsoft Certified Professional, Microsoft Certified Technology Specialist, Certified Azure Solution Developer, Certified Intuit Developer, and Xero Developer.Throughout his career, Chintan has significantly impacted the accounting industry by consulting and delivering integrations and automation solutions that have saved thousands of man-hours. He aims to provide readers with insightful, practical advice on leveraging technology for business efficiency.Outside of his professional work, Chintan enjoys trekking and bird-watching. Guided by the philosophy, "Deliver the highest value to clients". Chintan continues to drive innovation and excellence in digital transformation strategies from his base in Ahmedabad, India.