Intuit OAuth Client
The `intuit-oauth` library is the official Python client for working with Intuit APIs, providing an OAuth 2.0 and OpenID Connect implementation. It simplifies authorization, token management, and API calls for services like QuickBooks Accounting, Payments, and UserInfo. The current version is 1.2.6, with active development and regular releases addressing new features, bug fixes, and security updates.
Warnings
- breaking: Version 1.2.6 replaced the `python-jose` dependency with `pyjwt` to address CVE-2024-23342. While this is primarily an internal change, direct reliance on `python-jose` features through the library might be affected. [from release notes]
- gotcha: Python 3.12 support was explicitly added in version 1.2.5. Users running Python 3.12 with older versions of `intuit-oauth` may encounter compatibility issues. [from release notes]
- gotcha: OAuth 2.0 access tokens are valid for 1 hour (3600 seconds). Refresh tokens change with every refresh and are valid for 100 days of continuous use. It is critical to store and use the latest `refresh_token` value from each server response. Failure to do so will result in `invalid_grant` errors and require user re-authorization.
- gotcha: Redirect URIs used for production applications must be secured with HTTPS. HTTP redirect URIs are generally only permitted for local development (e.g., `http://localhost:port`) when using sandbox credentials.
- gotcha: Intuit uses separate Client ID and Client Secret credentials for 'development' (sandbox) and 'production' environments. Using the wrong set of credentials for your target environment is a common mistake and will lead to authorization failures.
Install
- `pip install intuit-oauth`
Imports
- AuthClient: `from intuitlib.client import AuthClient`
- Scopes: `from intuitlib.enums import Scopes`
Quickstart
```python
import os

from intuitlib.client import AuthClient
from intuitlib.enums import Scopes

# Replace with your actual credentials from the Intuit Developer Portal.
client_id = os.environ.get('INTUIT_CLIENT_ID', 'YOUR_CLIENT_ID')
client_secret = os.environ.get('INTUIT_CLIENT_SECRET', 'YOUR_CLIENT_SECRET')
redirect_uri = os.environ.get('INTUIT_REDIRECT_URI', 'https://example.com/callback')
environment = os.environ.get('INTUIT_ENVIRONMENT', 'sandbox')  # 'sandbox' or 'production'

auth_client = AuthClient(
    client_id,
    client_secret,
    redirect_uri,
    environment,
)

# Generate the authorization URL.
# Scopes determine the level of access requested (enum members are upper-case).
scopes = [Scopes.ACCOUNTING, Scopes.OPENID, Scopes.PROFILE, Scopes.EMAIL]
authorization_url = auth_client.get_authorization_url(scopes)
print(f"Please visit this URL to authorize your app: {authorization_url}")

# In a real application, you would redirect the user to this URL.
# After authorization, Intuit redirects to your `redirect_uri` with `state`, `code`, and `realmId`.
# Check that the returned `state` matches the one sent in the authorization URL,
# then exchange the authorization code for tokens.
# For example, after getting `auth_code` and `realm_id` from the callback URL:
# try:
#     auth_client.get_bearer_token(auth_code, realm_id=realm_id)
#     # Demo output only: in real code, store tokens securely and keep them out of logs.
#     print(f"Access Token: {auth_client.access_token}")
#     print(f"Refresh Token: {auth_client.refresh_token}")
# except Exception as e:
#     print(f"Error getting tokens: {e}")
```
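Persisting the rotated refresh token, as the refresh-token warning above requires. This is an added example, not code from the `intuit-oauth` project. It assumes a client object with the `access_token` and `refresh_token` attributes shown in the Quickstart plus a `refresh(refresh_token=...)` method (`expires_in` is read if present); `TokenStore`, `current_access_token`, the JSON file and the 60-second margin are hypothetical.

```python
import json
import os
import tempfile
import time

ACCESS_TTL = 3600  # access-token lifetime in seconds, as stated in the warnings
SKEW = 60          # assumed safety margin: refresh this long before expiry


class TokenStore:
    """Keeps the newest token pair in a local JSON file (stand-in for a secret store)."""

    def __init__(self, path):
        self.path = os.path.abspath(path)

    def load(self):
        try:
            with open(self.path) as fh:
                return json.load(fh)
        except FileNotFoundError:
            return None

    def save(self, client, now=None):
        now = time.time() if now is None else now
        record = {
            "access_token": client.access_token,
            "refresh_token": client.refresh_token,  # rotated value replaces the old one
            "access_expires_at": now + (getattr(client, "expires_in", None) or ACCESS_TTL),
        }
        # mkstemp creates the file with mode 0600; os.replace swaps it in atomically,
        # so a crash during the write never leaves a half-written token file.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path))
        with os.fdopen(fd, "w") as fh:
            json.dump(record, fh)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, self.path)
        return record


def current_access_token(client, store, now=None):
    """Return a usable access token, refreshing and persisting when it is near expiry."""
    now = time.time() if now is None else now
    record = store.load()
    if record is None:
        raise RuntimeError("no stored tokens: run the authorization flow first")
    if record["access_expires_at"] - SKEW > now:
        return record["access_token"]
    client.refresh(refresh_token=record["refresh_token"])
    return store.save(client, now)["access_token"]
```

Call `store.save(auth_client)` once after the initial code exchange, then obtain every access token through `current_access_token` so the stored refresh token is always the latest one.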