Hosting requirements for oauth2 api


(Stuart Bennett) #1

I have a client and they are on the xmlrpc api at present but the new tls 1.2 requirements mean we are having to upgrade their api code to oauth 2 to stop their api stuff from breaking.

However, their current hosting provider, based on our testing, does not appear to support oauth 2 code.

We therefore need to know which uk hosting companies we can have our client's website hosted on, and the exact minimum server requirements our client needs on their hosting package to successfully use oauth 2 code.


(Brett Partridge) #2

Couple of things:

  1. While we definitely recommend updating to OAuth2 from legacy keys, that is completely separate from the TLS upgrade. In other words, one can update to the latest version of TLS completely independent of the authorization mechanism used (legacy key or OAuth).

  2. Other than SSL, there are no hosting or server requirements to implement the OAuth spec. Can you provide more detail around the setup you are working with? Depending on the framework being used there may be a plugin or something needed. With more detail the community may be able to make recommendations.

  3. If it gets to be too specific of a situation for the group’s knowledge base, then reaching out directly to support for help would be the final step.


(Stuart Bennett) #3

Our client has a wordpress based website hosted on a shared hosting package on heart internet.

The xmlrpc api works fine on this setup but our php developer advises that we can’t achieve compatibility with tls 1.2 with changing from xmlrpc over to oauth2.

We set up a second domain on the client's hosting package to run tests on the new oauth2 version of the api scripts we are using and discovered that the oauth2 code doesn’t work properly on the client's current hosting setup.

We therefore need to migrate the client's website, both live and dev copies, to a new hosting company but are looking for recommendations of which uk hosting companies will best serve our client's needs.


(John Borelli) #4

@Stuart_Bennett, we have had clients with the same issue and how it was fixed is to ensure that the HTTP POST from IS is http (not https) and then use a redirect exception in .htaccess to prevent redirection to https from the server using RewriteCond.

That being said, transitioning to OAuth is advisable but can come with issues so if it is possible then do so but if it’s not practical then you can fix the issue for the interim using the method I’ve mentioned.


(Michael Fairchild) #5

While there isn’t a hosting requirement for OAuth2 and the APIs, there is a PHP version requirement on our PHP SDK. The minimum PHP version requirement for the PHP SDK is PHP 5.5.
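
Added example (not part of any post in this thread, and not Infusionsoft or SDK code): a preflight script for the two requirements stated above, PHP 5.5 for the PHP SDK and TLS 1.2 support on the host. It assumes the API client makes its HTTPS requests through PHP's cURL extension; the function names are hypothetical and the failing sample values are constructed.

```php
<?php
// Added example: preflight check for a PHP host (not Infusionsoft or SDK code).
// Thresholds: PHP 5.5 is the SDK minimum stated in this thread; OpenSSL 1.0.1
// is the first OpenSSL release that implements TLS 1.2.
// Written with array() syntax so the script itself still runs on old PHP.

/** Parse "OpenSSL/1.0.2k-fips" style strings from curl_version()['ssl_version']. */
function openssl_version_from_curl($sslVersion)
{
    if (preg_match('~^OpenSSL/(\d+\.\d+\.\d+)~', $sslVersion, $m)) {
        return $m[1];
    }
    return null; // NSS, GnuTLS, LibreSSL, etc.: cannot judge from the version string
}

/** Return a list of problems; an empty list means the host passes the preflight. */
function check_host($phpVersion, $hasCurl, $curlSslVersion)
{
    $problems = array();
    if (version_compare($phpVersion, '5.5.0', '<')) {
        $problems[] = "PHP $phpVersion is below the SDK minimum of 5.5";
    }
    if (!$hasCurl) {
        $problems[] = 'cURL extension is not loaded';
        return $problems;
    }
    $openssl = openssl_version_from_curl($curlSslVersion);
    if ($openssl === null) {
        $problems[] = "cURL is built against '$curlSslVersion'; confirm TLS 1.2 support with the host";
    } elseif (version_compare($openssl, '1.0.1', '<')) {
        $problems[] = "OpenSSL $openssl predates TLS 1.2 (needs 1.0.1 or later)";
    }
    return $problems;
}

// Constructed sample: an older shared-hosting stack that fails both checks.
print_r(check_host('5.3.29', true, 'OpenSSL/0.9.8e-fips-rhel5'));

// The host this script is actually running on.
$hasCurl = function_exists('curl_version');
$cv = $hasCurl ? curl_version() : array('ssl_version' => '');
$problems = check_host(PHP_VERSION, $hasCurl, $cv['ssl_version']);
echo $problems ? implode(PHP_EOL, $problems) . PHP_EOL : "Preflight passed" . PHP_EOL;
```

A pass only shows the installed libraries are new enough for TLS 1.2; it does not prove that a given connection negotiates it.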


(Syn Gates) #6

I haven’t used the OAuth2 API before. Is there anything else I should take care of, any other requirements?



(John Borelli) #7

Hi @Syn_Gates,

You’ll want to review the authentication documentation to start with:

https://developer.infusionsoft.com/docs/xml-rpc/#authentication

The first step in the process is to register your app on Mashery and get the client secret/id you’ll need to begin the process with OAuth:

https://keys.developer.infusionsoft.com/member/register

Once the app is accepted and is active, the OAuth process has a specific flow:

  1. Use the Mashery id/secret to request an authorization token which will be used to request your API tokens. This step will result in the user being asked to log in and authorize a specific app for access and will then return the authorization token needed to request tokens for access.
  2. Use the new authorization token to request your access/refresh token pair. The authorization token is only valid for a very short time (something like 5 minutes).
  3. You will receive back the access/refresh token pair and will be able to use the access token for up to 24 hours before needing to refresh the access rights.
  4. The access token is what will be needed to make API calls and the refresh token is what you will need to request a new set of access/refresh tokens before the 24 hour period expires on the current ones. The refresh token I believe is good for 90 days (long after an access token would expire).

Hope that helps :wink:


(Syn Gates) #8

Thanks a lot, I will try :smiley: