OAuth 2.0 Authorisation Code Grant Flow for RestLet in SuiteCloud Platform

Wilson Cheng
5 min read · Jan 21, 2022


In my previous story, NetSuite Map/Reduce Scripts in Retail Practices, the POS raw sales data (a custom record) was assumed to be created and integrated from a third-party POS backend system. That assumption is a “machine to machine” integration approach between the POS and NetSuite. In this story we will explore another integration approach: integration between a third-party client and the NetSuite backend.

We will use the following Business Scenarios as an example:

Donut Company would like to run a franchise program that lets individual retail partners set up small pop-up stores. Donut Company develops a mobile app for the pop-up stores (i.e. franchisees) to input their donut sales and then sync all transactions to the NetSuite backend at the end of the day. In effect, it is a mini-POS!

The Technical design of the solution includes 3 parts:

  1. Mobile App
  2. Authorisation between Mobile Client and NetSuite Backend (**)
  3. NetSuite API (RestLet)

Mobile App

It is the interface for user input. It can be developed with a cross-platform mobile framework such as React, React Native, AngularJS or Flutter, and it sends HTTPS GET/POST requests to the NetSuite RestLet for data exchange. As this story focuses on authorisation, we will use Postman to simulate the HTTP requests instead of building the app.

Authorisation between Mobile Client and NetSuite Backend

We choose the OAuth 2.0 Authorisation Code Grant Flow as the authorisation method, which is a standard NetSuite function.

OAuth 2.0 Authorisation Code Grant Flow

The advantages of using OAuth 2.0 instead of TBA (Token-Based Authentication) are:

  1. Only the access token is stored on the mobile client, instead of the full set of user name and password.
  2. The access token is not permanent; it expires after 1 hour (3600 s).
  3. All activities through the integration (i.e. which specific retail partner performed them) can be found in the System Notes of the related record.

Login Audit Trail
System Notes for Audit Trail (Specific Record)

The OAuth 2.0 Authorisation Code Grant type is the most popular grant type for authorising a client to access protected data from a resource server. It is a redirection-based grant type and uses browser redirections to communicate with the resource server and the authorisation server. It provides a few important security benefits, such as the ability to authenticate the client and the transmission of the access token directly to the client without passing it through the resource owner’s user-agent, where it could be exposed to others (including the resource owner).

Here are the steps for setting up the authorisation.

Step 1) Set up a specific partner role, copied from the Advanced Partner Center.

Under Permissions -> Setup, select “Log in using OAuth 2.0 Access Token” and “REST Web Service”.
Under Permissions -> Custom Record, select “POS Record Table”.

Step 2) Assign the custom role to the partner's access.

Step 3) Create an integration record with OAuth 2.0 and the following configuration:

  • AUTHORIZATION CODE GRANT
  • Redirect URL
  • Scope (RESTFUL)

Once saved, record the client credentials (Consumer Key/Client ID and Consumer Secret/Client Secret).

Set Up > Integration > Manage Integration

All set up is done! Let's simulate the authorisation process.

Step 1) Send GET Request to the Authorisation Endpoint

In the first step of the OAuth 2.0 authorisation code grant flow, the application sends a GET request to the authorisation endpoint in order to get the “code”.

The format of the URL is: https://<accountID>.app.netsuite.com/app/login/oauth2/authorize.nl

The related parameters are:

  • scope: restlets+rest_webservices
  • redirect_uri: <redirect_url in your client App>
  • response_type: code
  • client_id: <recorded in step 3 of the set up above>
  • code_challenge_method: SHA256
  • state: the length of the state parameter must be between 24 and 1024 characters (e.g. ykv2XLx1BpT5Q0F3MRPHb94j)

Once the GET request is sent, the NetSuite login page pops up for the franchisee partner to enter their user name and password. After allowing the data access consent statement, NetSuite redirects to your URL with the following parameters:

Flow for User Experiences in Step 1 of Authorisation

Step 2) Send POST Request to the Token Endpoint

After getting the “code” in Step 1, the third-party application sends a POST request to the token endpoint. The request must include the client credentials in the HTTP Authorization request header and the required parameters in the request body. At the end of this step, the access token and refresh token are granted.

The format of the URL is: https://<accountID>.suitetalk.api.netsuite.com/services/rest/auth/oauth2/v1/token

The parameters are listed below:

  • code: <code from step 1>
  • redirect_uri: <URL that receives the access token response>
  • grant_type: authorization_code

The Authorization header is as follows:

  • Type: Basic Auth
  • User name: Consumer Key/Client ID
  • Password: Consumer Secret/Client Secret

On success, the returned JSON body is:

Yes! You have the access token now! You can use this token to access your own API resource (RestLet) for 1 hour!
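As an added example (not code from the original post or from NetSuite), here are the two requests above in Python: it generates the PKCE verifier/challenge pair, builds the Step 1 authorisation URL, checks the state on the callback before trusting the code, and assembles the Step 2 token request with the Basic Authorization header. The account ID, client credentials, redirect URL and callback values are constructed placeholders; it uses the RFC 7636 spelling S256 for code_challenge_method and adds the code_challenge and code_verifier parameters that go with it.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(raw):
    """Base64url without '=' padding, the encoding RFC 7636 (PKCE) requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(code_verifier):
    """S256 method: code_challenge = BASE64URL(SHA256(code_verifier))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def new_pkce_pair():
    """Fresh verifier (43 chars, inside the 43..128 range) and its challenge; the verifier stays client-side."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, pkce_challenge(verifier)


def build_authorize_url(account_id, client_id, redirect_uri, state, code_challenge):
    """Step 1: GET to the authorisation endpoint; urlencode writes the scope as restlets+rest_webservices."""
    params = {"scope": "restlets rest_webservices", "redirect_uri": redirect_uri,
              "response_type": "code", "client_id": client_id,
              "code_challenge": code_challenge, "code_challenge_method": "S256", "state": state}
    return f"https://{account_id}.app.netsuite.com/app/login/oauth2/authorize.nl?" + urlencode(params)


def code_from_callback(callback_url, expected_state):
    """Accept the redirect only if 'state' is the value this client generated (rejects injected callbacks)."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback was not started by this client")
    if "error" in q:
        raise RuntimeError("authorisation failed: " + q["error"][0])
    return q["code"][0]


def build_token_request(account_id, client_id, client_secret, code, redirect_uri, code_verifier):
    """Step 2: (url, headers, body) for the POST to the token endpoint; nothing is sent here."""
    url = f"https://{account_id}.suitetalk.api.netsuite.com/services/rest/auth/oauth2/v1/token"
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode("ascii")).decode("ascii")
    headers = {"Authorization": "Basic " + basic, "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"code": code, "redirect_uri": redirect_uri,
                      "grant_type": "authorization_code", "code_verifier": code_verifier})
    return url, headers, body
```

Generate the state with secrets.token_urlsafe(24) (32 characters, inside the 24..1024 range) and keep it together with the verifier until the callback arrives.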

Overall Flow for OAuth 2.0 Authorisation Code Grant

OAuth 2.0 Authorisation code grant flow

In conclusion, compared with previous releases, NetSuite did a very good job with this common authorisation methodology. It is a very simple way to work with RestLets, with full support for login and record audit trails and for integration governance.

Set Up > User/Roles > OAuth 2.0 Authorised Applications

*** Design and Code by Wilson Cheng

Just reached a production line inside a donut shop near my home. It is funny!
