Transition to OAuth2

ElenaLG Member Posts: 8
edited September 16 in Development

Hello

Our company has been developing a PMS, and currently we are integrated with LS Restaurant via the following API methods:

PosiosApi.getApiToken(java.lang.String username,
                      java.lang.String password,
                      java.lang.String deviceId,
                      java.lang.String applicationId,
                      java.lang.String applicationVersion,
                      java.lang.String deviceModel,
                      java.lang.String deviceVersion,
                      boolean optout,
                      java.lang.String locale,
                      java.lang.String deviceName)

PosiosApi.getFloors(java.lang.String apiToken, int companyId)

PosiosApi.getPaymentTypes(java.lang.String apiToken, int companyId)

PosiosApi.getProductCategories(java.lang.String apiToken, int companyId)

RoomApi.setRooms(java.lang.String apiToken, int companyId, Room[] rooms)

PosiosApi.getReceiptsByStatusAndModificationDate(java.lang.String apiToken, int companyId, java.lang.String status, long from, long to, long modificationDate)

We got two users upon connecting with LS, and each of the two is connected with a bunch of hotels (aka LS companies). As you can see, we get a token for a user and then use the token to get data for a certain company.

Questions:

  1. Can these methods be used together with OAuth2? If they can, can apiToken simply be replaced with an access token?
  2. How should clients be registered? May a client be registered per user, so that an access token is used by several hotels (the same way apiToken is used now)? Or should each hotel get its own client?

Kind regards, Elena.

Post edited by Yorick

11 comments

  • LucienVersendaal Moderator, Lightspeed Staff Posts: 349

    Hi @ElenaLG,

    Thank you for reaching out to us.

    If I'm right, your company is a partner of Lightspeed, so you have access to the Resto documentation. There you'll find all the information you need about the access token, and also how clients need to be authorized. OAuth2 works in such a way that every client needs to approve your application so you can POST or GET data from the merchant. This way of authorizing is secure and makes the merchant aware of which integrations they are using.

    I hope this helps.

  • ElenaLG Member Posts: 8
    edited September 17

    Dear @LucienVersendaal

    The Resto spec has the following description of the fields for registering an OAuth2 client:

    The following information is required to create a developer account:
    Company
    First Name
    Last Name
    Email

    The following information is then required to register a new OAuth client:
    App Name
    App Display Name
    Redirect URL


    We got a client request URL that contains slightly different fields:
    Company Name
    Integration Name
    Contact First Name
    Contact Last Name
    Developer Email
    Redirect URI


    After trying to correlate them we got:

    1. Company - Company Name
    2. First Name - Contact First Name
    3. Last Name - Contact Last Name
    4. Email - Developer Email
    5. App Name - ?
    6. App Display Name - Integration Name
    7. Redirect URL - Redirect URI

    The first column is from the spec, the second is from the client request URL.


    Does this mean that fields 1-4 are intended for registering our company and fields 5-7 for registering our application?

    I ask because we were told that a client must be created for every hotel that our company manages. Is that really so?


    Kind regards, Elena.

  • LucienVersendaal Moderator, Lightspeed Staff Posts: 349

    Hi @ElenaLG,

    Once the OAuth client is registered by Lightspeed, the client ID and client secret will be shared with the developer. To register an OAuth client, please contact your Partner Manager or Sales Representative.

    No, we create a partner account for you; after that, every merchant that wants to use your app needs to approve your application, just as we mention in our documentation.

    Your colleague Svetlana already has access to our API.

    P.S. Please don't share any Monday form links here.

  • ElenaLG Member Posts: 8

    Hi @LucienVersendaal


    "Once the OAuth client is registered by Lightspeed, the client ID and client secret will be shared with the developer. To register an OAuth client, please contact your Partner Manager or Sales Representative."

    Does this mean that upon connecting every hotel to LS we have to contact our Partner Manager or Sales Representative?


    Thanks

  • LucienVersendaal Moderator, Lightspeed Staff Posts: 349

    Hi @ElenaLG,

    No. We create a partner account for you; after that, every merchant that wants to use your app needs to approve your application, just as we mention in our documentation.

  • ElenaLG Member Posts: 8

    Hi @LucienVersendaal

    Then we have to guide every merchant through the approval routine that is shown in the video that you sent to Svetlana, right?

    Then what if you have several merchants? Do you do the approval steps with the same client for a second merchant and get another access token? Is that possible? The spec does not explain how to work with one application and several merchants.

    Also as an example of working with an access token the video returns a list of companies. Are all the companies connected to one merchant?

    Regards, Elena.

  • LucienVersendaal Moderator, Lightspeed Staff Posts: 349
    edited September 18

    Correct. This is for security reasons and makes merchants aware of which applications they authorize.

    Let's say Shop A wants to use your app. You'll give them the authorize link, so when they enter this in the browser they need to log in with their store credentials and approve your app. Then they will be redirected to your redirectURL with all the parameters that are shown in the documentation. You get the response with an access_token and a refresh_token; if your access_token is expired you can get a new one by using the refresh_token, which never expires.

    These are the steps you need to do for Shop B, Shop C and Shop Z.

    You see multiple shops because in the video I was logged in to my master establishment that has multiple locations.

    So if a company has 10 locations, you'll need to authorize your app 10 times on each specific location.

  • ElenaLG Member Posts: 8

    Hi @LucienVersendaal

    Will an access token obtained for shop B kill a previously obtained access token for shop A or not?

    Thanks

  • LucienVersendaal Moderator, Lightspeed Staff Posts: 349

    You need to save that in a database.

  • ElenaLG Member Posts: 8

    Hi @LucienVersendaal

    My last question was about your system:

    can access tokens for Shops A...Z that were obtained for the same client live simultaneously on your site?

  • LucienVersendaal Moderator, Lightspeed Staff Posts: 349

    Yes, they have their own access token.

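The per-location flow described in the replies above (one authorization per shop with a single OAuth client, the integrator storing each shop's tokens, tokens for different shops living side by side, and refreshing an expired access token with its refresh token) as an added Python example for this thread. It is not Lightspeed's SDK or documentation code: the authorize URL, client id, redirect URI and the FakeTokenEndpoint class are placeholders or constructed stand-ins, and the real token endpoint, parameter names and refresh-token rotation behaviour come from the Resto documentation.

```python
"""Per-location OAuth2 token bookkeeping for a multi-merchant integration.

Added example for this thread, not Lightspeed's SDK. The provider's token
endpoint is replaced by FakeTokenEndpoint so the code runs offline; the URLs
and client id below are placeholders.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://provider.example/oauth/authorize"  # placeholder
CLIENT_ID = "placeholder-client-id"                          # placeholder
REDIRECT_URI = "https://pms.example/oauth/callback"          # placeholder

TokenResponse = Dict[str, object]


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: float  # epoch seconds after which the access token is stale


@dataclass
class TokenStore:
    """One TokenSet per merchant location; authorizing Shop B never touches Shop A."""
    tokens: Dict[str, TokenSet] = field(default_factory=dict)
    pending: Dict[str, str] = field(default_factory=dict)  # state value -> location id

    def build_authorize_link(self, location_id: str) -> str:
        # Fresh random, single-use state per authorization: the callback can only be
        # tied to the location that started it, and a replayed callback is rejected.
        state = secrets.token_urlsafe(16)
        self.pending[state] = location_id
        query = {"response_type": "code", "client_id": CLIENT_ID,
                 "redirect_uri": REDIRECT_URI, "state": state}
        return f"{AUTHORIZE_URL}?{urlencode(query)}"

    def handle_callback(self, state: str, code: str,
                        exchange: Callable[[str], TokenResponse],
                        now: Callable[[], float] = time.time) -> str:
        location_id = self.pending.pop(state, None)  # single use
        if location_id is None:
            raise ValueError("unknown or already-used state")
        resp = exchange(code)  # code -> access_token + refresh_token at the token endpoint
        self.tokens[location_id] = TokenSet(str(resp["access_token"]),
                                            str(resp["refresh_token"]),
                                            now() + float(resp["expires_in"]))
        return location_id

    def access_token_for(self, location_id: str,
                         refresh: Callable[[str], TokenResponse],
                         now: Callable[[], float] = time.time,
                         skew: float = 30.0) -> str:
        ts = self.tokens[location_id]
        if ts.expires_at - skew <= now():  # refresh slightly before expiry
            resp = refresh(ts.refresh_token)
            ts.access_token = str(resp["access_token"])
            # Some providers rotate the refresh token; keep the old one if none is returned.
            ts.refresh_token = str(resp.get("refresh_token", ts.refresh_token))
            ts.expires_at = now() + float(resp["expires_in"])
        return ts.access_token


class FakeTokenEndpoint:
    """Constructed stand-in for the provider's token endpoint (not a real API)."""
    def __init__(self) -> None:
        self.calls = 0

    def exchange(self, code: str) -> TokenResponse:
        self.calls += 1
        return {"access_token": f"at-{code}-{self.calls}",
                "refresh_token": f"rt-{code}", "expires_in": 3600}

    def refresh(self, refresh_token: str) -> TokenResponse:
        self.calls += 1
        return {"access_token": f"at-refreshed-{self.calls}", "expires_in": 3600}


def state_from_link(link: str) -> str:
    """Pull the state back out of the link, as the provider would echo it on redirect."""
    return parse_qs(urlparse(link).query)["state"][0]


def demo() -> Dict[str, object]:
    """Authorize Shop A, then Shop B half an hour later; later only A's token needs a refresh."""
    clock = [1_000_000.0]          # controllable clock instead of time.time()
    now = lambda: clock[0]         # noqa: E731
    ep, store = FakeTokenEndpoint(), TokenStore()
    store.handle_callback(state_from_link(store.build_authorize_link("shop-A")), "code-A", ep.exchange, now)
    clock[0] += 1800
    store.handle_callback(state_from_link(store.build_authorize_link("shop-B")), "code-B", ep.exchange, now)
    a1 = store.access_token_for("shop-A", ep.refresh, now)
    b1 = store.access_token_for("shop-B", ep.refresh, now)
    clock[0] += 1800  # Shop A's token is now 3600 s old and gets refreshed; Shop B's is still valid
    a2 = store.access_token_for("shop-A", ep.refresh, now)
    b2 = store.access_token_for("shop-B", ep.refresh, now)
    return {"a1": a1, "b1": b1, "a2": a2, "b2": b2, "locations": sorted(store.tokens)}


if __name__ == "__main__":
    print(demo())
```

The store is keyed by location, which is the point of the "save that in a database" answer: with ten locations there are ten authorizations and ten token sets, and refreshing one of them leaves the others untouched. The `state` value is the defensive detail the thread does not spell out: it binds each callback to the location that requested it and is consumed on first use, so a stray or replayed redirect cannot overwrite another shop's tokens. In a real deployment the `tokens` dictionary becomes a table with the refresh tokens stored encrypted and never written to logs.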