antonypetras
Contributor

This PR adds support for Oracle NetSuite as a provider.

Quirks

  • expires_in returned in non-standard string format
  • id_token not always returned
  • at_hash not constructed correctly
  • introspection response contains scope as an array of strings

After much poking around I decided a new handler for the introspection response was required. Hopefully that is correct 😎

Other fun notes for future readers

  • refresh_token grant only returns an additional refresh token when the client is configured as public in NetSuite and is valid for 3 hours only
  • revoke requires that token is a refresh token and will not work otherwise

Docs
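
The two response-shape quirks listed above (`expires_in` as a string, introspection `scope` as an array of strings), normalized to the shapes RFC 6749 and RFC 7662 describe. This is an added example, not code from this PR or from OpenIddict: `ResponseNormalizer` and its methods are hypothetical, the sample JSON is constructed, and it assumes the non-standard `expires_in` is a string of decimal digits.

```csharp
using System;
using System.Globalization;
using System.Linq;
using System.Text.Json.Nodes;

// Constructed sample responses showing the two quirks; not captured from NetSuite.
var token = JsonNode.Parse(@"{""access_token"":""<placeholder>"",""expires_in"":""3600""}").AsObject();
var introspection = JsonNode.Parse(@"{""active"":true,""scope"":[""scope_a"",""scope_b""]}").AsObject();

ResponseNormalizer.NormalizeExpiresIn(token);
ResponseNormalizer.NormalizeScope(introspection);
Console.WriteLine(token.ToJsonString());
Console.WriteLine(introspection.ToJsonString());

// Hypothetical helper, not an OpenIddict type.
static class ResponseNormalizer
{
    // RFC 6749 gives expires_in as a JSON number of seconds. Assumption: the
    // provider sends the same value as a string of digits. Anything else is
    // rejected instead of being treated as "never expires".
    public static void NormalizeExpiresIn(JsonObject response)
    {
        if (response["expires_in"] is JsonValue value && value.TryGetValue(out string text))
        {
            if (!long.TryParse(text, NumberStyles.None, CultureInfo.InvariantCulture, out var seconds))
                throw new FormatException("expires_in is not a non-negative integer.");
            response["expires_in"] = seconds;
        }
    }

    // RFC 7662 gives scope as one space-separated string. An array of strings
    // is joined into that form; non-string, empty or space-containing entries
    // are rejected so one array entry cannot expand into several scopes.
    public static void NormalizeScope(JsonObject response)
    {
        if (response["scope"] is JsonArray array)
        {
            var scopes = array.Select(item =>
                item is JsonValue v && v.TryGetValue(out string s) && s.Length > 0 && !s.Contains(' ')
                    ? s
                    : throw new FormatException("scope entry is not a single scope string."));
            response["scope"] = string.Join(" ", scopes.ToArray());
        }
    }
}
```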

openiddict

Member

@kevinchalet kevinchalet left a comment

Thanks for your great PR! ❤️

If we can merge it this morning, it will ship as part of the OpenIddict 7.0 release 😃

@kevinchalet
Member

kevinchalet commented Jul 7, 2025

After much poking around I decided a new handler for the introspection response was required. Hopefully that is correct 😎

No, that's perfect! 👍🏻

refresh_token grant only returns an additional refresh token when the client is configured as public in NetSuite and is valid for 3 hours only

Out of curiosity, does that imply that for confidential clients, they don't use refresh tokens at all and issue access tokens that never expire?

@antonypetras
Contributor Author

Thanks for making it so easy to contribute with such good docs.

Out of curiosity, does that imply that for confidential clients, they don't use refresh tokens at all and issue access tokens that never expire?

All access tokens are valid for 60 minutes.

  • For confidential clients your original refresh token is valid for 7 days. Once you use the refresh token once, you get another access token that is valid for 60 minutes (no refresh token) and then you're done.
  • For public clients your refresh tokens are only valid for 3 hours, but you can cycle through refresh tokens forever

NetSuite is one of those systems that logs you out of the UI constantly and I guess they want to pass that on downstream.

@kevinchalet kevinchalet merged commit 4153387 into openiddict:dev Jul 7, 2025
6 checks passed
@kevinchalet
Member

Thanks for making it so easy to contribute with such good docs.

❤️

Once you use the refresh token once, you get another access token that is valid for 60 minutes (no refresh token) and then you're done.

🔫 ... yeah, that's really stupid 😄

Merged, thanks a lot for your PR! And congrats for your first contribution to OpenIddict! 🎉

2 participants