OAuth 1.0 Deprecation – Migrate to OAuth 2.0 by December 17, 2019

NOTE: Due to OAuth 1.0 deprecation, as of 7/15/2020 all OAuth 1.0 apps will no longer be available in your dashboard.

NOTE:  OAuth 1.0 deprecation took place on February 11, 2020.

NOTE: Blog updated to reflect OpenID 2.0 deprecation took place on May 31, 2019.

What is happening?

On December 17th, 2019, Intuit will discontinue all support for OAuth 1.0 and OpenID 2.0 was deprecated on May 31, 2019. After December 17th, 2019, applications will no longer be allowed to make API calls using OAuth 1.0 and no OpenID 2.0 API calls after May 31, 2019.

UPDATE: If you act before May 31, 2019 you will be eligible for a special thank you! All the details are here.

Why is this happening?

We are making this change to keep our QuickBooks Online and QuickBooks Payments customers aligned with industry standards.

What tools are available?

Our OAuth migration libraries and Migration documentation are available to all developers. Plus, all developers that joined before July 2017 can now see tabs for both OAuth 1.0 and OAuth 2.0 keys in their developer accounts.

If your app was created using OAuth 2.0 keys, you will only see OAuth 2 settings, and you will not see the Migration tab in the OAuth 2.0 Playground.

How do I know which type of OAuth I’m using?

See the Authentication and Authorization docs for detailed information about how to determine which version of OAuth and OpenID your apps currently use.

What should I do and when?

If you are affected by this change, please update your application code and your app settings in your developer account:

  • If your app is still under development and you have no connections in Production yet, change your code now to support OAuth 2.0. (It’s easier to implement than OAuth 1.0.)
  • If your app is live and already has connections in Production, start planning your migration to OAuth 2.0 as soon as possible (well before the December 17, 2019 deadline). We recommend that you review the Migration documentation and the migration sections of the OAuth FAQ now, to determine the resources and time you’ll need.
  • If your app supports OpenID 2.0, be sure to also migrate to OpenID Connect.

What happens to my existing OAuth 1.0 tokens? Can I continue to use them?

Your OAuth 1.0 tokens continue to remain valid until December 17, 2019 or earlier based on your token expiration duration. You can continue to maintain OAuth 1.0 connections (and to use OpenID 2.0) while you work on implementing OAuth 2.0 in your app. Additionally, you can use the Migration API to send us your OAuth 1.0 tokens and get corresponding OAuth 2.0 tokens programmatically. At that point, those OAuth 1.0 tokens will continue to work for 30 days, after which they will be invalidated.

Has this requirement been announced before?

About 18 months ago, we announced support for OAuth 2.0. At that time, all new apps started using OAuth 2.0 for authorization, and (if applicable) OpenID Connect for single sign-on authentication.

We updated the developer portal with information about our long-term plan to deprecate OAuth 1.0 and OpenID 2.0. We also started working on a migration plan to help existing developers move from OAuth 1.0 to OAuth 2.0. We launched an OAuth 1.0 to 2.0 migration open beta program to give you an opportunity to use and give us input on our migration tools and processes.

Over the past year, we have provided several OAuth 2.0 libraries, and included modules to migrate OAuth1.0 tokens to OAuth2.0. Most recently, we released libraries in Python and Node.js.

The beta program has been completed, and our migration tools and plan are now in place. We’re asking all developers to move off of OAuth 1.0 by December 17, 2019.

Will there be more deprecations and migrations in the future?

Yes. In September 2018, we deprecated TLS 1.0 and 1.1, and we have deprecated other capabilities over the years. As participants in a technology ecosystem, it’s a good idea to plan ahead so that your integration can evolve alongside Intuit, as we stay aligned with industry practices and consumer expectations.

Here are a few best practices that can help:

  • Follow our blog for early views of upcoming changes to QuickBooks APIs, so that you have plenty of time to prepare for important changes.
  • Verify that the email address in your developer account goes to a monitored inbox, so that you receive important notices in a timely manner.
  • If you outsource your integration to a 3rd-party vendor or contractor, plan your long-term budget to include support for QuickBooks API changes–especially changes related to security, privacy, and adherence to broad industry standards.

I have questions!

Have questions or feedback? Please feel free to comment below or in our developer forums.







5 responses to “OAuth 1.0 Deprecation – Migrate to OAuth 2.0 by December 17, 2019”

  1. Jason Avatar

    Are you able to confirm the timeline for accounts Prior to June 2017? We are already past the mid-Jan timeline you mention above for the OAuth 2 key tab to become available in our accounts yet it has not appeared.

    1. Diana Avatar

      Jason – We enabled OAuth2 tabs for all accounts now. Let us know if you still see issues.

  2. Lisa Tesler Avatar
    Lisa Tesler

    I am having so many problems in doing this migration and the deadline is fast approaching … I need phone support or something to help out … I’ve followed all examples (.NET) and I’ve gotten some success with getting Realm and Auth Code, but once I get AccessTokens and RefreshTokens I only get 401 errors …
    This morning I’m no getting no post backs to my response page, it just sits there in the Intuit page and waits …. PLEASE HELP !! Steve Hill 949-533-3415

  3. Lisa Tesler Avatar
    Lisa Tesler

    Hi there,

    We’re trying to ensure all of our users are aware of the switchover (and that they’ll need to reintegrate). When exactly is the cutoff for the switch, so that we can properly inform them of the change?

  4.  Avatar

    Hi, We are integrated with you and need to update, however, we did not receive notification. Who can I contact to ensure you have the right contacts here? Thank you!

Leave a Reply

Your email address will not be published. Required fields are marked *