Netsuite Connector | OAuth2.0 Workflow

Hey folks,

I am wondering if any other Tulip/Netsuite users have a streamlined an OAuth2.0 request between Netsuite and Tulip?

I have been able to accomplish this connection, but it requires me to manually ‘test’ and confirm regularly


Are there any other Netsuite/Tulip users that this authorization type regularly?
-Looking for some tips to point me in the right direction.

hey @Dave, thanks for posting!!

have you by any chance taken a look at the Netsuite Library App?? Manufacturing Control NetSuite Suite | Operations App Library | Tulip

once you install the App on your Instance, the Connector will also be imported and you can take a look at how @Sagar built the OAuth 2.0 Connector in Connector Details.

hope this helps, but also look forward to hearing how others have solved this!!

Hi Everyone,

With Tulip’s next release (r209), we have added an additional functionality that is required by Netsuite to refresh their access token. Due to this added functionality, Tulip will be able to successfully refresh the access token without users having to go through repeated authentication flow as described in the above post.

As a standard, NetSuite returns a refresh token that expires after 7 days. Tulip does not have any control over the longevity of the refresh token, hence depending on the duration of the refresh token, Tulip will fetch a new access token. Once the refresh token expires, users will have to re-authenticate their connector to get a new set of access & refresh tokens.

Thanks,
Sagar

This is great news. How can I tell which version of Tulip I have? As of today, I am still experiencing regular expiration of the OAuth2 tokens from NetSuite and have to retest the connector to get a new token. That’s obviously not suitable for a production application.
Is there anything special we have to do in our connector setup (or NetSuite integration definition) to leverage the new token refresh ability?

Hey @Lance! I’ll let @Sagar discuss what changes you may need to make to your connector but you’re currently on r209. You can determine this by going to your Account Settings page and looking at the bottom left corner.

Thanks @Grant! Look forward to hearing from @Sagar and getting this working.

Hey @Lance !

We did release an update to our OAuth 2.0 configuration where we send Authentication as a header in the refresh request to refresh the access token. With this, users wouldn’t have to re-authenticate their connector till the refresh token is expired (longevity of refresh token being 7 days).

Following changes would need to be applied on the NetSuite connector:

  1. Navigate to Connector Configuration
  2. Click on “Edit headers”
  3. There will be a toggle for " Send Authentication Header for refresh request", switch the toggle on
  4. Click Test.

I am attaching the screenshot as well

Let us know if you have any questions or concerns.

Thanks,
Sagar

1 Like

Thanks for the guidance. Do you have any screenshots of what the App user will encounter when the token expires and an operation they are trying needs the connector which can no longer authenticate? Is the recommended approach to use basic authentication so that App users do not encounter authentication requests?

@Sagar - I’ve successfully implemented a connector to NetSuite that uses OAuth2. After a period of about 7 days (didn’t measure precisely) the associated trigger fails to ever complete and ultimately locks the entire Tulip App. To resolve the issue I have to go into the connector definition and repeat the test process (reauthorizing through the NetSuite screens).
Is there any way to either:

  1. Recognize the authentication failure in the trigger and respond to it, or
  2. Automatically re-authenticate so no human intervention is required

The observed behavior is intolerable for a shop floor application and if this is a technical limitation I’ll have to consider how we rearchitect to avoid the use of connectors.

@Lance - Thanks for bringing this up. From how you describe it, it looks like your Netsuite connector is configured currently to use OAuth2.0(Admin) vs OAuth2.0(Operator). You can find more details around these modes here.

For OAuth2.0(Admin), in Tulip, you would have to re-authenticate the connector from the connectors page, just like you mentioned above.

Whereas, if you change your connector configuration to OAuth2.0(Operator), operators can re-authenticate the connector from the app itself when the refresh token expires.
Hope this helps.

Thanks,
Sagar

@Sagar - thanks! Looking at the reference you provided it appears that what I’m really after is OAuth2.0(Bearer). From the sound of it, this would allow me to assign a token direction which might (if NetSuite supports it) allow for a non-expiring token to be generated and used. Sounds like this approach could eliminate the need for a user or admin to re-authenticate. Am I understanding this correctly?