The Three-Step TBA Authorization Flow
As of 2019.2, you have the option to use a redirection-based authorization flow with token-based authentication. User credentials are not stored or entered into the application forms. Users enter user credentials into one of the following login forms as a part of the flow:
-
A trusted NetSuite login form.
-
SAML SSO identity provider’s login form
-
OIDC OP provider’s login form.
The redirection-based authorization flow consists of three steps. Click the following links for more detailed information about each step.
-
Step One Obtain An Unauthorized Request Token on the request token URL.
-
Step Two Authorize the Request Token on the user authorization URL.
Any authentication procedure relevant to a user (for example, a second-factor verification step) is included in this step of the authorization flow.
-
Step Three Exchange the Request Token for an Access Token on the access token URL.
With the TBA authorization flow, you begin the process to grant access tokens in your application. The request token URL generates an intermediate (unauthorized) request token. A user, for whom an access token is to be granted, authorizes the request token and explicitly consents that the application can access NetSuite data. If this step succeeds, the application exchanges the request token for an access token to be used when calling a RESTlet or a web service.
The administrator must create integration records for each application. See Create Integration Records for Applications to Use TBA. The administrator must configure the callback URL on the integration record. The underlying application must have the ability to open a browser, and must be able to handle callback URLs.
If the application does not have the ability to open a browser and handle callback URLs, continue using the issuetoken endpoint. If this is the case for your application, see The IssueToken Endpoint and Issue Token and Revoke Token REST Services for Token-based Authentication. A tokeninfo endpoint is also available to provide information about a user based on the access token. See Calling a token endpoint to obtain user information based on a token.