
403 Error received from Xero API on request despite valid credentials


We're experiencing an issue with an integration customer who has not been able to sync using the oauth2 system for two of their three tenants. One of them is syncing correctly and without issue, but the other two return the following:

[403] Client error: GET https://api.xero.com/api.xro/2.0/Accounts resulted in a 403 Forbidden response:
{"Type":null,"Title":"Forbidden","Status":403,"Detail":"AuthenticationUnsuccessful" (truncated...)

Initially we assumed it was a straightforward auth issue; however, their access tokens can be refreshed without error. All three tenants have the same scope settings:

"scope": [
    "email",
    "profile",
    "openid",
    "accounting.settings",
    "accounting.transactions",
    "accounting.contacts",
    "offline_access"
]

And I can confirm that their tenant id is being passed to the SDK method (getAccounts, in this case) properly. Disconnecting and reconnecting did not help.

This seems to be a fairly common issue, but none of the solutions I've found for it apply in our case, as far as I've been able to tell, at any rate.


Solution

  • So we managed to resolve this. As it turns out, the user had disabled our integration from their side (Xero provides the option of revoking authorization from within Xero), giving them the appearance of still being connected to us but no longer having authorization to use the two tenants.

    Something to note (which caused some confusion) is that the access/refresh token authentication with OAuth is separate from the tenant-by-tenant authorization for Xero, which is what allowed us to keep refreshing access without being able to use that access.
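    The distinction the answer draws can be checked programmatically. The following is an added example, not code from the post or from the Xero SDK: it compares the tenant ids an integration stored against the list Xero's `GET https://api.xero.com/connections` endpoint returns (only its `tenantId` field is relied on), and classifies the 403 body quoted in the question so that a revoked tenant connection is reported differently from a bad access token. All sample data is constructed; the closing brace of the truncated 403 body is assumed.

```python
"""Tell a revoked tenant connection apart from an OAuth token problem.

Added example; not from the original post or the Xero PHP SDK. Assumes the
response shape of Xero's /connections endpoint (a JSON list whose items carry
a "tenantId") and the 403 body shown in the question. All data is constructed.
"""
import json

# Constructed: /connections after the user revoked two of three tenants inside
# Xero. Only the surviving connection is listed, yet the app's refresh token
# still works, which is exactly the confusing state the answer describes.
CONNECTIONS_RESPONSE = json.dumps([
    {"id": "conn-1", "tenantId": "tenant-a", "tenantType": "ORGANISATION",
     "tenantName": "Org A (constructed)"},
])

# Constructed: tenant ids stored when the customer first connected.
STORED_TENANT_IDS = ["tenant-a", "tenant-b", "tenant-c"]

# The 403 body from the question; it was truncated there, closing brace assumed.
FORBIDDEN_BODY = ('{"Type":null,"Title":"Forbidden","Status":403,'
                  '"Detail":"AuthenticationUnsuccessful"}')


def revoked_tenants(connections_json: str, stored_ids: list[str]) -> list[str]:
    """Return stored tenant ids that are no longer present in /connections."""
    live = {conn["tenantId"] for conn in json.loads(connections_json)}
    return [tenant for tenant in stored_ids if tenant not in live]


def classify_error(status: int, body: str) -> str:
    """Map an error from a tenant-scoped call to an actionable cause.

    401: the bearer token itself was rejected, so refreshing it is the fix.
    403 with Detail "AuthenticationUnsuccessful": the token is fine but the
    tenant connection is gone; the user must re-authorize that organisation.
    """
    if status == 401:
        return "token_invalid"
    if status == 403:
        try:
            detail = json.loads(body).get("Detail")
        except (json.JSONDecodeError, AttributeError):
            detail = None
        return "tenant_not_authorized" if detail == "AuthenticationUnsuccessful" else "forbidden_other"
    return "other"


if __name__ == "__main__":
    print(revoked_tenants(CONNECTIONS_RESPONSE, STORED_TENANT_IDS))  # ['tenant-b', 'tenant-c']
    print(classify_error(403, FORBIDDEN_BODY))                        # tenant_not_authorized
```

    Calling `/connections` before each sync and alerting on any stored tenant that has dropped out of the list surfaces a user-side revocation immediately, instead of letting it masquerade as a credential problem.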