15.10 External Applications

This ~~vtenext~~functionality ~~function,~~of vtenext, located in Settings > External ~~Applications,~~Applications, allows ~~you~~external services to ~~configure~~connect to the CRM asusing anthe OAuth2 ~~Server,~~authorization ~~enabling other applications to connect directly to vtenext.~~protocol.

Configuration ~~screen~~page for External ~~Applications~~applications

~~So how~~How does it ~~work~~work? ~~exactly?~~External services, here called External Applications, connect to vtenext via REST API, passing a access_token to authenticate. This token is provided by vte via the OAuth2 ~~provides~~protocol, ~~authorization~~using ~~flows~~one ~~that allow external applications to access~~of the ~~CRM~~2 ~~using~~avaialble ~~tokens.~~flows. ~~These~~Let's ~~tokens enable applications to send requests so that the CRM provides the requested data and sends it back to the requesting application. Below is~~see an ~~explanatory image:~~example:

This ~~depicted~~ flow is called Client ~~Credentials.~~Credentials ~~There~~and there are ~~three~~3 ~~parties involved:~~parties:

Application (~~e.g.,~~for aexample ~~Management~~an ~~System)~~
ERP)
Authorization ~~Server (often equivalent to point 3)~~

~~Data~~ Server (in ~~our~~case ~~case,~~of ~~vtenext)~~

vtenext, it's the same as the point 3) Resource Server, the server containing the data to be retrieved (vtenext in this case)

~~In practice,~~Briefly, the Application (~~which~~eg: ~~could~~ERP bereading aInvoices), ~~Management System that needs to read invoices from vtenext) requests an access key (Client ID and Secret Key) from~~asks the Authorization Server tothe ~~access~~Access Token, sending the ~~Data Server. In our example, vtenext generates the key~~ pair (Client ~~ID and~~ID, Secret Key) ~~and~~to ~~provides~~authenticate ~~them~~itself. If the credentials are correct, an Access Token is given to the ~~application,~~Application, ~~which~~that ~~uses~~can ~~them~~be used to ~~request~~retrieve information from vtenext via REST API.

An example of REST API call with access ~~from~~token ~~the~~is:

~~Authorization~~

curl Server-X (whichPOST is'<VTE_URL>/restapi/v1/vtews/query' also\
  vtenext).-H The'Content-Type: Authorizationapplication/json' Server\
  then-H grants'Authorization: theBearer Application<ACCESS_TOKEN>' a\
  Token,-d allowing'{"query":"SELECT it* toFROM read invoices directly from the CRM.Invoice;"}'

The advantage of access tokens is that ~~the~~they ~~access Token has~~have a limited ~~duration,~~time ~~can~~validity be(usually ~~revoked~~1 ~~server-side,~~hour) and ~~enables~~it's ~~controlled~~revokable server side, so it's possible to allow access to ~~applications.~~external ~~Most~~apps ~~importantly,~~in ~~system~~a ~~passwords~~controlled ~~are~~way, ~~not~~without ~~disclosed~~providing ~~or shared. Naturally, when~~them the ~~Token~~main ~~expires,~~password. After the token expiration it's necessary to obtain a new ~~one must be generated by~~one, repeating the ~~above-mentioned~~ procedure.

This flow is recommended for communication between 2 servers, without human intervention after the initial configuration

~~OAuth2 Authorization Code Flow~~

The second ~~type of~~ flow is called ~~OAuth2~~ Authorization ~~Code.~~Code ~~This~~and ~~flow~~it involves an additional ~~element,~~party, ~~which we will identify as~~called the User.

~~Example~~In ~~Scenario:~~

this

~~Let's~~example, ~~assume~~the Application that the application connecting to vtenext this time is Facebook, which needs to read Leads stored in vtenext. However, Facebook is linked to a User who is the requester of this data. This means the user is actually asking Facebookwants to connect to vtenext is, for example, Facebook, that needs to ~~retrieve~~reads the user's Leads.

InThe difference is that it's not Facebook directly that requires this ~~case,~~data, but the ~~User~~user ~~also~~delegates ~~has~~Facebook anto ~~account~~access his own data present in vtenext. The ~~goal~~objective is ~~for~~then to provide Facebook with this data, without giving it the ~~User~~user's full credentials (password) to ~~grant~~the system. So Facebook ~~permission~~will ask the user to ~~read~~obtain ~~Leads~~an ~~from~~authorization ~~vtenext.~~code, ~~This requires authentication from the User on vtenext, which will~~exchanged then ~~respond to~~by Facebook with an ~~OAuth2~~access ~~Authorization~~token, ~~Code.~~used then to retrieve the data. The access token can be used once only, or renewed automatically (if the user granted this type of access).

So, even though Facebook ~~will~~got ~~use this Auth Code~~access to ~~request~~Leads ain ~~temporary Access Token from the Authorization Server, finally allowing~~vte, it tonever read the ~~data~~user ~~from~~password and after the ~~CRM.~~expiration of the access token, it won't have access anymore.

This flow is recommended when the application needs to ask user's permission to access the data.

~~Key~~General ~~Benefits:~~configuration

At the beginning of the page, there are some general settings::

Enable
~~Facebook~~OAuth2 ~~gains~~access: enable or disable globally the use of OAuth2 protocol. If disabled, no external app can use the REST API with an access token (standard authentication via access key is allowed)

Allow users to ~~vtenext~~view ~~Leads~~and ~~but does not store~~change the ~~User'~~secret key of apps associated to them: if active, non admin users can see and modify the secret key for applications linked to their user in the user's ~~credentials.~~ page Allow

~~After~~connections ~~approximately~~with ~~one~~admin ~~hour,~~users: ~~the~~if ~~access~~enabled, ~~expires,~~external ~~keeping~~apps ~~sensitive~~can ~~data~~connect ~~secure.~~

with an admin user

Service Account Configuration

Click on the button ADD on the right

~~Steps to configure a Service Account:~~

Click on the ADD button on the right.
A wizard screen appears to guide the configuration process.
Select the Client Type, choosing between:
- Web or Mobile Application (if access requires user login)
- Service Account (if access occurs in the background between two servers)

To configure a Client Credentials flow, select:

Key Type = Service Account
Secret Type = Secret Key

Additional configuration fields will then appear:

Configuration details:

Name: Assign a descriptive name to the configuration (e.g., connection to a management system).
Client ID & Secret Key: These are auto-generated.
Scope: Define the level of ~~data~~API access (read-only, write-only, or read/write).
User Association: IfAll ~~read/write~~operations ~~access~~done isin ~~chosen, only data belonging to the selected user~~vte will be ~~accessible~~executed ~~(based~~as onthis ~~the~~user. ~~user’s~~Of ~~permissions).~~course, Ifvisibility ~~full~~rules ~~access~~apply isaccording ~~needed,~~to anrole ~~Admin~~and ~~user~~profile ~~should be selected.~~configuration.

By providing the Endpoints, Client ID, and Secret Key to the external system’s technician, the connection can be finalized.

For JWT signed authentication, the Secret Key is not a simple string, but a cryptographic key in PEM or JWK format, generated only after saving the configuration.

Web or Mobile Application Configuration

~~Steps to configure Web or Mobile Application:~~

Click on the ~~ADD~~button ~~button~~ADD, on the ~~right.~~right

~~The~~You ~~wizard~~are ~~screen~~presented ~~appears~~with ~~again.~~

the same wizard,

~~Select~~but this time choose Web or ~~Mobile~~mobile ~~Application~~application. asSo we get the ~~application type.~~following:

Application Type Options:

Web Application: For browser-based applications.
Native or Single Page App: For mobile or native ~~apps.~~apps (same as Web Application, but the OAuth2 flow requires PKCE).

For a Web Application, the configuration follows a similar process to the Service Account setup:

Client ID & Secret Key are generated.
Define the Scope (read-only, write-only, or read/write).

Offline Access:

By enabling Offline Access, ~~instead~~together ~~of expiring after a set duration,~~with the ~~Token~~access ~~remains valid indefinitely. The server will issue~~token, a refresh token, ~~allowing~~is ~~the~~returned, ~~application~~that can be used to ~~renew~~automatically obtain a new access token after its ~~access without requiring user re-authentication.~~expiration.

Redirect URL Configuration:

After logging into vtenext, the User is redirected back to the requesting application (e.g., Facebook).
Access control settings allow restricting access to All Users or Selected Users/Groups.

Authorization Screen Customization:

The authorization request screen (e.g., "Facebook wants to access your vtenext data. Do you authorize?") can be customized with:
- Name
- Description
- Icon

~~Managing~~From ~~Registered~~the ~~Applications~~

settings

~~From~~page, Settings > External Applications, ~~all~~it's possible to see the list of registered applications ~~are~~and ~~listed.~~deactivate them or revoke all the active tokens:

In this list it's possible to see ~~Managing~~Expired ~~Application~~tokens. ~~Access:~~In case of expired tokens the user will have to re-authenticate to obtain new ones. On the right some tools are present:

~~Revoke~~ ~~Access:~~ ~~If, for example, Facebook no longer needs access to vtenext, you can disable access by clicking~~edit the ~~green checkmark in the list.~~configuration
~~Token~~ ~~Expiry:~~revoke ~~Expired~~all ~~or inactive~~access tokens ~~appear in the list. Users must log in again to renew them.~~

~~Available Actions:~~

~~Edit Configuration~~

~~Revoke~~ ~~All~~remove ~~Tokens~~

the external application

~~Delete Configuration~~configuration

Linked Applications in User Preferences

In User Preferences, under Linked Applications, users can view all applications associated with their account.

View Configuration Details: Users can see (but not modify) the configuration unless they are Admins.
Disable or Revoke Tokens: Users can manually revoke ~~application~~access ~~access.~~tokens.