Get owners API throws 403 forbidden

smaity · ‎Aug 29, 2018

Dear group members,
Need your help on this OAuth issue.

We have done integration with hubspot and most users is working, we are mostly interest on contact scope, our hubspot app has following scope:

Basic OAuth functionality
Files

When we authorize and get token we use:
scope=files&optional_scope=contacts

Get owners throws 403 forbidden with this access token, particularly for few users rest is working fine.
API call: https://api.hubapi.com/owners/v2/owners?email=xxxx

Response code:
403 forbidden
Response body:
This oauth-token (******) does not have proper scope group permissions! (requires all of ids [1])","correlationId":"*","requestId":""

Question:
All the users under the account has same access: Contacts, Sales, Marketing.

is there any relations between user's access and application scopes? Could anyone please explain?
Is there any way we can identify that particular user has missing access permission thats why get owners throws 403?

-Thank You

Derek_Gervais · ‎Oct 19, 2018

Hi @smaity,

An important thing to consider here is that integrations are always portal-wide . This means that a single user authorizes an integration, and that integration can then function for the entire portal . The OAuth2 flow should be thought of as installing an app to your portal; one user (an admin) needs to approves the app, and 'install' it to the portal. After that, the integration provides some user-independent functionality to the portal. It's not possible to create user-specific integrations using the HubSpot APIs, so there shouldn't ever be situations where more than one user needs to complete the OAuth2 flow for a single portal.

Knowing this, there shouldn't be a scenario where you're having multiple HubSpot users authorizing an integration. Only a single user needs to approve the integration. If that user is a Super Admin, they should be able to successfully approve the integration, and the resulting credentials can be used for all requests to the portal.

smaity · ‎Oct 19, 2018

Thank You, Derek,
We understood what you mention but still have more question on that matter.
I have 2 users both are non admin under same portal (4099090)
user1: subhendu.maity@vonage.com

user2: subhendu.maiti@gmail.com

When user1 login OAuth flow show permission to access contact scope, but for user2 permission to access contact scope is not there.
What is the difference between these 2 users and showing different permission scope?

Derek_Gervais · ‎Sep 20, 2018

Hi @smaity,

The portal you linked to is a Marketing/CRM Free portal; this is a known issue (see below).

smaity · ‎Oct 15, 2018

Hi Derek,
We just little bit puzzled why one user is getting 403 for get owners and others dont for same portalid/account.
As you said, Super Admin authorize your integration should solve this problem. How we do that in this scenario?
Here is an example, what we suspect is wrong during oAuth.
Good User: TM

Bad User(got 403 on get owners):

Please let me understand correctly what your solution mean by "Super Admin authorize your integration" in this scenario.
-Thank You

smaity · ‎Sep 20, 2018

Hi Derek,
Thanks a lot for your response!
do you mean the user who is getting 403 he must have Super admin access?
Here is 2 example user under same portal, user1 is getting 403 but user2 is fine.
My question is why some user is working fine and few users are getting 403 for same portal?

Derek_Gervais · ‎Sep 11, 2018

Hi @smaity,

Can you give me the Hub ID of the portal in question? If you anticipate always needing access to the Owners API, I'd recommend making the contacts scope required.

smaity · ‎Sep 11, 2018

Hi Derek,
Thank You for looking into this issue.

Hub Id: 4099090
Under this hub id, most users can access owners API but some users not, even though they have identical permissions.

As free (non enterprise) user may not have access on contact scope and we dont have control their access/permissions, thats the reason we dont wanted to keepcontacts scope required.

initially we had contacts as required scope, then we face issue with few users were getting scope mismatch issue hence we move contacts scope optional.

Much appreciate if you can provide some detail guidance for this issue.

-Thank You

APIs & Integrations