How to create an access token from within an Azure Function


#1

I'm new to the HubSpot API and I'm having a hard time with the most basic of things, authentication. I currently have 2 Azure Functions running in my environment. The first is a simple WebHook that's registered in HubSpot. The app triggers my webhook whenever the appropriately defined subscription is hit. That all works. My second trigger pulls the newly created queue item and I want to use the Id stored from HubSpot to pull in additional fields, like email if a contact, etc... Anyway, I can't seem to properly format my HttpClient object because I keep getting errors galore.

I then went to Postman and tested the entire process there. After finally resolving the BAD_REDIRECT_URI problem that kept persisting, I was able to create a code from my HubSpot Client Id, Client Secret, Redirect Uri, and of course setting the grant_type=authorization_code. I then in turn used the returned code to successfully create an access_token and a refresh_token. So I know it all works as a 2 step process. However, I can't seem to yield the same results in my Azure Function.

Is there anyone out there that can help me using C# and Azure? I read somewhere on this site that HubSpot actually states to just use the HAPIkey instead of the Client Id and Client Secret, while some have stated that this isn't possible when trying to access some parts of the API....help?


#2

Hi @LastExile,

While I'm not particularly familiar with Azure, at a high level the authentication process is the same regardless of your implementation. During which part of the process are you running into issues?


#3

Thanks for the reply. I'm not sure I'm doing this correctly. I'm trying to interact with the HubSpot Api via an Azure Function, or Microservice. I realize that the authentication process using the Client Id and Client Secret is a 2 step process.

  1. Initiate a request: https://app.hubspot.com/oauth/authorize?client_id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx&scope=contacts%20automation&redirect_uri=https://www.example.com/

The user or I have to authenticate; the redirect URL is the authenticated URL and must be referenced in call number 2. Call number 2 for me works just fine now that I've figured out how to format it correctly, but it requires that I have the code from my initial request. However, again, since it's a cloud-based service with no user interaction, I'm not sure how to hijack the redirect in order to correctly obtain a newly minted code that I can in turn assemble into request 2 for obtaining a valid access token.

  // Step 2 of the flow: exchange the authorization code for tokens.
  // Requires: using System.Collections.Generic; using System.Net.Http; using Newtonsoft.Json;
  // clientId, clientSecret, baseUrl, authString, httpClient and log are defined elsewhere in the function.
  var grant_type = "authorization_code";
  var redirect_uri = "https://app.hubspot.com/somesite"; // referenced again here, as in request 1
  var formContent = new FormUrlEncodedContent(new[] {
      new KeyValuePair<string, string>("grant_type", grant_type),
      new KeyValuePair<string, string>("client_id", clientId),
      new KeyValuePair<string, string>("client_secret", clientSecret),
      new KeyValuePair<string, string>("redirect_uri", redirect_uri),
      new KeyValuePair<string, string>("code", "[Auth Code From Step 1]")
  });
  var response = await httpClient.PostAsync(baseUrl + authString, formContent);
  var content = await response.Content.ReadAsStringAsync();

  // Log only the outcome; the response body carries the tokens.
  if (response.IsSuccessStatusCode) {
    log.Info("Success");
  } else {
    log.Info("Failure");
  }

  object responseData = JsonConvert.DeserializeObject(content);

  if (responseData != null) { // return the Access Token.
    AccessToken = ((dynamic)responseData).access_token;
  }

I heard that I was supposed to just use the HAPIkey instead but then read that using the HAPIkey doesn't give you access to everything. I understand the process that has to take place but I'm new to HubSpot and new to accessing an Api via a Microservice. I was hoping you could help me out with the correct process for cloud hosted related authentication using the client id/secret method if possible.


#4

Hi @LastExile,

I understand; this is a fairly common problem for folks first getting started with our OAuth flow. The key thing to remember is that the authorization flow will always require an initial user interaction, no matter what the integration actually does. The authorization flow is conceptually similar to installing an app on your phone:

  1. First, you initiate the auth flow:
    • In our phone app example, this occurs when a user clicks 'Install' in the app store
    • When authorizing a HubSpot integration, this occurs when a user navigates to your authorization URL
  2. Next, the user needs to approve the permissions that the app is requesting
    • In our phone app example, this occurs when the user is presented with the permissions the app needs & clicks 'Confirm'
    • When authorizing a HubSpot integration, this occurs when a user selects their portal and approves the scopes
  3. Finally, the installation process is complete, and the user is redirected to the app (in our phone app example) or to a redirect_uri (when authorizing a HubSpot integration). The user can now use the app.
    • In our phone app example, the app now has the permissions it requested and can function normally. With regard to authentication, the app does not need any further user interaction.
    • When authorizing a HubSpot integration, the user is redirected to the redirect_uri. The integration now has everything it needs to obtain access/refresh tokens, and no longer needs any user input to function.

Both Hapikey and OAuth authentication require some user intervention in order to start. If using hapikey authentication, a user needs to actually give you their hapikey. With OAuth, the user must complete the installation flow. After this initial interaction however, neither authentication requires user intervention.

The following article digs a bit deeper into how exactly this flow works; the HubSpot OAuth flow is the Authorization Code Flow:
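
Added example, not part of the original thread and not HubSpot's own code: once the one-time interactive install has produced a refresh_token (as in the Postman test described in post #1), an Azure Function can mint access tokens unattended with the standard OAuth 2.0 `refresh_token` grant. The class name, the `HUBSPOT_*` app setting names, the token endpoint URL and the `expires_in` response field are assumptions; secrets are read from app settings rather than hard-coded.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

// Added example; class name, setting names and TokenUrl are assumptions.
public static class HubSpotTokenProvider
{
    private const string TokenUrl = "https://api.hubapi.com/oauth/v1/token"; // assumed endpoint
    private static readonly HttpClient Http = new HttpClient();
    private static readonly SemaphoreSlim Gate = new SemaphoreSlim(1, 1);
    private static string _accessToken;
    private static DateTimeOffset _expiresAt = DateTimeOffset.MinValue;

    public static async Task<string> GetAccessTokenAsync()
    {
        await Gate.WaitAsync(); // one refresh at a time across concurrent invocations
        try
        {
            // Reuse the cached token until one minute before it expires.
            if (_accessToken != null && DateTimeOffset.UtcNow.AddMinutes(1) < _expiresAt)
                return _accessToken;

            var form = new FormUrlEncodedContent(new Dictionary<string, string>
            {
                ["grant_type"] = "refresh_token",
                ["client_id"] = Setting("HUBSPOT_CLIENT_ID"),
                ["client_secret"] = Setting("HUBSPOT_CLIENT_SECRET"),
                ["refresh_token"] = Setting("HUBSPOT_REFRESH_TOKEN")
            });
            using (var response = await Http.PostAsync(TokenUrl, form))
            {
                var body = await response.Content.ReadAsStringAsync();
                if (!response.IsSuccessStatusCode) // report status only; the body and settings are secrets
                    throw new InvalidOperationException("Token refresh failed: HTTP " + (int)response.StatusCode);
                var json = JObject.Parse(body);
                _accessToken = (string)json["access_token"] ?? throw new InvalidOperationException("No access_token in response");
                _expiresAt = DateTimeOffset.UtcNow.AddSeconds(json.Value<int?>("expires_in") ?? 0);
                return _accessToken;
            }
        }
        finally { Gate.Release(); }
    }

    private static string Setting(string name) =>
        Environment.GetEnvironmentVariable(name)
        ?? throw new InvalidOperationException("Missing app setting " + name);
}
```

The queue-triggered function would call `await HubSpotTokenProvider.GetAccessTokenAsync()` and send the result in an `Authorization: Bearer` header.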