Issue with OAuth Scopes

stevenlu · 2018-07-09 16:32:50 UTC

We're having a plethora of users experiencing OAuth connection issues because they do not have the proper permissions to authenticate.

"You do not have the correct role to grant these permissions. Please contact your administrator"

Before, as long as you had all permissions to "contacts" you were able to connect. It now only seems that super admins can connect.

Is this intended behavior?

ar-hz · 2018-07-12 13:34:08 UTC

experiencing the same issue as well.

Derek_Gervais · 2018-07-20 19:37:16 UTC

Hi @stevenlu and @ar-hz,

Couple things here:

A user needs full read/write permissions for all contacts; does the user in question have this? Often folks have full read/write permissions to contacts they own, which can cause some confusion.
Make sure the user in question has lists permissions as well. This permission is listed under the marketing tab in the user permissions screen, which means it's often missed.
There's currently a known issue with the contacts scope where certain app/portal combinations cannot be approved unless the user is a super admin. If you've checked the above and you're still experiencing issues, this might be the problem. The most immediate solution while this issue persists is to have a super admin approve the integration instead.

Feel free to reach back out with the Hub ID(s) and user names of the affected portals if you want me to investigate whether or not the portals are affected by the known issue I mentioned above.

stevenlu · 2019-01-15 20:18:04 UTC

@Derek_Gervais,

The issue still persists for some hubs including our test one.

Hub ID: 3804916
User: tacticalazn@gmail.com

The user has full access to all of the contacts, has list permissions and the super admin has also added/approved the integration.

Isaac_Takushi · 2019-01-23 16:50:22 UTC

Apologies for the delayed response, @stevenlu.

If this account's super admin has already connected the app, then where/why is the tacticalazn@gmail.com user experiencing this error?

I've only ever encountered that error in the OAuth connection flow, so if the app has been successfully connected, a non-super admin shouldn't have to touch it.

stevenlu · 2019-01-25 16:18:39 UTC

Hey Isaac,

We require all of our users to connect their own HubSpot account to their own Interseller account. It helps assign the lead ownership associations when leads are sourced from Interseller.

Isaac_Takushi · 2019-01-28 21:43:53 UTC

Thanks for clarifying, @stevenlu.

It sounds like you're trying to have each user authenticate the Interseller app, however OAuth app's are installed account/portal-wide.

Per this post, a single user (in this case a super admin) authenticates the app and it then functions for all users. It's currently not possible to create user-specific apps via the HubSpot APIs or have individual users authenticate an app that has already been connected by a user in the account.