OAuth2 error - you do not have correct role to grant these permissions

contacts

#1

Hello,

We are encountering issues with the OAuth flow when trying to authorize for the scope contacts:

The user that's trying to authorize has the necessary permissions, but OAuth refuses its access. Can you please help us with this issue?

APP ID: 57457
Hubspot ID: 2697014

Thanks!


#2

This is a commonly misunderstood error when it comes to OAuth2 and HS integrations. I am only now starting to fully understand why this happens after speaking with HS devs for the past 3 days.

You might notice that a Super Administrator of a portal can successfully connect to your integration and an admin or regular user with the right permissions would receive this error.

That's because Super Admins can install any app into any portal, no matter the scope requirements.
However, if the portal doesn't support one of your scopes, then any user other than a Super Admin will receive this error.

Here's an example:

  • My integration requires the content scope
  • A super admin of a HubSpot free plan can successfully Auth into my integration, even though HubSpot free accounts don't come with Landing Pages or Websites. This should make the scope permissions invalid for a super administrator, but it doesn't... they can connect anyway because scopes are ignored at the super admin level
  • Next, a user of the same portal with ALL permissions turned on, but not a super admin, will reach this error. This is because the scopes are failing: the portal configuration doesn't allow for the content scope

Bottom line is: Super Admin can install any integration they want, without worrying about scope. Any other user needs to have the correct scope.

It's important to remember that just because all the permissions of a user are turned on to give them access, doesn't mean they have the right scopes. The portal configuration needs to be considered as well.

tim@belch.io


#3

So we end up rewriting our integration for Hubspot users. Let's say a team wants to integrate their Hubspot with our app. We ask their Hubspot super admin to do the OAuth for the whole team in our app. Then everyone in the team inside our app will use the same auth token and refresh token from the super admin. This is our solution for Hubspot, and it is very different from Salesforce OAuth. For Salesforce OAuth, we allow anyone in the team to do the OAuth themselves and we use their own token to talk to Salesforce APIs.


#4

You're absolutely right @Angelo_H - I left that part out of the post to prevent information overload but, you rewrote the integration the way HS intends you to do it.

The mistake a lot of us are making is that we assume the OAuth is supposed to behave like a "Single Sign-on", which just isn't the case. They expect you to have your own authentication system and method of linking multiple users to a single portal, then use the Super Administrator's tokens to go back and forth from/to the API.

I'm not entirely convinced yet about doing a rewrite to accommodate this behavior for our integration, but I am starting to lean that way unless they give us a little bit of hope that this could be treated more like a single sign-on. For us, we don't have any other authorization process in place other than the HS OAuth, so it's a really big feature we will have to build out. (Meaning, login with your HubSpot account, or else you can't use our integration at all)


#5

Thanks for your answer Tim!

There is just one thing that doesn't really make sense in that situation: the users encountering this error during OAuth do have the necessary rights to consult and update contacts when they're using the Hubspot GUI. How come they aren't able to obtain the same permissions using OAuth? Would that be related to the app configuration rather than to the portal configuration?

Nikola


#6

Hello again,

Could someone from Hubspot clarify this situation please? When we contacted support, it was suggested that we write to the forum, but we are still unable to understand what is happening...

Thanks!


#7

Hi Hubspot Developers,

I am also very interested in getting an answer to this. Do you have any input?

Thanks!

Elin


#8

Hi all,

There are a couple things to consider here. Tim did a great job breaking down how the integration installation process works, but there are a few caveats I want to address here:

  1. The existing OAuth system is not designed to act as a user-level auth process, nor is it intended to provide an authentication system for an external app. The system is intended to allow a single user to approve an app for an entire portal. I'll cover some additional details below.
  2. There is an ongoing issue that affects Marketing/CRM Free portals where only Super Admins are able to approve the contacts scope. Users in Marketing/CRM Free portals with all the appropriate permissions in-app will currently not be able to approve the contacts scope because of this issue. This may or may not play a role in the individual issues you're seeing (specifically, situations where it appears that a user has all the right scopes).
  3. The only way for me (or another HubSpotter) to effectively diagnose why the OAuth flow is failing is if we receive the following information:
    • The scopes the integration is requesting in the authorization URL (not the scopes checked off in your developer portal)
    • The Hub ID of the portal where the app is being installed
    • The email/userId of the user completing the installation flow
  4. Without the above information, it's extremely difficult to diagnose why a particular authorization failed. Because the authorization flow should only be occurring once per portal, it's almost always easier to direct a user to have a Super Admin install the integration. Once the auth flow is completed, the resulting refresh/access tokens can be used to authenticate all requests being made for that portal.
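
The portal-level pattern described in #3 and in item 4 above (one Super Admin completes the flow, and every team member in your own app is linked to that portal's tokens), together with the point in item 3 that the scopes that matter are the ones in the authorization URL, as an added example. This is illustrative code written for this thread, not HubSpot's SDK and not any poster's integration. It assumes HubSpot's authorize endpoint is `https://app.hubspot.com/oauth/authorize` and its token endpoint is `https://api.hubapi.com/oauth/v1/token` returning `access_token`, `refresh_token` and `expires_in`; the client id, redirect URI, Hub ID and user emails below are constructed placeholders, and the actual HTTP call is injected as a callable so the module runs offline.

```python
"""Portal-level OAuth token handling for a HubSpot-style integration.

Added example for this thread; not HubSpot's code. Endpoint URLs and the
token-response shape are assumptions stated in the lead-in.
"""
from __future__ import annotations

import time
from dataclasses import dataclass
from typing import Callable, Dict, List
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed endpoints (not taken from the thread).
AUTHORIZE_URL = "https://app.hubspot.com/oauth/authorize"
TOKEN_URL = "https://api.hubapi.com/oauth/v1/token"


def build_authorize_url(client_id: str, redirect_uri: str,
                        scopes: List[str], state: str) -> str:
    """Build the URL the Super Admin is sent to. The scopes placed here are
    what the portal is asked to approve (item 3 above), regardless of what
    is ticked in the developer portal."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "scope": " ".join(scopes), "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def requested_scopes(authorize_url: str) -> List[str]:
    """Recover the scope list from an authorization URL, which is the first
    thing to capture when reporting a failed install (item 3 above)."""
    query = parse_qs(urlparse(authorize_url).query)
    return query.get("scope", [""])[0].split()


def refresh_request_body(client_id: str, client_secret: str,
                         refresh_token: str) -> Dict[str, str]:
    """Form body POSTed to TOKEN_URL to exchange a refresh token (assumed
    standard refresh_token grant)."""
    return {"grant_type": "refresh_token", "client_id": client_id,
            "client_secret": client_secret, "refresh_token": refresh_token}


@dataclass
class PortalTokens:
    access_token: str
    refresh_token: str
    expires_at: float  # absolute epoch seconds


class PortalTokenStore:
    """One token set per Hub ID, installed once by a Super Admin and reused
    by every app user linked to that portal (the model in #3 and item 4)."""

    REFRESH_MARGIN = 60  # seconds before expiry at which we refresh early

    def __init__(self, refresh: Callable[[str], dict],
                 now: Callable[[], float] = time.time) -> None:
        self._refresh = refresh      # performs the refresh_token exchange
        self._now = now
        self._tokens: Dict[int, PortalTokens] = {}
        self._user_portal: Dict[str, int] = {}   # your own user -> hub_id link

    def install(self, hub_id: int, token_response: dict) -> None:
        """Store the tokens returned by the code/refresh exchange for a portal."""
        self._tokens[hub_id] = PortalTokens(
            access_token=token_response["access_token"],
            refresh_token=token_response["refresh_token"],
            expires_at=self._now() + float(token_response["expires_in"]),
        )

    def link_user(self, user_email: str, hub_id: int) -> None:
        """Associate a user of your app with a portal; this is the linking
        step the OAuth flow itself does not provide."""
        self._user_portal[user_email] = hub_id

    def access_token_for_portal(self, hub_id: int) -> str:
        tokens = self._tokens.get(hub_id)
        if tokens is None:
            raise LookupError(
                f"portal {hub_id} is not installed; a Super Admin must "
                "complete the OAuth flow once")
        if tokens.expires_at - self._now() < self.REFRESH_MARGIN:
            # Refresh ahead of expiry; HubSpot-style responses return a
            # refresh_token alongside the new access_token (assumption).
            self.install(hub_id, self._refresh(tokens.refresh_token))
            tokens = self._tokens[hub_id]
        return tokens.access_token

    def access_token_for_user(self, user_email: str) -> str:
        """Resolve any linked team member to the shared portal token."""
        hub_id = self._user_portal.get(user_email)
        if hub_id is None:
            raise LookupError(f"{user_email} is not linked to any portal")
        return self.access_token_for_portal(hub_id)
```

Because the refresh exchange is injected, the same class can be driven by a real HTTP client in production (`lambda rt: requests.post(TOKEN_URL, data=refresh_request_body(...)).json()`) and by a stub in tests; storing tokens per Hub ID rather than per user is what keeps a single Super Admin install sufficient for the whole team.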

#9

Hello Derek,

Thanks for that additional explanation; the behavior we are experiencing is exactly what you are describing in point 2.

I will get all the details required for diagnosing the problem, but at least we understand what exactly is going on.