APIs & Integrations

Search APIs & Integrations for solutions or ask a question
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Derek_Gervais
HubSpot Alumni

‎Mar 5, 2018 4:43 PM

HubSpot Alumni

OAuth2 redirect URI can now be served over http if the host is localhost

What’s happening?

Beginning immediately, HubSpot will allow a redirect URI to be served over http in an OAuth2 redirect flow if the host is localhost. This change allows for faster and more lightweight testing with OAuth2, eliminating the need for self-signed certificates. This change is intended for local development and testing; apps in production must continue to serve their redirect URI over https.

When is this happening?

HubSpot will begin allowing http redirect URIs from localhost immediately. All other hosts will continue to require a redirect URI served over https.

Please don't hesitate to post in this topic with any questions or concerns regarding this change!

Announcements
2 Replies 2
Greg_Blass

‎Sep 27, 2018 7:15 PM

Member

OAuth2 redirect URI can now be served over http if the host is localhost

Hey there. I use subdomains in several multi-tenant applications that I'm developing to scope customer/user accounts (like basecamp). So in development, I need to be able to send the user back to company-a.localhost, company-b.localhost, company-c.localhost, etc.

HubSpot still throws the 'redirect_uri must use https for security reasons' error if you put any type of subdomain in there.

You should allow subdomains in the redirect uri for localhost/http.

You should also consider allowing for lvh.me as well - its an alias for localhost that developers use when developing multi-tenant applications that use subdomains.

But mainly just allow for the subdomain to be present.

0 Upvotes
Greg_Blass

‎Sep 27, 2018 10:44 PM

Member

OAuth2 redirect URI can now be served over http if the host is localhost

Here's the workaround I had to do. If anyone has a multi-tenant Rails application, this should do the trick for you (in routes.rb):

  # Hubspot doesn't allow subdomains in http/localhost whitelist redirect uri
  # So as a workaround, we pass the subdomain as a parameter instead
  unless Rails.env.production?
    get 'hubspot/authorize_dev/:subdomain/', 
      to: redirect { |params, request|
        "http://#{params[:subdomain]}.lvh.me:3000/hubspot/authorize/?code=#{params[:code]}&error=#{params[:error]}"
      }
  end
  
  get 'hubspot/authorize', to: 'hubspot#authorize', as: 'authorize_hubspot'
0 Upvotes
Sunny

Sign up for the Developer Newsletter

Fresh content delivered to your inbox every month.
OAuth2 redirect URI can now be served over http if the host is localhost
Developers
Sep 27, 2018