OAuth2 redirect URI can now be served over http if the host is localhost

oauth

#1

What’s happening?

Beginning immediately, HubSpot will allow a redirect URI to be served over http in an OAuth2 redirect flow if the host is localhost. This change allows for faster and more lightweight testing with OAuth2, eliminating the need for self-signed certificates. This change is intended for local development and testing; apps in production must continue to serve their redirect URI over https.

When is this happening?

HubSpot will begin allowing http redirect URIs from localhost immediately. All other hosts will continue to require a redirect URI served over https.

Please don't hesitate to post in this topic with any questions or concerns regarding this change!


OAuth testing on localhost results in "redirect_uri must use https"
#2

Hey there. I use subdomains in several multi-tenant applications that I'm developing to scope customer/user accounts (like basecamp). So in development, I need to be able to send the user back to company-a.localhost, company-b.localhost, company-c.localhost, etc.

HubSpot still throws the 'redirect_uri must use https for security reasons' error if you put any type of subdomain in there.

You should allow subdomains in the redirect uri for localhost/http.

You should also consider allowing for lvh.me as well - its an alias for localhost that developers use when developing multi-tenant applications that use subdomains.

But mainly just allow for the subdomain to be present.


#3

Here's the workaround I had to do. If anyone has a multi-tenant Rails application, this should do the trick for you (in routes.rb):

  # Hubspot doesn't allow subdomains in http/localhost whitelist redirect uri
  # So as a workaround, we pass the subdomain as a parameter instead
  unless Rails.env.production?
    get 'hubspot/authorize_dev/:subdomain/', 
      to: redirect { |params, request|
        "http://#{params[:subdomain]}.lvh.me:3000/hubspot/authorize/?code=#{params[:code]}&error=#{params[:error]}"
      }
  end
  
  get 'hubspot/authorize', to: 'hubspot#authorize', as: 'authorize_hubspot'