Optional Scopes and "You do not have the correct role to grant these permissions."

oauth

#10

@mattstitch Just out of curiosity does it work if you remove it from the call? The state is not a supported parameter on our calls.


#11

@pmanca I believe removing the state query param has no effect.

https://app.hubspot.com/oauth/<portalid>/authorize?client_id=<reacted>optional_scope=content%20reports%20automation%20forms&redirect_uri=<callback-url>&scope=contacts

^ that URL still results in

Uh oh!
Insufficient scopes were provided. Please contact the integrator.


#12

@mattstitch Can you print out the full error from the console?


#13

@pmanca No problem. When attempting to authenticate our HubSpot app through a test portal, our application directs a user to:

https://app.hubspot.com/oauth/<portal-id>/authorize?client_id=<client-id>&optional_scope=content%20reports%20automation%20forms&redirect_uri=<callback-url>&scope=contacts

On that page, I believe this failing XHR is the important one – a POST request to

https://api.hubapi.com/oauth/v1/application-authorizations?portalId=<portal-id>&clienttimeout=7000

which returns a 400 with this response body:

{
  "status": "MISSING_SCOPE_GROUP",
  "message": "client requires more scopes",
  "correlationId": "dbcbe0ab-1bf3-4ed8-be38-1e9dce75f302",
  "requestId": "65a70a56b5e5b21931fd40f340e0aa76"
}

Here is the POST body:

{
  "clientId": "<client-id>",
  "hubId": <portal-id>,
  "optionalScopes": [
    "content",
    "reports",
    "automation",
    "forms"
  ],
  "redirectUri": "<callback-url>",
  "responseType": "code",
  "scopes": [
    "contacts"
  ]
}

It looks like the query parameters from the initial request are being properly ferried to the /application-authorizations endpoint. It’s not clear what additional scopes are required – the only one I required (contacts) was the only non-Marketing one.


#14

@mattstitch If you check any of the below scopes then they need to be required scopes. Your requests are correct but you might need to change your app settings. Any optional_scopes must be handled in your code and not through the app.

Your code is asking it as an optional scope but your app settings are overriding it as a required scope.


#15

@pmanca Ah, I think I finally understand. Our HubSpot app settings need to define the minimum set of scopes that our app requires. The optional_scope param can be used to request additional scopes. I don’t think I realized that the app settings needed to match the scope param in the OAuth authorization URL.

Concretely, our app settings should only have Contacts checked, and then our users will authorize our app at this URL:

https://app.hubspot.com/oauth/<portal-id>/authorize?client_id=<client-id>&optional_scope=content%20reports%20automation%20forms&redirect_uri=<callback-url>&scope=contacts

which will give us permission to access the optional scopes as well: Content, Reports, Automation, and Forms. If the user’s HubSpot portal does not support any of those optional scopes, our app will of course not be able to access those resources, but for Marketing HubSpot users, our app will have access.

Am I understanding correctly?


#16

@mattstitch Yes, that sounds correct to me. Let me know if that works, please.


#17

@pmanca That appears to have worked – I was able to successfully authorize the app with a non-Marketing HubSpot portal. Thanks for your patience in clarifying that issue for me and my team.
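
A pre-flight check for the rule worked out in posts #14 to #17, as an added example that is not part of the original thread and is not HubSpot's code: every scope ticked in the app settings has to appear in `scope`, and only additional scopes go in `optional_scope`. The function names, the portal id 12345, `CLIENT_ID` and the example.com callback are constructed, and the list of ticked scopes is supplied by the caller, since the thread shows no API for reading it.

```python
from urllib.parse import parse_qs, quote, urlencode, urlsplit

AUTHORIZE = "https://app.hubspot.com/oauth/{portal_id}/authorize"  # URL shape from the thread


def check_scopes(settings_scopes, required, optional):
    """Compare the scopes ticked in the app settings with one authorize request.
    Returns a list of problems; an empty list means the request is consistent."""
    settings, required, optional = set(settings_scopes), set(required), set(optional)
    problems = []
    for s in sorted((settings & optional) - required):
        problems.append(f"{s}: ticked in app settings, so it belongs in scope, not optional_scope")
    for s in sorted(settings - required - optional):
        problems.append(f"{s}: ticked in app settings but missing from scope")
    return problems


def audit_authorize_url(url, settings_scopes):
    """Parse an existing authorize URL and run the same check on it."""
    query = parse_qs(urlsplit(url).query)  # %20-separated scopes decode to spaces
    required = query.get("scope", [""])[0].split()
    optional = query.get("optional_scope", [""])[0].split()
    return check_scopes(settings_scopes, required, optional)


def build_authorize_url(portal_id, client_id, redirect_uri, settings_scopes, required, optional=()):
    """Build the authorize URL, refusing to emit one that contradicts the app settings."""
    problems = check_scopes(settings_scopes, required, optional)
    if problems:
        raise ValueError("; ".join(problems))
    params = {"client_id": client_id}
    if optional:
        params["optional_scope"] = " ".join(optional)
    params["redirect_uri"] = redirect_uri
    params["scope"] = " ".join(required)
    return AUTHORIZE.format(portal_id=portal_id) + "?" + urlencode(params, quote_via=quote)


# Constructed sample: the request from the thread with placeholder ids.
SAMPLE_URL = ("https://app.hubspot.com/oauth/12345/authorize?client_id=CLIENT_ID"
              "&optional_scope=content%20reports%20automation%20forms"
              "&redirect_uri=https%3A%2F%2Fexample.com%2Fcallback&scope=contacts")

if __name__ == "__main__":
    # Assumed app settings at the time the request failed (implied by post #14).
    print(audit_authorize_url(SAMPLE_URL, ["contacts", "content", "reports", "automation", "forms"]))
    # App settings after the fix described in post #15: only Contacts ticked.
    print(audit_authorize_url(SAMPLE_URL, ["contacts"]))
```

Running the audit in CI against the URL the application actually emits catches the settings mismatch before a user reaches the authorization page.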


#18

I am having a similar problem with a customer’s account (I don’t have direct access). Our app requests “content”, “reports”, “social”, “automation”, “forms” as required scopes and “contacts”, “timeline”, “files” as optional scopes. All the scopes are requested via the OAuth call and not through settings (all the scopes are unchecked in settings).

This worked with the demo account and our own accounts, but when a marketing-only account tries to go through the OAuth flow the customer is getting “you do not have the correct role to grant these permissions”.

Where do we go from here to fix the problem?


#19

@Ka-Hing_Cheung That error might be occurring if the person trying to install the app does not have administrator permissions on the portal to do so. That sounds more like a permissions issue than a scope issue.


#20

Where is that permission set up? The user is both “marketing administrator” and “account administrator”. In the other instance the user is just “marketer”.


#21

@Ka-Hing_Cheung It is in the portal settings under the roles and users.


#22

Could you be more specific? Like I said, one of the accounts is “marketing administrator” and “account administrator” already.


#23

Is the portal you are trying to install it into a Pro or Enterprise portal? As they would need workflows for the automation scope.


#24

This is from our customers so I don’t know the answer to that, but I can ask. Could you tell me where they would see if they have “workflows for the automation scope”?


#25

@Ka-Hing_Cheung You need to figure out if they have the Pro or Enterprise version of HubSpot.


#26

Hi,

I’m trying to get OAuth to work with my Enterprise level portal. This is the URL I’m using but it always returns the error ‘Insufficient scopes were provided’.
In the app, every scope is ticked bar ‘social’.

Can anyone see what I’m doing wrong?

https://app.hubspot.com/oauth/authorize?client_id=CLIENTID&scope=contacts%20content%20reports%20automation%20timeline%20forms%20files%20hubdb%20transactional-email&redirect_uri=https://www.hubspot.com

#27

Hi @pmanca ,

I am the Super Admin for my test portal which is a Sales Free and Marketing Enterprise.

I am trying to install a custom integration and provided all the scopes which were selected in the app's details page.

https://app.hubspot.com/oauth/authorize?client_id=xxxxx-xxxx-xxx-xxxx-xxxx&scope=content%20forms%20automation%20hubdb%20transactional-email%20contacts%20reports%20social%20timeline%20files&redirect_uri=https://www.yyy.com

I ended up with: Uh oh! You do not have the correct role to grant these permissions. Please contact your administrator.


#28

@Vamsivinay119 Does the portal you are installing this into have all of the products that you are requesting access to? You could be an admin, but if your portal doesn't have workflows then it will throw an error when you try to install an app that is requesting access to it.


#29

Hi @pmanca This issue is solved. I figured out the scopes needed and it worked. Thanks.