Permissions Error when using API - Campaign

oauth

#1

Hi,

We are receiving the below error when we attempt to retrieve some information from the campaign entity in Hubspot Marketing to display in our MSDCRM system. We are using KingswaySoft as an integration connector.

The issue appears to be with permissions, but the user in question is a ‘superadmin’. We have tested the functionality on the public test account and it works fine there, so we have concluded that there is a permissions issue in our portal.

Can you please advise?

[HubSpot Source [2]] Error: An error occurred with the following error message: "rhj: The remote server returned an error: (403) Forbidden. (Error Type / Reason: Forbidden, Detailed Message: {“status”:“error”,“message”:“This oauth-token (xxxxxxxxxxxxxxx) does not have proper permissions! (requires any of [email-access])”,“correlationId”:“xxxxxxxxxxx”,“requestId”:“xxxxxxxxxxxx”}) (SSIS Integration Toolkit for HubSpot, v4.0.0.591 - DtsDebugHost, v14.0.500.272)System.Net.WebException


#2

For reference the user in question has the below permissions.


#3

Hi @Henry_Lamborn,

That error message isn’t referring to the user’s permissions, but rather the scopes of the Oauth token being used to make the request. It appears that when the token was generated, the email-access scope wasn’t requested (see below). Do you have any more information on the scopes that KingswaySoft is requesting when initiating the integration?


#4

I am forwarding this query to Kingswaysoft support however their HubSpot component is working perfectly fine with the HubSpot test account. I am using following hubspot test account.

Username: testapi@hubspot.com
Password: *******
Hub ID: 62515

If the issue is due to the scope that KingswaySoft is requesting then it should not work with HubSpot test account too.


#5

“Reply from KingswaySoft”

Hi Irfan,

Please check the scope we are using below when authorize the OAuth token.

scope=contacts&optional_scope=content reports social automation timeline forms files hubdb transactional-email

As you can see, we have content scope included which is the scope for Email and Email Events APIs.

Hope this has helped, please feel free to let us know if there is anything we can help with.

Thanks and Regards,

Chen Huang
KingswaySoft Inc. | http://www.kingswaysoft.com | @kingswaysoft
Toll-Free: 1.855.KingswaySoft (1.855.999.5288)
Phone: 1.289.999.5288
Follow us on Twitter | LinkedIn | Facebook | Google+ | YouTube


#6

Hi,

we have done further investigation with the help of KingswaySoft and when we use HubSpot endpoint to check the oath token scope;

https://api.hubapi.com/oauth/v1/access-tokens/CMrE4dznKxICAQEY5aAxxxSwgwIozuABCccAQvuSE7RVr9Mj7OrCrESJmbNKd7OkL_Sm

i.e.

https://api.hubapi.com/oauth/v1/access-tokens/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
simply replace the xxx-xxx with the access token value you get in the error message to check the scopes the token included.

we getting following result back;

{“token”:“CMrE4dznKxICAQEY5aAxxxSwgwIozuABCccAQvuSE7RVr9Mj7OrCrESJmbNKd7OkL_Sm”,“user”:“xxxx.xxx@xxx.technology”,“hub_domain”:“www.xxx.technology”,“scopes”:[“contacts”,“oauth”],“hub_id”:430XXX,“app_id”:28XXX,“expires_in”:21561,“user_id”:4249XXX,“token_type”:“access”}


#7

Hi @Henry_Lamborn,

So the error this post was referencing from the beginning occurs when an integration tries to access an API with a token lacking the proper scope(s). While it appears from the KingswaySoft response that they’re requesting the proper scopes, we can see from your investigating that the token doesn’t have the correct scopes. Based on the scopes they request, it’s missing all of the optional scopes that they request. Does the portal this integration is installed in have access to all of the relevant tools? Is it possible that this integration was authorized at a time when the portal did not have those tools or when the integration didn’t request those scopes? If the KingswaySoft integration is requesting all the correct scopes, you should be able to uninstall/reinstall the integration in order to re-authenticate and receive a new token with the proper scopes.


#8

The portal does have access to the relevant elements we are attempting to integrate and there have been no changes on its permissions i.e. we believe portal has access to all the tools required for this integration.

Also, new Auth token get generated every time when we run integration even if portal tools changed then integration should pick correct scope in next run.

Please follow the previous post as I have covered this is quite good details.


#9

Hi @Henry_Lamborn,

Can you direct message me with the user who authorized the integration and the Hub ID of the portal you’re installing the integration to? It would also help if KingswaySoft could send the URL of the request that is failing.


#10

irfan.saeed@intercity.technology
hub_id":430181

{“token”:“CPH4zonoKxICAQEY5aAaIISwgwIozuABMhkAQvuSE1_ovBlT9o9hKy7_xxx_l_xXxXX5”,“user”:“irfan.saeed@intercity.technology”,“hub_domain”:“www.intercity.technology”,“scopes”:[“contacts”,“oauth”],“hub_id”:430181,“app_id”:28750,“expires_in”:19718,“user_id”:4249604,“token_type”:“access”}


#11

Hi @Henry_Lamborn,

I’ll message you directly to continue this conversation


#12

We just came across this thread and wanted to provide an update for any future searches.

It appeared that our software only included contacts scope during authorization and we fixed this issue in our v4.1 release on Oct 6, 2017:

  • Fixed (v4.1): “Auth In App” option in HubSpot Connection Manager does not include all scopes during the authorization.

For the clients who are already on v4.1 or later, if your HubSpot portal does not have Campaigns then you may get the same error message, in which case you may want to double check if Marketing Enterprise is included in your portal.

Thank you,
KingswaySoft