Recent OAuth Issue?


#1

Have there been any known oauth issues that might have suddenly caused a problem reauthenticating with a refresh token?

We had a couple of user this morning where we got the following error when we try to authenticate on their behalf that errorred out with the following when we try getting a new token with their refresh token:

TITLE>Access Denied</TITLE>
</HEAD><BODY>
<H1>Access Denied</H1>
 
You don't have permission to access "http&#58;&#47;&#47;api&#46;hubapi&#46;com&#47;oauth&#47;v1&#47;token" on this server.<P>
Reference&#32;&#35;18&#46;c7e13217&#46;1510141126&#46;981b1099
</BODY>
</HTML>

#2

@homerlex I am not aware of any issues at this time. We also post any issues we have here:

https://status.hubspot.com/

I’ll ask around just in case and come back to you if I discover anything.


#3

FYI - it happened again after a user manually reauthed. They had no trouble reauthing but we got the error again when trying to get the token with the latest refresh token.


#4

Now its happening to all our HubSpot Integrations. Any advice on how to go about debugging this? Its been working fine for the last few weeks and we haven’t made any code changes


#5

@homerlex Can you show me the calls you are making to HubSpot and the response from HubSpot?


#6

We’re using omniauth to get the access token from the refresh token. The code looks like:

oauth = OmniAuth::Strategies::HubSpot.new(
        nil,
        ENV['HUBSPOT_OAUTH_CLIENT_ID'],
        ENV['HUBSPOT_OAUTH_CLIENT_SECRET']
      )
      token = OAuth2::AccessToken.new(
        oauth.client,
        '',
        { refresh_token: @authentication.refresh_token }
      )
      new_token = token.refresh!

The error mentioned in the original post occurs on the token.refresh! call. I have a feeling you need me to get a little more bare metal with the request/response. That will have to happen tomorrow.

Let me know if you hear of any known issues in the mean time.


#7

BTW - At the moment, it seems to be working OK.


#8

@homerlex Glad to hear it is working now. Yes I was hoping you could show me the end raw requests/response and not the C#(i believe?) that executes the calls.


#9

Its Ruby. If it starts happening again I’ll drill down further.


#10

FYI - the oauth problem started happening again this morning. I’ll try to dupe from my dev env to provide more info about the request/response.


#11

Of course I cannot duplicate in my dev environment. I have the same code that is in production. The only difference is in dev we auth against a different HubSpot application.


#12

I’ve tried to duplicate using the production app creds using POSTMan and I cannot duplicate.

The request that is generated in omniauth looks like this:
POST https://api.hubapi.com/oauth/v1/token
Body contains:
client_id= xxxx,
client_secret=xxxx,
grant_type=refresh_token,
refresh_token=xxxx

Header:
Content-Type: application/x-www-form-urlencoded

The Rails application making these requests run on Heroku. Is is possible that you could be periodically blocking by IP?

Again the response we are getting back contains HTML:

Access Denied

Access Denied

You don’t have permission to access “http://api.hubapi.com/oauth/v1/token” on this server.


Reference #18.e46533b8.1510666369.139336c7

Can you tell from the reference number in the message why these are failing?
Here are some of the reference numbers:
Reference #18.e46533b8.1510666369.139336c7
Reference #18.e46533b8.1510666377.1393872d
Reference #18.d0070f17.1510641234.4ac827c
Reference #18.3c6533b8.1510666379.e36070
Reference #18.9d2d1bb8.1510637646.7506639
Reference #18.3c6533b8.1510666275.e04944
Reference #18.3c6533b8.1510666275.e04b3d
Reference #18.e46533b8.1510666373.1393633d


#13

Evidence that you might be blocking us by IP: I recycled our Heroku worker dynos (meaning we got new IPs) and getting access tokens is working again. Could you please confirm that this is what is happening and how we can resolve this?


#14

Hi,

We started getting same errors few hours ago.
When we try to add new contact using Forms API we get this response

body: "<HTML><HEAD>\n<TITLE>Access Denied</TITLE>\n</HEAD><BODY>\n<H1>Access Denied</H1>\n \nYou don't have permission to access \"http&#58;&#47;&#47;forms&#46;hubspot&#46;com&#47;uploads&#47;form&#47;v2&#47;1753146&#47;7fbff040&#45;cdba&#45;4a97&#45;93cb&#45;133dc62fabb3\" on this server.<P>\nReference&#32;&#35;18&#46;bd070f17&#46;1510779492&#46;726736d7\n</BODY>\n</HTML>\n" 
header: {"Mime-Version" "1.0", 
	"Server" "AkamaiGHost", 
	"Content-Type" "text/html", 
	"Content-Length" "359", 
	"Connection" "close", 
	"Pragma" "no-cache", 
	"Expires" "Wed, 15 Nov 2017 20:58:12 GMT", 
	"Set-Cookie" "ak_bmsc=0264AFBC45AE59B177B9E44EBAEF7B90170F07BD7737000064AA0C5A033C482D~plhDaux6bNE9C3A8Av90JSVhp5qcz4m1B3/27pc4DW8Dd1AeOKbn1jkIOPUIz9alQBEAajcqrHwHIw6lRE58nE/ZE+VNPVspt9YO+Gu0ByxzAP0enzZzSv0nn7PzFo+mIFjrCYyTkMSevrzu0XOFZXIYM1MaqIge6fNYhx630fh+7qJi44JsyXJdiXRW5Wc2lZHNm/k+LwhZkdOiqvix150DJORhzVgoNMCUqTd7wIwtA=; expires=Wed, 15 Nov 2017 22:58:12 GMT; max-age=7200; path=/; domain=.hubspot.com; HttpOnly", 
	"Date" "Wed, 15 Nov 2017 20:58:12 GMT", 
	"Cache-Control" "max-age=0, no-cache, no-store"} 
orig-content-encoding: nil 
request-time: 117 
status:  403 
trace-redirects: ["https://forms.hubspot.com/uploads/form/v2/1753146/7fbff040-cdba-4a97-93cb-133dc62fabb3"] 

Same response when we tried to get-owners (this request had valid api-key):

body: "<HTML><HEAD>\n<TITLE>Access Denied</TITLE>\n</HEAD><BODY>\n<H1>Access Denied</H1>\n \nYou don't have permission to access \"http&#58;&#47;&#47;api&#46;hubapi&#46;com&#47;owners&#47;v2&#47;owners&#47;&#63;\" on this server.<P>\nReference&#32;&#35;18&#46;efc88d3f&#46;1510778382&#46;38880d8\n</BODY>\n</HTML>\n" 
headers: {"Server" "AkamaiGHost", 
	"Mime-Version" "1.0", 
	"Content-Type" "text/html", 
	"Content-Length" "297", 
	"Expires" "Wed, 15 Nov 2017 20:39:42 GMT", 
	"Date" "Wed, 15 Nov 2017 20:39:42 GMT", 
	"Connection" "close"} 
orig-content-encoding: nil 
request-time: 19 
status: 403 
trace-redirects: ["https://api.hubapi.com/owners/v2/owners/"] 

After reading this thread I have restarted our Heroku instance and everything seems to be ok.
@pmanca I can provide you with more detailed logs if you would like.
Maybe you have blacklisted some Heroku IPs which might be cycled to random people …


#15

HubSpot blocks are IP based, so if you are on a shared host it could be anyone from the same IP. HubSpot will stop blocking the IP automatically once things have cleared up. You might have run into that @homerlex, Are you sending to many requests over too quickly or something else that might not being playing as nice as our servers would like?


#16

Please define “too many requests too quickly”. We periodically have jobs that run that sync data for several users.


#17

For security reasons we don’t disclose that level of information. If you think you are hitting our servers to quickly potentially you might want to try backing off a bit on the rate and see if that helps. I’d be happy to hear more about your use case and learn what might be causing this.


#18

@pmanca - We have several users that have HubSpot App integrations. Every 3 to 10 mins (depending on how active the user currently is) we sync data from HubSpot for the integrated users.

I wouldn’t consider it a high rate of hitting your API. BTW, we haven’t had an issue for about a week now.


#19

Hi,

I’m facing a similar problem.
Although I want to make use of the built in integration function…

I want to integrate constant contact with Hubspot.
While doing so: I’m facing an invalid redirect issue (oauth2/error).

Can someone help me out with this issue?

thanks for your help,
Bavo De Bondt