User facing permission issue while authorising app

oauth

#1

I've made an app for integration with strings.ai

One of our users has complained that the integration is not working; this is what he sees during the authorization flow:

I don't understand what this error means, does the user not have permission to use the app, or does he not have permission to install apps?

How can we fix this?


#2

Hi @Chakradar_Raju, that message indicates that the user does not have permission to install the app into your account. Normally we suggest that Super Admins install integrations into accounts in order to avoid seeing this error.


#4

Thanks, Connor, for the clarification.
Just to make it clear, when multiple users from the same company want to use the app, should we:

  1. Let only the super admin do the integration, and use his access token to service all users' requests? or
  2. Let regular users wait for the super admin to do the integration, and then authorize the app and use their own access tokens?

What is the expected use of the API?


#5

Hi @Chakradar_Raju, HubSpot's OAuth 2.0 flow is not meant to be used as a login/sign-up flow for individual users. An application should be installed into an account just once and should only request the scopes that are necessary for the application to run, so that the built-in user permissions within the User settings in HubSpot can take over. For example, my application can request the contacts and content scopes. As a Super Admin, I can install this integration and can access all parts of the application, but my sales rep who does not have access to content cannot use that part of the integration.

In your outline, the desired scenario would be #1. The Super admin should install the integration, and their refresh/access tokens should be the ones that service all requests. Check out my answer on this topic for a bit more on OAuth:


#6

Hey Connor,

We're not using it for login, we're just using it to keep user data between our app and HubSpot in sync.
And we request the contacts and timeline scopes only, which are listed as available for "any marketing or CRM account" here: https://developers.hubspot.com/docs/methods/oauth2/initiate-oauth-integration#scopes

To give you a concrete case that we use the access tokens for: when we process a call on behalf of a user from our dialer integration, we log it to HubSpot as a call against a contact. Ideally we want to be able to make that activity look like it is from that specific user. Is that possible, or should we do this only as the super admin?


#7

Hi @Chakradar_Raju, I know that you're able to specify the userId when creating engagements/activities, and it will default to the person who connected the application if no userId is included. This is really the only solution I have to offer, as user specific integrations are not fully supported by our version of the OAuth2.0 spec.
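The install-once model described in #5 and the per-user attribution described in #7, as an added example (not HubSpot's code and not the thread author's code): tokens are stored per account, refreshed from the single Super Admin install, and reused for every user of that account; the call-logging request then carries the acting user's identifier rather than a per-user token. The authorize endpoint, the engagements path and the `ownerId` field name are assumptions for illustration and should be checked against the current HubSpot docs; the refresh transport is a stand-in callable so the block runs offline.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional
from urllib.parse import urlencode

# Minimal scopes, as in the thread: HubSpot's own user permissions then
# decide what each user can actually do through the integration.
REQUIRED_SCOPES = ("contacts", "timeline")

AUTHORIZE_ENDPOINT = "https://app.hubspot.com/oauth/authorize"          # assumed
ENGAGEMENTS_ENDPOINT = "https://api.hubapi.com/engagements/v1/engagements"  # assumed


def build_install_url(client_id: str, redirect_uri: str, scopes=REQUIRED_SCOPES) -> str:
    """URL the Super Admin visits once to install the app into the account."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "scope": " ".join(scopes)}
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


@dataclass
class AccountTokens:
    account_id: str          # HubSpot portal id, deliberately NOT an end-user id
    access_token: str
    refresh_token: str
    expires_at: float        # epoch seconds


@dataclass
class AccountTokenStore:
    """One token set per account. The Super Admin installs once; every user's
    requests for that account are serviced from that single install."""
    refresh: Callable[[str], dict]   # refresh_token -> {"access_token", "expires_in"}
    _tokens: Dict[str, AccountTokens] = field(default_factory=dict)
    skew: float = 60.0               # refresh this many seconds before expiry

    def record_install(self, account_id: str, access_token: str, refresh_token: str,
                       expires_in: float, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        self._tokens[account_id] = AccountTokens(account_id, access_token,
                                                 refresh_token, now + expires_in)

    def access_token_for(self, account_id: str, now: Optional[float] = None) -> str:
        """Token for any request in this account; refreshes when close to expiry."""
        now = time.time() if now is None else now
        tok = self._tokens.get(account_id)
        if tok is None:
            # This is the thread's failure mode: no install exists yet, so a
            # regular user cannot proceed until a Super Admin installs the app.
            raise LookupError(f"app not installed in account {account_id}")
        if now >= tok.expires_at - self.skew:
            fresh = self.refresh(tok.refresh_token)
            tok.access_token = fresh["access_token"]
            tok.expires_at = now + fresh["expires_in"]
        return tok.access_token


def build_call_engagement(store: AccountTokenStore, account_id: str, contact_id: int,
                          acting_user_id: int, duration_ms: int,
                          now: Optional[float] = None) -> dict:
    """Request that logs a call against a contact, attributed to acting_user_id.
    The account-level token authorises it; the user id only labels who did it."""
    now = time.time() if now is None else now
    token = store.access_token_for(account_id, now)
    body = {
        "engagement": {
            "active": True,
            "type": "CALL",
            "timestamp": int(now * 1000),
            "ownerId": acting_user_id,   # field name assumed; the reply above calls it the userId
        },
        "associations": {"contactIds": [contact_id]},
        "metadata": {"durationMilliseconds": duration_ms},
    }
    return {"method": "POST", "url": ENGAGEMENTS_ENDPOINT,
            "headers": {"Authorization": f"Bearer {token}"}, "body": body}
```

The point of keying the store by account rather than by user is that a user who was never able to install the app still gets served, and revoking the one install revokes access for everyone in that account at once.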


#8

Can you confirm if my understanding is correct:

The expected use of the API is to take authorization from only the super admin, and his access token can be used to perform activities as any of the users in that company. Is that right?


#9

@Chakradar_Raju you are correct. Though the way I think about it is that the Super Admin approves the scopes that an integration will have on behalf of the entire account. That integration will then work regardless of user permissions. If an integration uses the content and contacts scopes, a person with access only to the CRM will only be able to use the integration as it pertains to the CRM, however a user who has both access to the CMS and the CRM will be able to use the integration fully.