How to Get Information for OAuth 2.0 Access Token & Refresh Token on localhost
@pmanca – we are also having this issue on desktop applications.
Yes, you can get an SSL cert easily, but it takes a lot of jumping through hoops on the user side of things to install the certificate on a local computer.
And I don’t think you should consider it “rolling back” security b/c the obvious alternative is just to send people to grab their API key, but I’m sure your engineers would say that’s less ideal than using OAuth.
A good workaround would be to allow http instead of https only for localhost.
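The redirect-URI policy proposed in the post above (https everywhere, plain http only for the local machine), sketched as a server-side check. This is an added example, not part of the original post and not HubSpot's implementation; the function names, reason strings and sample URIs are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def is_loopback_host(host):
    """True for 'localhost' or a loopback IP literal (127.0.0.0/8, ::1)."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        # Not an IP literal: look-alikes such as 'localhost.evil.example' end here.
        return False


def redirect_uri_allowed(uri):
    """Return (allowed, reason) under 'https required, http only on loopback'."""
    try:
        parts = urlsplit(uri)
    except ValueError:
        return False, "malformed URI"
    host = parts.hostname or ""
    # 'http://127.0.0.1@evil.example/' has host evil.example, so refuse userinfo.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in redirect URI"
    if parts.fragment:
        return False, "fragment in redirect URI"
    if parts.scheme == "https" and host:
        return True, "https"
    if parts.scheme == "http":
        if is_loopback_host(host):
            return True, "http on loopback"
        return False, "plain http to a non-loopback host"
    return False, "unsupported scheme"


# Constructed sample redirect URIs, not taken from any real registration.
SAMPLES = [
    "https://app.example.com/oauth/callback",
    "http://127.0.0.1:8080/callback",
    "http://[::1]:8080/callback",
    "http://localhost.evil.example/callback",
    "http://127.0.0.1@evil.example/callback",
    "http://app.example.com/callback",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(uri, "->", redirect_uri_allowed(uri))
```

The check compares the parsed hostname rather than matching on the raw string, which is what keeps look-alike hosts and userinfo tricks out of the loopback exception.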
So guys, I have resolved the issue myself by making some changes; if anyone is facing that issue, they can ask me. I am getting the access token and refresh token on my localhost. I am attaching a screenshot also.
You’re calling the HubSpot endpoint insecurely,
change http://api.hubapi.com/oauth/v1/access-tokens/CJSP5qf1KhICAQEYs-gDIIGOBii1hQIyGQAf3xBKmlwHjX7OIpuIFEavB2-qYAGQsF4
to https://api.hubapi.com/oauth/v1/access-tokens/CJSP5qf1KhICAQEYs-gDIIGOBii1hQIyGQAf3xBKmlwHjX7OIpuIFEavB2-qYAGQsF4
Not sure if that fixes your error, but it couldn’t hurt.
Also, did you change your access token in order to paste it here in the forum? That token doesn’t look right… I don’t think I’ve seen any with underscores instead of hyphens
Hi Paul,
May I ask why you require https for the callback? This is unusual compared to other APIs. In fact, I have not seen any other API with such a requirement. This is not easy to handle because it requires installation of certificates for the local callback. Can you please ask your colleagues to reconsider this requirement? Regular http should suffice and it is not a large security breach because the provided authorization code has a short life.
Also I have tried using the standard ‘urn:ietf:wg:oauth:2.0:oob’ as redirect_uri but apparently your authentication process doesn’t support it.
@COZYROC Having an encrypted callback is simply a more secure way of setting up the OAuth flow. We won’t be rolling back to a less secure way in the future. You can always spin up a self-signed certificate if you want to do local testing.
Paul,
We are talking about desktop application authentication to HubSpot. By requiring that you create a self-signed certificate, you are asking the customers to jump through hoops. This is not user-friendly and makes access to HubSpot data much harder. I would recommend you take a look at how other companies, like for example Google, have implemented their OAuth authentication to see that requiring an HTTPS callback is a very unusual requirement. I hope you reconsider.
@COZYROC I’m not sure where you got Paul from but that isn’t my name.
My apologies if you consider our OAuth flow to be not user-friendly. We try to take security very seriously here and will not be rolling back to a less secure way of handling our OAuth flow.
Peter, Sorry!
Do you think Google doesn’t take security seriously? And it is not only Google. Microsoft and Twitter don’t require secure callbacks either. I have already stated the code returned in the callback is temporary and short-lived.
Please ask your team to reconsider for a minute. They might be wrong on this requirement.
I am using “https” on localhost with a self-signed certificate. But when I run my same code on “Postman” with the refresh and access token, it’s returning me the right JSON response as shown in the HubSpot documentation.
@pmanca This is the error I am receiving on my localhost project. I am sending the URL as ‘https’ but it’s returning me ‘http’; this may be the cause of the error. Kindly see this.