Optional Scopes and "You do not have the correct role to grant these permissions."

Not applicable

Hello, I’m attempting to verify that my company’s HubSpot OAuth2 app can be integrated with our clients’ HubSpot accounts. I understand that CRM-only HubSpot accounts do not have access to scopes that are only available to Marketing HubSpot accounts.

I have no problem authorizing with the Test Portal that’s set up alongside our Dev Account. However, I’m not able to authorize our app when using a dummy HubSpot account (Hub Portal ID: 3306102) with these products: HubSpot Marketing Free, HubSpot CRM, and HubSpot Sales Free. Specifically, I get this error:

Uh oh!
You do not have the correct role to grant these permissions. Please contact your administrator.

The HubSpot OAuth API documentation denotes the optional_scope parameter which has this description:

Optional scopes will be automatically dropped from the authorization request if the user selects a HubSpot account that does not have access to that tool (such as requesting the social scope on a CRM only portal).

Our app does request permission for Marketing-only scopes, namely “content”, “reports”, “automation”, and “forms”. I added those scopes to the optional_scope param as per the documentation.

The resultant OAuth URL looks like this:

https://app.hubspot.com/oauth/<portal-id>/authorize?client_id=<redacted>&optional_scope=content%20reports%20automation%20forms&redirect_uri=<callback-url>&scope=contacts%20content%20reports%20automation%20forms&state=<redacted>

Attempting to initiate OAuth access using this URL with the optional_scope param also results in the permissions error I noted above.

I attempted to make all the scopes optional:

https://app.hubspot.com/oauth/<portal-id>/authorize?client_id=<redacted>&optional_scope=contacts%20content%20reports%20automation%20forms&redirect_uri=<callback-url>&scope=contacts%20content%20reports%20automation%20forms&state=<redacted>

But again, this results in the same error.

I’ve found similar issues, one of which has a note saying it was resolved:

I'm attempting to authenticate Hubspot with OAuth2 using the automation, contacts, and content scopes and getting this message on the redirect URL : "Uh oh! You do not have the correct role to grant these permissions. Please contact your administrator.". I believe I'm logged into our administrator account when running this request. Any help in resolving this would be appreciated.

Am I misunderstanding the purpose of optional scopes? Any insight into this error would be appreciated. Thanks in advance!

HubSpot Employee

@mattstitch

Are you an admin in the portal you are trying to install the app into?
Also, both URLs have all of the scopes as required in addition to being optional.

&scope=contacts%20content%20reports%20automation%20forms

They should be in one group. optional or not.

Not applicable

Thanks for the response @pmanca.

I believe I am an admin in the portal I’m trying to install the app into. In my user preferences page it says “Marketing Administrator”, “Sales Administrator”, and “Account Administrator”.

“They should be in one group. optional or not.”

Do you mean each scope should be in one group or the other? The “contacts” scope appears to be permissible for Marketing and/or CRM accounts, and the other scopes are Marketing-only.

My new URL looks like this:

https://app.hubspot.com/oauth/<portal-id>/authorize?client_id=<redacted>&optional_scope=content%20reports%20automation%20forms&redirect_uri=<callback-url>&scope=contacts&state=<redacted>

Doing this results in a different error:

Uh oh!
Insufficient scopes were provided. Please contact the integrator.

The application I’m trying to integrate with has the following scopes:

Read from and write to my Contacts
Read from and write to my Content
Read from and write to my Reports
Read from and write to my Workflows
Read from and write to my Forms

Not applicable

Hey @pmanca – please see my last reply. I changed the request to initiate OAuth access based upon your suggestion, but that just gives a different error. Is it possible to connect a non-Marketing HubSpot portal to an application with some Marketing-only scopes, as long as those Marketing-only scopes are optional? If so, how should the OAuth URL be formatted?

Thanks again for your help!

HubSpot Employee

@mattstitch What is the app that you are installing trying to do? Are you trying to perform marketing-related activities? Does the install work on a portal that has the marketing tools?

Yes, it is possible, but you need to make sure the actions the app is taking will not conflict with the scopes.

Not applicable

@pmanca It’s an app with multiple tenants, some of whom may be non-Marketing. The app fetches data from the API endpoints for Contacts, Forms, etc. I believe this part of the HubSpot OAuth documentation is applicable:

If your app can work with multiple types of HubSpot accounts, you can use the optional_scope parameter to include any scopes you work with that only apply to marketing accounts, so that customers using CRM accounts can still authorize your app. Your app will be responsible for checking for and handling any scopes that you didn’t get authorized for.

Is optional_scope appropriate for our use case?

HubSpot Employee

What is this at the end of your call?

&state=<redacted>

Not applicable

@pmanca It’s an OAuth 2.0 base64 state string, which contains some of our app state and a signed nonce.

HubSpot Employee

@mattstitch Just out of curiosity does it work if you remove it from the call? The state is not a supported parameter on our calls.

Not applicable

@pmanca I believe removing the state query param has no effect.

https://app.hubspot.com/oauth/<portalid>/authorize?client_id=<redacted>&optional_scope=content%20reports%20automation%20forms&redirect_uri=<callback-url>&scope=contacts

^ that URL still results in

Uh oh!
Insufficient scopes were provided. Please contact the integrator.

HubSpot Employee

@mattstitch Can you print out the full error from the console?

Not applicable

@pmanca No problem. When attempting to authenticate our HubSpot app through a test portal, our application directs a user to:

https://app.hubspot.com/oauth/<portal-id>/authorize?client_id=<client-id>&optional_scope=content%20reports%20automation%20forms&redirect_uri=<callback-url>&scope=contacts

On that page, I believe this failing XHR is the important one – a POST request to

https://api.hubapi.com/oauth/v1/application-authorizations?portalId=<portal-id>&clienttimeout=7000

which returns a 400 with this response body:

{
  "status": "MISSING_SCOPE_GROUP",
  "message": "client requires more scopes",
  "correlationId": "dbcbe0ab-1bf3-4ed8-be38-1e9dce75f302",
  "requestId": "65a70a56b5e5b21931fd40f340e0aa76"
}

Here is the POST body:

{
  "clientId": "<client-id>",
  "hubId": <portal-id>,
  "optionalScopes": [
    "content",
    "reports",
    "automation",
    "forms"
  ],
  "redirectUri": "<callback-url>",
  "responseType": "code",
  "scopes": [
    "contacts"
  ]
}

It looks like the query parameters from the initial request are being properly ferried to the /application-authorizations endpoint. It’s not clear what additional scopes are required – the only one I required (contacts) was the only non-Marketing one.

HubSpot Employee

@mattstitch If you check any of the below scopes then they need to be required scopes. Your requests are correct but you might need to change your app settings. Any optional_scopes must be handled in your code and not through the app.

Your code is asking it as an optional scope but your app settings are overriding it as a required scope.

Not applicable

@pmanca Ah, I think I finally understand. Our HubSpot app settings need to define the minimum set of scopes that our app requires. The optional_scope param can be used to request additional scopes. I don’t think I realized that the app settings needed to match the scope param in the OAuth authorization URL.

Concretely, our app settings should only have Contacts checked, and then our users will authorize our app at this URL:

https://app.hubspot.com/oauth/<portal-id>/authorize?client_id=<client-id>&optional_scope=content%20reports%20automation%20forms&redirect_uri=<callback-url>&scope=contacts

which will give us permission to access the optional scopes as well: Content, Reports, Automation, and Forms. If the user’s HubSpot portal does not support any of those optional scopes, our app will of course not be able to access those resources, but for Marketing HubSpot users, our app will have access.

Am I understanding correctly?

HubSpot Employee

@mattstitch Yes, that sounds correct to me. Let me know if that works, please.

Not applicable

@pmanca That appears to have worked – I was able to successfully authorize the app with a non-Marketing HubSpot portal. Thanks for your patience in clarifying that issue for me and my team.
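
The resolution reached above, together with the signed `state` value described earlier in the thread, as an added example that is not code from any poster or from HubSpot. It keeps `scope` and `optional_scope` disjoint, signs and verifies the `state` string, and sorts the scopes actually granted; the key, client ID, callback URL and function names are constructed placeholders, and the list of granted scopes is assumed to come from the app's own token lookup.

```python
import base64, hashlib, hmac, json, secrets
from urllib.parse import urlencode, quote

REQUIRED = ["contacts"]  # must equal the scopes checked in the app settings
OPTIONAL = ["content", "reports", "automation", "forms"]  # Marketing-only

def sign_state(key: bytes, app_state: dict) -> str:
    """Serialize app state plus a random nonce and prepend an HMAC-SHA256 tag."""
    body = json.dumps({**app_state, "nonce": secrets.token_urlsafe(16)}).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag + body).decode()

def verify_state(key: bytes, state: str):
    """Return the decoded state, or None if it was altered or is malformed.
    The caller must still compare the nonce with the one saved in the session."""
    try:
        raw = base64.urlsafe_b64decode(state.encode())
        tag, body = raw[:32], raw[32:]
        expected = hmac.new(key, body, hashlib.sha256).digest()
        return json.loads(body) if hmac.compare_digest(tag, expected) else None
    except ValueError:  # covers bad base64 padding and bad JSON
        return None

def authorize_url(portal_id, client_id, redirect_uri, state):
    """Build the authorize URL; a scope may be required or optional, not both."""
    overlap = sorted(set(REQUIRED) & set(OPTIONAL))
    if overlap:
        raise ValueError(f"scopes both required and optional: {overlap}")
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(REQUIRED),
        "optional_scope": " ".join(OPTIONAL),
        "state": state,
    }, quote_via=quote)  # quote() encodes spaces as %20, as in the thread's URLs
    return f"https://app.hubspot.com/oauth/{portal_id}/authorize?{query}"

def split_granted(granted):
    """Fail closed on a missing required scope; report dropped optional ones."""
    granted = set(granted)
    missing = [s for s in REQUIRED if s not in granted]
    if missing:
        raise PermissionError(f"required scopes not granted: {missing}")
    return ([s for s in OPTIONAL if s in granted],
            [s for s in OPTIONAL if s not in granted])
```

Features that depend on a scope in the second list returned by `split_granted` should be disabled for that tenant instead of calling the API and handling the failure afterwards.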

Not applicable

I am having a similar problem with a customer’s account (I don’t have direct access). Our app requests “content”, “reports”, “social”, “automation”, “forms” as required scopes and “contacts”, “timeline”, “files” as optional scopes. All the scopes are requested via the OAuth call and not through settings (all the scopes are unchecked in settings).

This worked with the demo account and our own accounts, but when a marketing-only account tries to go through the OAuth flow the customer is getting “you do not have the correct role to grant these permissions”.

Where do we go from here to fix the problem?

HubSpot Employee

@Ka-Hing_Cheung That error might be occurring if the person trying to install the app does not have administrator permissions on the portal to do so. That sounds more like a permissions issue than a scope issue.

Not applicable

Where is that permission set up? The user is both “marketing administrator” and “account administrator”. In the other instance the user is just “marketer”.

HubSpot Employee

@Ka-Hing_Cheung It is in the portal settings under the roles and users.

Not applicable

Could you be more specific? Like I said, one of the accounts is “marketing administrator” and “account administrator” already.

HubSpot Employee

Is the portal you are trying to install it into a Pro or Enterprise portal? As they would need workflows for the automation scope.

Not applicable

This is from our customers so I don’t know the answer to that, but I can ask. Could you tell me where they would see if they have “workflows for the automation scope”?

HubSpot Employee

@Ka-Hing_Cheung You need to figure out if they have the Pro or Enterprise version of HubSpot.

Occasional Contributor

Hi,

I’m trying to get OAuth to work with my Enterprise level portal. This is the URL I’m using but it always returns the error ‘Insufficient scopes were provided’.
In the app, every scope is ticked bar ‘social’.

Can anyone see what I’m doing wrong?

https://app.hubspot.com/oauth/authorize?client_id=CLIENTID&scope=contacts%20content%20reports%20automation%20timeline%20forms%20files%20hubdb%20transactional-email&redirect_uri=https://www.hubspot.com

New Contributor | Diamond Partner

Hi @pmanca ,

I am the Super Admin for my test portal which is a Sales Free and Marketing Enterprise.

I am trying to install a custom integration and provided all the scopes which were selected in the app's details page.

https://app.hubspot.com/oauth/authorize?client_id=xxxxx-xxxx-xxx-xxxx-xxxx&scope=content%20forms%20a...

I ended up with: Uh oh! You do not have the correct role to grant these permissions. Please contact your administrator.

HubSpot Employee

@Vamsivinay119 Does the portal you are installing this into have all of the products that you are requesting access to? You could be an admin, but if your portal doesn't have workflows then it will throw an error when you try and install an app that is requesting access to it.

New Contributor | Diamond Partner

Hi @pmanca This issue is solved. I figured out the scopes needed and it worked. Thanks.