Significant OAuth 2.0 security hole: we cannot allow HubSpot to be part of our app solutions because of how it handles the [** ACCESS TOKEN **] when requesting the user profile.
Going through a security review, providing the [** ACCESS TOKEN **] as part of the URL path to request the token's user profile is unacceptable. In other words, it is a full-stop security blocker to allowing the HubSpot integration to be part of our services.
curl --request GET \
  --url 'https://api.hubapi.com/oauth/v1/access-tokens/[** ACCESS TOKEN **]'
For all OAuth 2 implementations by other providers' authentication services, when retrieving the user profile the [** ACCESS TOKEN **] is carried in the authentication bearer header.
For example, could HubSpot provide the access token information as follows, using the authentication bearer header instead?:
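An added illustration of the concern raised above (example code, not from the original post or from HubSpot): it builds the current path-style request next to a hypothetical header-style request, shows what an ordinary access log would record for each, and includes a redaction step a defender can apply to logs while the endpoint keeps its current shape. The `/oauth/v1/access-tokens` URL without a path segment is an assumed alternative, not a real HubSpot endpoint.

```python
import re
from urllib.parse import urlsplit
from urllib.request import Request

HUBSPOT_BASE = "https://api.hubapi.com"
# Matches the token segment of the real endpoint's path so it can be masked in logs.
TOKEN_PATH_RE = re.compile(r"(/oauth/v1/access-tokens/)([^/?#]+)")


def path_style_request(access_token: str) -> Request:
    """Shape the endpoint currently requires: the token is part of the URL path."""
    return Request(f"{HUBSPOT_BASE}/oauth/v1/access-tokens/{access_token}", method="GET")


def header_style_request(access_token: str) -> Request:
    """Shape the poster asks for (hypothetical URL): token only in the Authorization header."""
    req = Request(f"{HUBSPOT_BASE}/oauth/v1/access-tokens", method="GET")
    req.add_header("Authorization", f"Bearer {access_token}")
    return req


def access_log_line(req: Request) -> str:
    """Approximates what a proxy or web-server access log stores: method and request
    target only. Headers are not written, so a bearer token never reaches this line."""
    parts = urlsplit(req.full_url)
    target = parts.path + (f"?{parts.query}" if parts.query else "")
    return f'"{req.get_method()} {target} HTTP/1.1"'


def token_leaks_into_log(req: Request, access_token: str) -> bool:
    """True when the raw token would be persisted by an ordinary access log."""
    return access_token in access_log_line(req)


def redact_token_path(log_line: str) -> str:
    """Mitigation while the path-style endpoint remains: mask the token segment
    before the log line is shipped to storage or a SIEM."""
    return TOKEN_PATH_RE.sub(lambda m: m.group(1) + "[REDACTED]", log_line)


if __name__ == "__main__":
    token = "constructed-sample-token"  # constructed value, not a real credential
    for req in (path_style_request(token), header_style_request(token)):
        line = access_log_line(req)
        print(line, "-> leaks token:", token_leaks_into_log(req, token))
        print("redacted:", redact_token_path(line))
```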
Thank you for your feedback. You are correct about both how the endpoint works and that it is not currently possible to add this as a request body.
The honest answer — there is not a lever to pull to make a change of this type immediately or on-demand.
Next steps –
For me:
I shared your feedback with the team that owns this endpoint and the Marketplace team. I cannot promise a direct response, and I will share any info I get here.
For you:
If you have an associated paid portal, please let your CSM know this is a significant and legitimate roadblock. Or, if you have another approved app or integration, you can do the same via your App Partner contact.