jeff00seattle
Contributor

Security Hole: Get Information for OAuth 2.0 Access Token

Reference: Get Information for OAuth 2.0 Access Token


Full Stop Blocker

Significant OAuth 2.0 security hole: we cannot allow HubSpot to be part of our app solutions because of how it handles the [** ACCESS TOKEN **] when requesting the user profile.


Going through a security review, providing the [** ACCESS TOKEN **] as part of the URL path to request the token's user profile is unacceptable. In other words, it is a full stop security blocker to allowing the HubSpot integration to be part of our services.


curl --request GET \
  --url 'https://api.hubapi.com/oauth/v1/access-tokens/[** ACCESS TOKEN **]'


For all OAuth 2 implementations by other providers' authentication services for retrieving the user profile, the [** ACCESS TOKEN **] is within the bearer authentication header.


For example... Could HubSpot provide access token information as follows, using the bearer authentication header instead?


curl --request GET \
  --url 'https://api.hubapi.com/oauth/v1/user-info' \
  --header 'authorization: Bearer [** ACCESS TOKEN **]'


Until this OAuth 2.0 security issue is addressed, my company will not ship our HubSpot integration effort.

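The two request shapes from the post side by side, as an added example that is not part of the original thread or HubSpot's own code: the /oauth/v1/user-info endpoint is the poster's hypothetical proposal, and the token value is constructed. The secret_exposure() check is the kind of review an integration team can run over its outbound requests to flag a credential that ends up anywhere other than the Authorization header (URL paths and query strings are routinely written to proxy, CDN and web-server access logs).

```python
from urllib.parse import unquote, urlparse

HUBSPOT_BASE = "https://api.hubapi.com"
# Constructed sample value for the demo; not a real credential.
SAMPLE_TOKEN = "sample-token-0123456789abcdef"


def path_request(access_token):
    """The shape the post objects to: token embedded in the URL path."""
    url = f"{HUBSPOT_BASE}/oauth/v1/access-tokens/{access_token}"
    return url, {"Accept": "application/json"}, None


def header_request(access_token):
    """The shape the post asks for. /oauth/v1/user-info is the poster's
    hypothetical endpoint, assumed here for illustration; the token travels
    only in the Authorization header."""
    url = f"{HUBSPOT_BASE}/oauth/v1/user-info"
    headers = {"Accept": "application/json",
               "Authorization": f"Bearer {access_token}"}
    return url, headers, None


def secret_exposure(url, headers, body, secret):
    """Review check: list every part of an outbound request (url path, query,
    fragment, non-Authorization headers, body) that carries the secret.
    URL parts are percent-decoded first so an encoded token is still caught.
    An empty list means the request passes."""
    parts = urlparse(url)
    found = []
    for name, value in (("path", parts.path), ("query", parts.query),
                        ("fragment", parts.fragment)):
        if secret in unquote(value):
            found.append(name)
    for name, value in headers.items():
        if name.lower() != "authorization" and secret in value:
            found.append(f"header:{name}")
    if body and secret in body:
        found.append("body")
    return found


if __name__ == "__main__":
    for build in (path_request, header_request):
        url, headers, body = build(SAMPLE_TOKEN)
        leaks = secret_exposure(url, headers, body, SAMPLE_TOKEN)
        verdict = "FAIL: token in " + ", ".join(leaks) if leaks else "ok"
        print(f"{build.__name__}: {verdict}")
```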
Jaycee_Lewis
Community Manager

Hi, @jeff00seattle

Thank you for your feedback. You are correct about both how the endpoint works and that it is not currently possible to add this as a request body.


The honest answer — there is not a lever to pull to make a change of this type immediately or on-demand.


Next steps –

For me:

  • I shared your feedback with the team that owns this endpoint and the Marketplace team. I cannot promise a direct response, and I will share any info I get here.

For you:

  • if you have an associated paid portal, please let your CSM know this is a significant and legitimate roadblock. Or, if you have another approved app or integration, you can do the same via your App Partner contact.
  • you can also submit your feedback via this page — App Partner Program

Best,
Jaycee

Jaycee Lewis

Developer Community Manager

jeff00seattle
Contributor

Thank you for your reply.
