APIs & Integrations

MM2
Member

oAuth without client secret for single page app (SPA) and command line tools

SOLVE

Hi Hubspotters,

 

oauth.com recommends not to use a client secret when writing a single page application or clients that the user can run locally such as a command line interface. This is documented here: https://www.oauth.com/oauth2-servers/single-page-apps/ . But I can't find an option to deactive the client secret in Hubspot.

 

How do you authenticate such applications via oauth? Using the API key seems not to be a solution since it doesn't allow to track who accesses the data and also not to limit the application's access scope.

0 Upvotes
1 Accepted solution
kierana
Solution
Contributor

oAuth without client secret for single page app (SPA) and command line tools

SOLVE

Hey - so I'm pretty sure this isn't going to be possible without an external service/server. Hubspot uses the Authorization code flow - this requires a client secret to exchange the authorisation code for an access token and you shouldn't embed this in the client.

 

A potential solution for this is to use Hubspot Enteprise - this supports authentication and provides you with the ability to create serverless functions. 

 

Let me know how you get on 🙂 

 

Good luck,

Kieran

View solution in original post

4 Replies 4
MM2
Member

oAuth without client secret for single page app (SPA) and command line tools

SOLVE

Thanks @kierana . A pity that it doesn't work but I guess Hubspot has their reasons.

0 Upvotes
MM2
Member

oAuth without client secret for single page app (SPA) and command line tools

SOLVE

Thank you for the redirect to @kierana . I can't say right now what I am building but it is a terminal application and potentially a single page app. Both have no backend that could store a secret unknown to the user.

0 Upvotes
kierana
Solution
Contributor

oAuth without client secret for single page app (SPA) and command line tools

SOLVE

Hey - so I'm pretty sure this isn't going to be possible without an external service/server. Hubspot uses the Authorization code flow - this requires a client secret to exchange the authorisation code for an access token and you shouldn't embed this in the client.

 

A potential solution for this is to use Hubspot Enteprise - this supports authentication and provides you with the ability to create serverless functions. 

 

Let me know how you get on 🙂 

 

Good luck,

Kieran

dennisedson
HubSpot Product Team
HubSpot Product Team

oAuth without client secret for single page app (SPA) and command line tools

SOLVE

Hey @MM2 

Curious to know what you are building 😀

@kierana might be a great help here!

0 Upvotes