oAuth without client secret for single page app (SPA) and command line tools

MM2 · ‎Feb 17, 2021

Hi Hubspotters,

oauth.com recommends not to use a client secret when writing a single page application or clients that the user can run locally such as a command line interface. This is documented here: https://www.oauth.com/oauth2-servers/single-page-apps/ . But I can't find an option to deactive the client secret in Hubspot.

How do you authenticate such applications via oauth? Using the API key seems not to be a solution since it doesn't allow to track who accesses the data and also not to limit the application's access scope.

kierana · ‎Feb 20, 2021

Hey - so I'm pretty sure this isn't going to be possible without an external service/server. Hubspot uses the Authorization code flow - this requires a client secret to exchange the authorisation code for an access token and you shouldn't embed this in the client.

A potential solution for this is to use Hubspot Enteprise - this supports authentication and provides you with the ability to create serverless functions.

Let me know how you get on 🙂

Good luck,

Kieran

View solution in original post

dennisedson · ‎Feb 18, 2021

Hey @MM2

Curious to know what you are building 😀

@kierana might be a great help here!

Thanks,

Dennis

We are excited to announce that the Community will be launching a weekly newsletter on November 2, 2020!
Sign up today!

MM2 · ‎Feb 20, 2021

Thank you for the redirect to @kierana . I can't say right now what I am building but it is a terminal application and potentially a single page app. Both have no backend that could store a secret unknown to the user.

kierana · ‎Feb 20, 2021