APIs & Integrations

coffeeocean
Participant

"redirect_uri" query string parameter doesn't work

Repro steps:

* Logout of hubspot from the browser

* From main hubspot integration web app (Chrome on Mac), pop up a browser window (not iframe) to navigate to https://app.hubspot.com/oauth/authorize?client_id=<GUID>&redirect_uri=https://localhost:3000/signedi...

* Login successfully on the pop up window

 

Expected: the pop up window redirects to https://localhost:3000/signedin.html&scope=contacts

 

Actual: the pop up first redirects to https://app.hubspot.com/home-beta and then redirects to https://app.hubspot.com/reports-dashboard/<portal ID>/marketing

 

If I copy and paste https://app.hubspot.com/oauth/authorize?client_id=<GUID>&redirect_uri=https://localhost:3000/signedi... (the same URL as above) in the main browser window, everything works fine and it can successfully redirect to https://localhost:3000/signedin.html&scope=contacts.

 

What is this mysterious https://app.hubspot.com/home-beta that messes up the redirect logic and causes the "redirect_uri" query string param to not work?  I can't find any info on this form or internet search.

 

0 Upvotes
6 Replies 6
WendyGoh
HubSpot Employee
HubSpot Employee

"redirect_uri" query string parameter doesn't work

Hey @coffeeocean,

 

I hope all is well with you 🙂 

 

Just to clarify, when you paste the authorization url in the main browser window, everything works fine and you're able to grab the code after authorizing the app. However when you paste it in a pop up browser window, it's being first redirects to app.hubspot.com/home-beta.

 

  • In this case, could you share with me more as to what you mean by pop up browser window? Do you mean when you open a new tab? Or an incognito browser?

The app.hubspot.com/home-beta is where you select the portal to authenticate if you've more than one portal. However, I wouldn't expect it to remove the redirect_uri in the query param. On my end, these are the steps that I took to try and reproduce:

  • Use an incognito browser
  • Not too sure what you mean by pop up a browser window and hence I paste the authorization url e.g. 
https://app.hubspot.com/oauth/authorize?client_id={{client_id}}&scope={{scopes}}&redirect_uri=https://www.example.com/
  • Login successfully
  • Select the account that I'd like to authorize the app
  • Got redirect to https://www.example.com with the code

Are we taking different steps here? If so, can send over your dev portal and app ID and I can help further troubleshoot here. 

coffeeocean
Participant

"redirect_uri" query string parameter doesn't work

Hi @WendyGoh , thank you for following up!  I was able to further narrow down the repro.  The following URL works as expected.  

https://app.hubspot.com/oauth/authorize?client_id={{client_id}}&scope={{scopes}}&redirect_uri=https://www.example.com/

If you append with any param with a value that include "|" character (see example below), it will ignore "redirect_uri" parameter.

https://app.hubspot.com/oauth/authorize?client_id={{client_id}}&scope={{scopes}}&redirect_uri=https://www.example.com/&aaa=|

The way our integration opens a dialog browser window is by calling another 3rd party library API.  That API adds another query string parameter &_host_Info=excel|web|16.00|en-us|2fa6f564-142c-48c3-991c-e27a94301b4a|isDialog| which includes a few "|" characters in the value (see below).

We can't change how that 3rd party appends this extra parameter.  Can hubspot ignore these extra parameters that is not listed in the hubspot doc?  Thanks!

0 Upvotes
WendyGoh
HubSpot Employee
HubSpot Employee

"redirect_uri" query string parameter doesn't work

Hi @coffeeocean,

 

Thank you for the clarification. After testing this out, I can confirm that currently our redirect_uri only support generic URI and we cannot ignore extra parameters.

 

That said, as you should only have to get the authorization code once as subsequently you can use the refresh_token to get new access_token, using a generic URI might be the best way to approach this issue. If you do not want to use url such as www.example.com, you could also try creating a simple web server on a hosting service; services like Heroku have free tiers that might work for your purposes.

 

Hope this helps!

0 Upvotes
coffeeocean
Participant

"redirect_uri" query string parameter doesn't work

Hi @WendyGoh , please allow me to clarify.  I'm not trying to use a "redirect_uri" value that has query string parameters.  Now I moved "redirect_uri" param to the left with just "https://www.example.com".  Any addtional param to the auth URL that contains "|" character will cause hubspot to ignore "redirect_uri" param.  Example is "aaa=|" below.

 

https://app.hubspot.com/oauth/authorize?client_id={{client_id}}&redirect_uri=https://www.example.com/&scope={{scopes}}&aaa=|
0 Upvotes
WendyGoh
HubSpot Employee
HubSpot Employee

"redirect_uri" query string parameter doesn't work

Hi @coffeeocean,

 

Thank you for the clarificaton. I was able to further test this out by adding the "|" character in my authorization url like this:

 

https://app.hubspot.com/oauth/authorize?client_id=redacted&scope=contacts%20timeline%20oauth%20integration-sync%20e-commerce&redirect_uri=https://www.example.com/&aaa=|

And I was redirected to 

 

https://www.example.com/?code=xxx

Next, I used the code generated to retrieve my access and refresh token and it was generated out just fine. 

 

Are you seeing that if you add the additional param to the auth url, the page will not be redirected to the indicated redirect_uri? I would expect it to ignore the additional param and still redirect the browser to the indicated redirect_uri. In this case, do you mind sharing with me the dev portal, app ID, redirect_uri and the additional param used? 

 

Feel free to send these via a DM if it's more comfortable for you.

0 Upvotes
coffeeocean
Participant

"redirect_uri" query string parameter doesn't work

Thanks for following up, @WendyGoh!

 

The way our integration opens a pop up (or dialog) is by calling an API Office.context.ui.displayDialogAsync documented at https://docs.microsoft.com/en-us/office/dev/add-ins/develop/dialog-api-in-office-add-ins#send-inform....  I called the API like below:

 

Office.context.ui.displayDialogAsync("https://app.hubspot.com/oauth/authorize?client_id=<GUID>&redirect_uri=https%3A%2F%2Flocalhost%3A3000%2Fsignedin.html&scope=contacts");

Under the hood, the API eventually called system API below to create the dialog/pop-up:

window.open(
    "https://app.hubspot.com/oauth/authorize?client_id=<GUID>&redirect_uri=https%3A%2F%2Flocalhost%3A3000%2Fsignedin.html&scope=contacts&_host_Info=excel|web|16.00|en-us|2fa6f564-142c-48c3-991c-e27a94301b4a|isDialog|",
    "{"baseFrameName":"_xdm_0_https://d.docs.live.net/24eb0f81835c8883/DataTapir/Add-in%20Test.xlsx_{8577EA47-C83B-4F98-8474-057199CC52B1}7b4efa77_390bcb53_1563772991535","hostInfo":"excel|web|16.00|en-us|2fa6f564-142c-48c3-991c-e27a94301b4a|isDialog|","xdmInfo":"250fe9ff_2dd9cb4a_1563772991535|{8577EA47-C83B-4F98-8474-057199CC52B1}|https://excel.officeapps.live.com/x/_layouts/xlviewerinternal.aspx?edit=1&ui=en-US&rs=en-US&hid=r45hF9iQMkisWikUY8oNOw.0&WOPIsrc=https%3A%2F%2Fwopi.onedrive.com%2Fwopi%2Ffiles%2F24EB0F81835C8883%21403958&wde=xlsx&sc=host%3D%26qt%3DFolders&mscc=1&wdp=0","serializerVersion":1,"appContext":{"_id":"e5ac2d3f-6162-419d-8b0d-3efcfb07adddm_excelWebRenderer_ewaCtl_e5ac2d3f-6162-419d-8b0d-3efcfb07adddContoso.ButtonIdDeals","_appName":16,"_appVersion":"16","_appUILocale":"en-US","_dataLocale":"en-US","_docUrl":"https://d.docs.live.net/24eb0f81835c8883/DataTapir/Add-in%20Test.xlsx","_clientMode":1,"_settings":[["datatapir_deployment_env","\"dev\""],["datatapir_subscription_type","\"premium\""],["hubspot_access_token","\"CK2UkanALRICAQEYxNQdIKrHMyjZrwIyGQAKGvDqjLDepFUZnngkqg1JPncWAVa8afA6DwAKAkEAAAyAAgAIAAAAAUIZAAoa8Or7-SBek-SlBTIdyqwVS2wYQd1q2A\""],["hubspot_access_token_expires_in","21600"],["hubspot_manifest_version","\"1.0.6.0\""],["hubspot_portal_domain","\"developer-portal-61a82e1c-95ae-4437-a135-cd3188a27ba3.com\""],["hubspot_portal_id","485956"],["hubspot_refresh_token","\"96ca4a8a-c887-4a43-9f6f-2265c3ece29e\""],["hubspot_user_email","\"stanleyy@gizetech.com\""],["hubspot_user_id","844714"]],"_reason":"inserted","_osfControlType":1,"_eToken":"","_correlationId":"2fa6f564-142c-48c3-991c-e27a94301b4a","_appInstanceId":"{8577EA47-C83B-4F98-8474-057199CC52B1}","_touchEnabled":false,"_commerceAllowed":true,"_appMinorVersion":0,"_requirementMatrix":"{\"addincommands\":\"1.1\",\"bindingevents\":\"1.1\",\"biplatvisualrichapi\":\"1.5\",\"customfunctions\":\"1.7\",\"customfunctionsruntime\":\"1.1\",\"compressedfile\":\"1.1\",\"dialogapi\":\"1.1\",\"documentevents\":\"1.1\",\"excelapi\":\"1.9\",\"firstpartyauthentication\":\"1.1\",\"identityapi\":\"1.1\",\"matrixbindings\":\"1.1\",\"matrixcoercion\":\"1.1\",\"numberformatting\":\"1.1\",\"richapiruntime\":\"1.2\",\"richapiruntimeflag\":\"1.2\",\"selection\":\"1.1\",\"settings\":\"1.1\",\"tablebindings\":\"1.1\",\"tablecoercion\":\"1.1\",\"textbindings\":\"1.1\",\"textcoercion\":\"1.1\",\"file\":\"1.1\",\"webauth\":\"1.1\"}","_hostFullVersion":"0.0.0.0","_isDialog":false,"_clientWindowHeight":1305,"_clientWindowWidth":1129,"_addinName":"(Dev) Data Tapir - Analyze and Update Hubspot Data","_appDomains":["https://localhost","https://app.hubspot.com","https://api.hubapi.com","https://www.hubspot.com","https://app.getsidekick.com","https://telemetryservice.firstpartyapps.oaspapps.com","https://officeaddins.datatapir.com","https://www.youtube.com","https://localhost:3000"],"_featureGates":{},"_wacHostEnvironment":"1","_isFromWacAutomation":false,"_addInSourceLocationSubdomainAllowedIsEnabled":true,"_addInSourceUrl":"https://localhost:3000/index.html?view=deals&env=dev&manifest=1.0.6.0&et=","eToken":""}}",
    "width=1792, height=1152, left=-331.5, top=76.5,channelmode=no,directories=no,fullscreen=no,location=no,menubar=no,resizable=yes,scrollbars=yes,status=no,titlebar=yes,toolbar=no");

It did add "&_host_Info=excel|web|16.00|en-us|2fa6f564-142c-48c3-991c-e27a94301b4a|isDialog|" at the end of the original target URL.  I copied and pasted this augmented URL "https://app.hubspot.com/oauth/authorize?client_id=<GUID>&redirect_uri=https%3A%2F%2Flocalhost%3A3000..." on any normal browser tab (with hubspot signed out) or any incognito browser session, I can reproduce the issue consistently.  It is pretty sure "&_host_Info=excel|web|16.00|en-us|2fa6f564-142c-48c3-991c-e27a94301b4a|isDialog|" added at the end of the URL caused hubspot to ignore "redirect_uri".  But "_host_Info" parameter is not supposed to affect hubspot redirect behavior because it is irrelevant to hubspot, right?

 

Thanks!

0 Upvotes