Developer Announcements

Dadams
HubSpot Employee
HubSpot Employee

Upcoming: Public apps will require a Redirect URL in the auth settings

SOLVE

Note: The final date for apps without redirect URLs being blocked from authorizing new users has been updated from April 3 to May 15.

 

Beginning on February 1st, 2023, public apps will be required to set a redirect URL in order to create or update an app. Any app that does not have a redirect URL set will be blocked from authorizing new users beginning on May 15, 2023.

 

What's changing?

When a user connects an app to their HubSpot account, they use an authorization URL that includes a redirect_uri that is used to redirect users back to the external application after granting access to the app. The redirect_uri is validated against the redirect URL set in the auth settings for the app.

 

Currently, apps are not required to set a redirect URL in the settings. Apps that do not have redirect URL in the auth settings won't validate the redirect_uri, which can allow authorization URLs to be built that could appear to connect an app but redirect to a third-party site without the HubSpot user knowing.  Please note that the app's client secret is required to generate an access token that would be used to access HubSpot data.

 

Requiring a redirect URL to be set will ensure that HubSpot users will only be redirected to your app website when connecting your app.

 

As part of this update, apps will be able to set multiple redirect URLs, in the case where an app needs to redirect to multiple places, or to support multiple environments (such as QA/testing environments).

 

URLs using http://localhost/ URLs will still be supported for testing while you're building your app.

 

Due to this change, since a static set of specific redirect URLs will be required, apps will no longer be able to use dynamic redirect URLs for individual users or accounts. If your app uses a different redirect URL for each install, your app will need to handle the redirects separately after the user is redirected from HubSpot back to your app, such as by tracking the user using the state parameter. You can find details on how to do this in this documentation.

 

When is this happening?

Apps will begin supporting multiple URLs starting today, and you can set up multiple redirect URLs in your app settings now.

 

New developer accounts created after October 31, 2022 will be required to include at least one redirect URL when creating or updating apps. App creation for developer accounts created before this date will not be affected at this time.

 

All existing apps will be required to include at least one redirect URL to save the settings on February 1st, 2023. This change will affect all apps in all developer accounts.

 

Apps without a set redirect URL will be blocked from authenticating new users starting on May 15, 2023. Existing refresh tokens that were previously created will continue to function, so this will only affect new connections and not existing users of your app.

 

Please let us know if you have any questions by replying below.

2 Accepted solutions
gbintegrations
Solution
Member

Upcoming: Public apps will require a Redirect URL in the auth settings

SOLVE

Hi @cconnors 

 

Thanks for your reply - I'm not sure I was clear enough with my question - the user has to start within our app for the correct context state param that we would set before we call the authorize endpoint. 

 

So thats why I was asking if the install url (oauth) is available to the customer directly, by setting a redirect_uri - does that enable some Install button on the marketplace or something that if clicked the user would start authorize flow from Hubspot.

 

Having spent some more time understanding the Install button on the marketplace, I think I've answered the question, it looks like the Install button on the marketplace is actually a specific link you specify in the Listing info of the app and isn't the same as the Install app (oauth2) link automatically generated from the redirect_uri, that was the confusion I was having, and thought that setting that would alter/enable the Install button to start auth flow in Hubspot first. That isn't the case, so we're good.

View solution in original post

0 Upvotes
cconnors
Solution
HubSpot Employee
HubSpot Employee

Upcoming: Public apps will require a Redirect URL in the auth settings

SOLVE

Ah, sorry about that. 

Yes, the marketplace listing url does not need to be the same as the oauth/authorize url. 

 

The redirect_url you set on the app's oauth settings is independent of any marketplace listing.

 

Sounds like we're all set now though. Let me know if you have any further questions.

View solution in original post

0 Upvotes
8 Replies 8
gbintegrations
Member

Upcoming: Public apps will require a Redirect URL in the auth settings

SOLVE

Hi,

 

We are reviewing the changes required to add redirect_uri which is fine and clear, however we've noticed that adding that then creates an app Install URL which starts from Hubspot and that connection flow won't work.

 

The questions we have is;

1. Is this link publicly available to anyone ? Or via the Install app button in the marketplace ?

2. If the answer to 1 is yes, can we remove the app install url from Hubspot ?

 

The reason we ask is that for our app it doesn't make sense to install via Hubspot because its not a plugin for or in Hubspot and only works starting from our app.

0 Upvotes
cconnors
HubSpot Employee
HubSpot Employee

Upcoming: Public apps will require a Redirect URL in the auth settings

SOLVE

Hi.

 

Regardless of where the user installs the app from, they are sent to a link like https://app.hubspot.com/oauth/authorize?client_id=00000000-0000-0000-0000-000000000000&redirect_uri=...which starts the oauth process with HubSpot. Then they are forwarded to a redirect_url that you own to complete the oauth handshake. See https://developers.hubspot.com/docs/api/working-with-oauth for more info.

 

You should have received an email with more detailed instructions and a link that will suggest redirect urls (like https://www.example.com/my-oauth-redirect) that you need to add to your app's BasicInfo Auth settings page within HubSpot.

 

If you have further questions, feel free to post and even tag me in our hubspotdev.slack.com workspace and I can assist further.

0 Upvotes
gbintegrations
Solution
Member

Upcoming: Public apps will require a Redirect URL in the auth settings

SOLVE

Hi @cconnors 

 

Thanks for your reply - I'm not sure I was clear enough with my question - the user has to start within our app for the correct context state param that we would set before we call the authorize endpoint. 

 

So thats why I was asking if the install url (oauth) is available to the customer directly, by setting a redirect_uri - does that enable some Install button on the marketplace or something that if clicked the user would start authorize flow from Hubspot.

 

Having spent some more time understanding the Install button on the marketplace, I think I've answered the question, it looks like the Install button on the marketplace is actually a specific link you specify in the Listing info of the app and isn't the same as the Install app (oauth2) link automatically generated from the redirect_uri, that was the confusion I was having, and thought that setting that would alter/enable the Install button to start auth flow in Hubspot first. That isn't the case, so we're good.

0 Upvotes
cconnors
Solution
HubSpot Employee
HubSpot Employee

Upcoming: Public apps will require a Redirect URL in the auth settings

SOLVE

Ah, sorry about that. 

Yes, the marketplace listing url does not need to be the same as the oauth/authorize url. 

 

The redirect_url you set on the app's oauth settings is independent of any marketplace listing.

 

Sounds like we're all set now though. Let me know if you have any further questions.

0 Upvotes
WNewing
Member

Upcoming: Public apps will require a Redirect URL in the auth settings

SOLVE

I'm wondering what the reasoning is for enforcing static set of specific redirect URLs?

 

I understand the benefit of making this a required field but doing so without support for dynamic urls seems overly restrictive. Is there any talk of allowing for a redirect_uri that allows for dynamic variables to be defined within it, etc?

0 Upvotes
durette
Participant

Upcoming: Public apps will require a Redirect URL in the auth settings

SOLVE

We have a private server-to-server application that retrieves form submissions and copies them to our ERP system. It doesn't redirect and has no need to do so. What are the best practices for such a scenario?

KWong2
Member

Upcoming: Public apps will require a Redirect URL in the auth settings

SOLVE
Actually, we already build an application integrated with hubspot oauth.

In our application, we have dynamic params org_uuid in our redirect_uri, like this

http://localhost:8092/api/integrations/hubspot/callback?org_uuid=f1234567-67df-42d8-a1e8-7dd4a654321...

Since org_uuid can be changed in each user sign-in, we MUST put empty string in configuration so that the system can allow dynamic params in the redirect_uri; otherwise the later token endpoint call will return error.

KWong2_1-1673575686746.png

 



So, after 1st Feb 2023, what can we do to let token endpoint can accept redirect_uri with dynamica params org_uuid??

This is very emergent, if we have no solution, our production application will be down after 1st Feb 2023 😞


Thanks
Dadams
HubSpot Employee
HubSpot Employee

Upcoming: Public apps will require a Redirect URL in the auth settings

SOLVE

Starting on April 3, 2023, we will no longer support dynamic URLs, so you will need to switch to using the state= parameter to track the user session instead.

 

This change won't go into effect until April 3, 2023, so your current settings will work till then, and users will continue to be able to connect your app with a dynamic URL up till then.

 

The change on February 1st will only affect the app setting page, as you will no longer be able to update the app settings without setting at least one static redirect URL.