APIs & Integrations

grietVermeesch
Participant

Security redirect endpoint for oauth


I have built an app to enable OAuth and the usage of webhooks to simplify the traffic between HubSpot and our company application. I have defined a number of endpoints in our company application to receive webhook calls and a redirect URI to enable OAuth. My question relates to the options for securing those endpoints.

 

I understand that the only way to secure endpoints for webhook calls is verifying the x-hubspot-signature that is added to the header of those calls. However, I can't find any information on how to secure the redirect URI. It will not be targeted by a fixed IP, so IP allowlisting is not an option. No x-hubspot-signature is added to calls by the OAuth server to the URI in our application that receives the code to create an access token. So basically anyone can enter our application via the redirect URI?
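Added example, not code from the original post or from HubSpot's own SDK: the webhook check the question refers to, in Python. HubSpot's three published signature schemes, as I read the docs at the time of writing (confirm against the current documentation for the version your app uses), are v1 (hex SHA-256 of client secret + raw body, header X-HubSpot-Signature), v2 (the same with the HTTP method and full request URI hashed in, announced by X-HubSpot-Signature-Version: v2) and v3 (base64 HMAC-SHA256 keyed with the client secret over method + URI + body + millisecond timestamp, headers X-HubSpot-Signature-v3 and X-HubSpot-Request-Timestamp, with requests older than five minutes rejected). Two details matter in practice: hash the raw request bytes exactly as received, not a re-serialised copy, and compare in constant time. The client secret, the webhook URL and the event body below are placeholders constructed for this example.

```python
import base64
import hashlib
import hmac
import time

FRESHNESS_MS = 5 * 60 * 1000  # v3 only: reject a timestamp older than five minutes

# Constructed sample webhook body (not a real HubSpot event). The raw bytes as received are
# what gets hashed; re-serialising the JSON would change whitespace and break the check.
SAMPLE_BODY = b'[{"eventId":1,"subscriptionType":"contact.creation","objectId":42}]'


def sign_v1(client_secret: str, body: bytes) -> str:
    """v1: hex SHA-256 over client secret + raw body (a plain hash; method and URL not bound in)."""
    return hashlib.sha256(client_secret.encode("utf-8") + body).hexdigest()


def sign_v2(client_secret: str, method: str, uri: str, body: bytes) -> str:
    """v2: as v1 but the HTTP method and the full request URI are hashed in as well."""
    message = client_secret.encode("utf-8") + method.upper().encode() + uri.encode() + body
    return hashlib.sha256(message).hexdigest()


def sign_v3(client_secret: str, method: str, uri: str, body: bytes, timestamp_ms: int) -> str:
    """v3: base64 HMAC-SHA256 (key = client secret) over method + URI + body + ms timestamp."""
    message = method.upper().encode() + uri.encode() + body + str(timestamp_ms).encode()
    mac = hmac.new(client_secret.encode("utf-8"), message, hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def _equal(expected: str, presented) -> bool:
    """Constant-time comparison; a plain == leaks how many leading bytes matched."""
    return hmac.compare_digest(expected.encode("utf-8"), (presented or "").encode("utf-8"))


def verify_v3(client_secret, method, uri, body, timestamp_header, signature, now_ms=None) -> bool:
    """Check freshness first, then recompute the HMAC over the same inputs HubSpot signed."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    try:
        ts = int(timestamp_header)
    except (TypeError, ValueError):
        return False
    if now_ms - ts > FRESHNESS_MS:
        return False  # stale: a captured request cannot be replayed later
    return _equal(sign_v3(client_secret, method, uri, body, ts), signature)


def verify_webhook(client_secret, method, uri, body, headers, now_ms=None) -> bool:
    """Pick the scheme from the headers; anything unsigned or unrecognised is rejected."""
    h = {k.lower(): v for k, v in headers.items()}
    if "x-hubspot-signature-v3" in h:
        return verify_v3(client_secret, method, uri, body,
                         h.get("x-hubspot-request-timestamp"), h["x-hubspot-signature-v3"], now_ms)
    version = h.get("x-hubspot-signature-version", "v1").lower()
    presented = h.get("x-hubspot-signature")
    if presented is None:
        return False
    if version == "v1":
        return _equal(sign_v1(client_secret, body), presented)
    if version == "v2":
        return _equal(sign_v2(client_secret, method, uri, body), presented)
    return False
```

Call verify_webhook before parsing the body, with the URI exactly as HubSpot requested it (scheme, host, path and query string), and return 401 on failure; the signature helpers are included only so a test can build a correctly signed sample request.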

Accepted solution

Teun
Recognized Expert | Diamond Partner

Hi @dennisedson and @grietVermeesch,

 

Really good question! As we currently only have private integrations that we use for our clients, we make the callback URL temporarily available to retrieve the authorization token and store that as soon as we have it. We then exchange it for the refresh and authentication tokens. So for us, the redirect URL is not available unless we want it to be available.

The current OAuth2 setup in HubSpot allows anyone to install the integration / app who has the install URL available. I am not sure you can prevent this from happening. You could prevent the function that changes the authorization token for auth and refresh tokens from running by checking the Client ID that is being passed together with the authorization token.

@dennisedson Might be a good functionality to add: give the developer the option to define which portal IDs can use the install URL in the app settings page.



Learn more about HubSpot by following me on LinkedIn or YouTube

Did my answer solve your issue? Help the community by marking it as the solution.
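Added example, not code from the original thread or from HubSpot: a redirect-URI handler in Python that applies the checks discussed above. Two points are worth making explicit. First, the callback arrives as a browser redirect from the user who clicked the install link, not as a server-to-server call from HubSpot, which is why there is no signature header to verify; the standard OAuth 2.0 defence is a random state value minted when the flow starts, bound to that user's session, and checked (once) when the browser comes back. Second, the redirect endpoint on its own lets nobody in: a code is only worth something to whoever can exchange it at HubSpot's token endpoint with your client ID and client secret, and, as suggested in the answer, you can restrict which portals may complete an install by looking up the hub_id of the resulting access token and comparing it against an allowlist before storing anything. The real HTTP calls (POST https://api.hubapi.com/oauth/v1/token and GET https://api.hubapi.com/oauth/v1/access-tokens/{token}) are replaced by injected callables returning constructed responses so the example runs offline; example.invalid, the client ID, the codes, the tokens and the hub IDs are placeholders.

```python
import hmac
import secrets
import urllib.parse
from dataclasses import dataclass, field
from typing import Callable, Optional

AUTHORIZE_URL = "https://app.hubspot.com/oauth/authorize"
# In the real app: POST https://api.hubapi.com/oauth/v1/token with grant_type=authorization_code,
# client_id, client_secret, redirect_uri and code, then GET
# https://api.hubapi.com/oauth/v1/access-tokens/{access_token} to read hub_id.
# Both are injected as callables below so this file runs with no network access.


@dataclass
class Session:
    """Stand-in for the web framework's server-side (or signed) session cookie."""
    oauth_state: Optional[str] = None


@dataclass
class CallbackResult:
    ok: bool
    reason: str = ""
    hub_id: Optional[int] = None
    tokens: dict = field(default_factory=dict)


def build_install_url(client_id: str, redirect_uri: str, scopes: list, session: Session) -> str:
    """Mint a fresh random state, bind it to this session and build the authorize URL."""
    session.oauth_state = secrets.token_urlsafe(32)
    query = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": session.oauth_state,
    }
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(query)


def handle_callback(
    query: dict,
    session: Session,
    exchange_code: Callable[[str], Optional[dict]],
    lookup_hub_id: Callable[[str], Optional[int]],
    allowed_hub_ids: set,
) -> CallbackResult:
    """Redirect-URI handler: state check, code exchange, portal allowlist, then store."""
    expected = session.oauth_state
    session.oauth_state = None  # single use: a replayed or second callback fails the check
    received = query.get("state")
    if not expected or not received or not hmac.compare_digest(
        expected.encode("utf-8"), received.encode("utf-8")
    ):
        return CallbackResult(False, "state mismatch: not a flow this session started")

    code = query.get("code")
    if not code:
        return CallbackResult(False, "no authorization code in callback")

    # The exchange needs your client secret; a code handed in by a stranger gets them nothing.
    tokens = exchange_code(code)
    if not tokens or "access_token" not in tokens:
        return CallbackResult(False, "code exchange rejected by HubSpot")

    hub_id = lookup_hub_id(tokens["access_token"])
    if hub_id not in allowed_hub_ids:
        # Do not persist tokens for a portal you never agreed to serve.
        return CallbackResult(False, "portal not on the allowlist", hub_id=hub_id)

    return CallbackResult(True, "install accepted", hub_id=hub_id, tokens=tokens)


# Constructed stand-ins for HubSpot's endpoints (not real responses).
def fake_exchange(code: str) -> Optional[dict]:
    if code == "good-code":
        return {"access_token": "access-abc", "refresh_token": "refresh-xyz", "expires_in": 1800}
    return None


def fake_lookup_hub_id(access_token: str) -> Optional[int]:
    return 123 if access_token == "access-abc" else None
```

With this in place the endpoint can stay permanently reachable: an unsolicited hit with no matching state, a bogus code, or a portal outside the allowlist all end before any token is stored, so there is no need to open and close the route by hand around each install.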


4 Replies

Teun
Recognized Expert | Diamond Partner

Yeah! That should work for now.

grietVermeesch
Participant


Ok thank you for your help. So I make the endpoint briefly available just to receive the first token, and close it after that.

dennisedson
HubSpot Product Team

@Teun , any thoughts here?
