OAuth2
Here are all details about configuring Connectors to authenticate with OAuth2
Introduction
Before getting started with further details, it is very helpful to understand on a high level how OAuth2 works, this will make the following details easier to grasp and helps tremendously with troubleshooting.
Redirect URI
The redirect URI is always https://api.locoia.com/v1/oauth2/callback/
connectorname
for Connectors with one word names. For connectors with multiple words, spaces are replaced by %20
.
Examples
HubSpot:
https://api.locoia.com/v1/oauth2/callback/hubspot
Teamwork CRM:
https://api.locoia.com/v1/oauth2/callback/teamwork%20crm
Header
The header for OAuth2 almost always looks the same for all Connectors:
Authentication Configuration
For APIs that follow the OAuth2 standard without any deviations, the Authentication Configuration looks likes this:
For APIs that use scopes, scopes can be added in the extra_authorization_url
dictionary, separated by spaces, like: "scope": "scope1 scope 2"
.
OAuth2 URLs
step1_authorize_url
is used for opening the initial authorization website (always aGET
request)step3_access_url
is the request that is being made in order to receive the access token. This is by default aPOST
request with content-typeapplication/x-www-form-urlencoded
.token_refresh_url
will be deprecated for regular OAuth2 use and only added if the refresh URL differs from the regularstep3_access_url.
Additional query/body parameters
As shown in the Authentication Configuration above, additional query/body parameters can be added to the different OAuth2 URLs:
extra_authorization_url
includes query string parameters on the initial authorization request to the urlstep1_authorize_url.
extra_access_url
includes query string parameters on the subsequent token and refresh request to the URLstep3_access_url.
Dynamic base domains
To make the base domains of the URLs flexible, user input can be used together with Jinja rendering, as documented here in detail.
Handling OAuth2 deviations
In order to handle OAuth2 deviations, additional query parameters in the URLs can be used, as well as these parameters, which can be set in the config
dictionary:
client_id_and_secret_in_headers
(any value) - This will send the client id and secret as Basic Auth in the headers for the access request.alternative_code_key
- This will overwrite the default keycode
for the access code valuealternative_client_id_key
- This will overwrite the default keyclient_id
for the client id valuealternative_client_secret_key
- This will overwrite the default keyclient_secret
for the client secret valuegrant_type
- This will add grant_type as an extra query/body parameter - (Deprecated)accept_header
- This will send anAccept
header with the specified valuecontent_type
- This will overwrite the defaultContent-Type
valueapplication/x-www-form-urlencoded
. If the content type is set toapplication/json
, the body will be converted to JSONrequest_method
(only acceptsGET
) - This will overwrite the default methodPOST
and send the parameters as query, instead of body parametersaccess_token_path
- Overwrites the default pathaccess_token
to retrieve the access token from the response
Additionally, the following field can be set in the auth_form
as user input - (Deprecated)
alternative_scope
- This gives users the option to specify scopes and will overwrite any scopes set in thescope
query parameterclient_id
- This is needed for Connectors that require user to create their own OAuth2 app and will overwrite theclient_id
from theconfig
(See Snowflake rendering for a detailed example)client_secret
- Same as theclient_id
, but for theclient_secret
Other fields, can also be set in the auth_form
, however, they have to explicitly be added to the config
in order to be rendered and used.
Examples
HubSpot - Standard with Scopes
The Authentication Configuration is the standard one, with specific scopes:
The header is the standard header.
TikTok - Alternative client keys and access token path
TikTok has a few deviations from the OAuth2 standard:
The client id key is
app_id
instead ofclient_id
, thusalternative_client_id_key
needs to be set accordinglyThe client id key is
secret
instead ofclient_secret
, thusalternative_client_secret_key
needs to be set accordinglyThe access token is returned inside a dictionary called
data
, instead of in the 'root' dictionary, thusaccess_token_path
needs to be set accordinglyThe base domain for the access url, is always
https://business-api.tiktok.com/
, even though the base domain for the endpoints itself is based on the environment:https://{% if environment is defined and environment == 'Sandbox' %}sandbox{% else %}business{% endif %}-api.tiktok.com/open_api/v1.2/
The Authentication Configuration thus needs to be setup like this:
Last updated