OAuth Like User-Agent Flow... But There's No User Endpoint... How to Configure? (Actually: Self-handled Authorization for OAuth APIs / Offline Access on Behalf of User)

Thank you thank you thank you :heart: :heart: :heart: :heart: :heart:

I’ve been on this for quite a few hours now, and just adding openid profile fixed it for me!

@keith thanks so much for the detailed write up.

I am running into exactly the same issue and trying to connect to a service which doesn’t provide the User info in their response body that contains their access token.

They do provide a company id which in theory is tied to the user id eventually but unfortunately there is no way in Bubble to change those fields of ID and Email to just fetch ID and Company Name so that I could tie them back to the User myself (It is ok in my case if the user needs to log on first using password to my Bubble app before providing access to the external system).

Haven’t been able to fully replicate all the steps you are describing but so far this is the best description I found that helps with this exact issue.

So just wanted to say Thanks.

I know this thread is ancient, but for those who stumble upon it looking for an answer that uses bubble’s Oauth User Agent Flow (e.g. the oauth is your only authentication method for your app), you can “spoof” the calls. I did a similar thing when I needed to skip step one due to the authorization occurring prior to the user ever reaching the app.

Essentially, set up an API endpoint to return two fields, a unique id and an email. You can generate these however you see fit. Point step 3 of your oauth to your endpoint and to the field names. I did this with a third-party api provider, but you might be able to use bubble public-facing api workflows.

2 Likes

@trygumball

can you please share that scope value link. Do we need create open id connect profile over there? As i want a id_token which is sent by google. Will openid connect help in that case?

This answer is still relevant. Thank you @austin3. I was just getting to the ‘OMG I SUCK’ moment when I read your helpful comment. I swapped UserID and Email for two other user-specific keys (from a whoamI) and I’m in business.

I was not having a productive day before I read your comment. Much gratitude :heart:

1 Like

Hey @austin3 , would you mind going into a little bit more detail on how to do this?

Hi @manipaje , would you mind sharing how you did this? I’m stuck in the same situation currently.

I ran the ‘whoami’ api call to the third part provider. In the response there’s two different fields (such as 'firstname and ‘lastname’) I plugged these responses in, instead of UserID and Email and because I got a response from the api server it allowed me to continue. In my example I put ‘firstname’ in the User ID key path and I put ‘lastname’ in for User email key path. Then it all worked, magic! (luckily I don’t need or use the email and user id key paths… that I know of :wink:

(sorry for the delay, I missed the notification)

Really appreciate the response!

Throwing a note into here because it might help someone else. I was connecting Miro via API and struggled with the same problem (again) so I made a backend WF to give some nonsense for it to satisfy this problem. Here’s how it works:

Set up your API conector to the external service as needed - then add this:

User profile endpoint:
https:///api/1.1/wf/get_user
User ID key path: response.user_id
User email key path: response.user_email

User ID key path
then in your backend workflows create a new API workflow:

API workflow name: get_user
Expose as public API: yes
This workflow can run without authentication: yes
Trigger workflow with: GET
Response type: JSON object

(no other settings added/changed)

Add ‘Return data from API’ to this workflow:

Key: user_email
Type: text
Dynamic value: Current date/time in ISO format converted to MD5 hash

*this was my way of generating a random string, your milage may vary! :slight_smile:

Key: user_id
Type: text
Dynamic value: Current date/time in ISO format converted to MD5 hash append “_miro”

*another dynamic string of nonsense, tbh I just wanted two random values - this method might need to improve.

This enabled me to have a social login button (in debug_mode=true) on for a page, it got my app approved in miro and then it allowed me to add more API calls back in bubble’s API connector plugin.

It’s a such a simple spoof that it’d be an ace ‘feature request’: ‘spoof a user’!?

1 Like