oAuth 2.0

About

The free oAuth app pack allows you to add API services and obtain access tokens through the oAuth2 process right in Podio using GlobiFlow. This allows the stored access tokens to be used throughout your workspaces in Remote Post/Get actions in GlobiFlow. It puts API services at your disposal.

Security

In order to obtain access tokens using the oAuth app, the client id and client secret need to be provided, both of which are very sensitive. It is highly recommended to restrict access to this workspace to those users who are allowed to create these client ids and secrets. It's best to create a new client id and client secret solely for this app.

The oAuth app has fields that are used for revoking access tokens. Some of the flows use these fields by posting the existing access token to a URL. Every time you reauthorize or refresh the access token for the API service, it will try to revoke the previously used access token on your behalf, nullifying any further use of that token. There is also a flow that runs each hour, checks for expired access tokens and reissues new ones.

But not all API services are the same when it comes to this. For example, Podio lets you post an access token to the URL https://podio.com/oauth/token/invalidate with the parameter name "oauth_token", while Google has you make a request to https://accounts.google.com/o/oauth2/revoke?token={token}. MailChimp is different again: it requires you to revoke access tokens directly from your account on its website.

Since API services differ on how they revoke access tokens, you may need to adjust the flows that contain revoking of access tokens.

If you feel your information has been compromised, immediately revoke the access tokens and reissue new ones.

You can add another layer of security by installing the oAuth Access Tokens app pack. This gives you the option of storing the generated access tokens in another workspace, where they can be accessed while your client id and client secret stay private. You will need to update the flows that come with this app pack, or create new ones, to interact with this new workspace.

How To Install

Visit the App Market and click on Get Pack. It's best to install the app pack in a new workspace.

Once installed, Refresh from Podio and the automation flows that work with this app pack will be installed automatically.

How To Use

When adding a new API service, you'll need to create your client id and client secret beforehand (Eg: https://podio.com/settings/api). When creating these, be sure to set your Redirect URI to secure.globiflow.com. How to create these can be found in the API's documentation.

Before you add your first API service, you'll need to modify the Redirect URI flow and replace the URL inside the custom variable webhook.

You can find the correct URL in the webhook flow Save oAuth Code; replace the webhook variable above with the value highlighted in red:

After that, you are ready to add your first API Service.

Simply go to the oAuth app in the workspace and create a new item.

You'll need to provide the following:

  1. API Service (Eg: Podio)
  2. Client ID
  3. Client Secret
  4. Authorize URI
  5. Access Token URI

After creating your API service, the authorization link will show up as a comment. You have 30 seconds to click on this link before it is deleted.

You will then be taken to your API's site to grant access and receive a code.

This code will be used on an external GlobiFlow page.

The code is posted to the Save oAuth Code flow via JavaScript and saved to the item.

When the code field is updated, an attempt to obtain the access token is made via Remote Post. The access token, refresh token, and other information are saved to the item and the access code is removed.

You can reauthorize or refresh the access token manually by updating the Action field.
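The steps above, written out as an added example (this is not one of the app pack's flows and not GlobiFlow code): building the authorization link, reading the one-time code out of the redirect, forming the Remote Post that trades it for tokens, and saving the response on the item while removing the code. No request is sent; the token request is returned as the URL and form body a Remote Post would send. REDIRECT_URI, the item dictionary keys and the placeholder endpoints are assumptions of the example, as is the state parameter, which is standard OAuth2 but not mentioned on this page.

```python
"""
Added example, not one of the app pack's flows: the authorization-code
exchange the How To Use steps walk through, as plain functions so each
piece of data can be inspected. Nothing is sent over the network.
"""
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumption: the redirect URI exactly as registered with the API service.
REDIRECT_URI = "https://secure.globiflow.com"


def build_authorize_link(authorize_uri, client_id, scope=None):
    """Step 1 (Authorize flow): the link the user must click.

    Returns (url, state). `state` is a random value the callback must echo
    back, so a code from somebody else's authorization cannot be saved on
    this item.
    """
    state = secrets.token_urlsafe(16)
    params = {
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "state": state,
    }
    if scope:
        params["scope"] = scope
    return authorize_uri + "?" + urlencode(params), state


def extract_code(callback_url, expected_state):
    """Step 2 (Redirect URI / Save oAuth Code flows): read the one-time code
    out of the URL the API redirected to. Refuses a callback that reports an
    error or whose state does not match the link we generated."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this request")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no code")
    return code


def build_token_request(access_token_uri, client_id, client_secret, code):
    """Step 3 (Save Access Token flow): the Remote Post that trades the code
    for tokens, RFC 6749 section 4.1.3. The client secret travels in the
    form body, so this request must only ever go over HTTPS."""
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": client_id,
        "client_secret": client_secret,
    })
    return access_token_uri, body


def store_token_response(item, response):
    """Step 4: copy the token response onto the item and drop the code,
    which is single use and worthless once exchanged. Returns a new dict."""
    updated = dict(item)
    updated["access_token"] = response["access_token"]
    updated["refresh_token"] = response.get("refresh_token")
    updated["expires_in"] = response.get("expires_in")
    updated.pop("code", None)
    return updated


if __name__ == "__main__":
    # Constructed walk-through with placeholder endpoints and credentials.
    link, state = build_authorize_link("https://api.example.com/oauth/authorize", "CLIENT_ID")
    print("comment the user clicks:", link)
    code = extract_code("https://secure.globiflow.com/?code=CODE123&state=" + state, state)
    print("token request:", build_token_request("https://api.example.com/oauth/token",
                                                "CLIENT_ID", "CLIENT_SECRET", code))
```

The state check is the reason the Delete Authorize Comment flow matters: the authorization link is only useful to the person it was generated for, and a callback that does not carry the matching state is rejected rather than saved.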

Flows

Authorize - Creates the authorization link for the user to click on.
Delete Authorize Comment - For security reasons, this flow deletes comments made with the unique authorization link.
ReAuthorize - Manually creates another authorization link to reissue access tokens.
ReAuthorize Notification - This flow can be triggered by other flows to notify you that the API needs to be reauthorized.
Redirect URI - A special external page that you are redirected to that contains the access code that needs to be posted to the access token URI.
Save oAuth Code (Webhook flow) - Saves the access code obtained from the authorization page.
Refresh Access Token - Revokes any current access token and reissues a new one using the refresh token.
Save Access Token - Revokes any current access token and obtains a new one using the access code.
Test oAuth - A test flow if you wish to test a simple API call. Must have Test URI filled in.
Update Access Tokens (By Day or Date flow) - Each hour, this flow checks for any expired access tokens and attempts to obtain new ones using the refresh token.
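The logic behind the Refresh Access Token and Update Access Tokens flows, and the per-service revocation differences described under Security, as one added example (not the app pack's own flows): given stored items it picks the tokens due for refresh, builds the refresh request, builds the service-specific request that invalidates the token being replaced, and stores the response. Nothing is sent; every request is returned as data. The item keys, the REVOCATION table layout, the one-hour refresh margin and the sample items are this example's assumptions; the Podio and Google revocation endpoints are the ones named on this page.

```python
"""
Added example, not one of the app pack's flows: expiry check, refresh
request, and revocation of the old token, returned as data for inspection.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# How each service invalidates a token, as described under Security.
# Layout (method, url, parameter name) is an assumption of this example.
REVOCATION = {
    "Podio": ("POST", "https://podio.com/oauth/token/invalidate", "oauth_token"),
    "Google": ("GET", "https://accounts.google.com/o/oauth2/revoke", "token"),
    "MailChimp": None,  # no API endpoint: revoked from the account website only
}

# Constructed reference time and sample items standing in for the oAuth app.
# Credentials and token endpoints below are placeholders.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_ITEMS = [
    {"api_service": "Podio", "client_id": "podio-id", "client_secret": "podio-secret",
     "access_token_uri": "https://podio.com/oauth/token",
     "access_token": "old-podio-token", "refresh_token": "podio-refresh",
     "expires_at": NOW + timedelta(minutes=30)},
    {"api_service": "Google", "client_id": "google-id", "client_secret": "google-secret",
     "access_token_uri": "https://accounts.example.com/token",
     "access_token": "old-google-token", "refresh_token": "google-refresh",
     "expires_at": NOW + timedelta(hours=5)},
    {"api_service": "MailChimp", "client_id": "mc-id", "client_secret": "mc-secret",
     "access_token_uri": "https://login.example.com/oauth2/token",
     "access_token": "mailchimp-token", "refresh_token": None, "expires_at": None},
]


def tokens_needing_refresh(items, now, margin=timedelta(hours=1)):
    """Items whose token expires before the next hourly run (now + margin).

    Items without an expiry or without a refresh token are skipped: the
    API gave us nothing to refresh with, as FAQ 6 describes."""
    return [
        item for item in items
        if item.get("expires_at") is not None
        and item.get("refresh_token")
        and item["expires_at"] <= now + margin
    ]


def build_refresh_request(item):
    """The Remote Post that exchanges the refresh token for a new access
    token (RFC 6749 section 6). Returns (url, form body)."""
    body = urlencode({
        "grant_type": "refresh_token",
        "refresh_token": item["refresh_token"],
        "client_id": item["client_id"],
        "client_secret": item["client_secret"],
    })
    return item["access_token_uri"], body


def build_revocation_request(service, access_token):
    """(method, url, body) that invalidates the token being replaced, or
    None when the service only supports revocation from its website.
    Unknown services raise rather than silently skipping revocation."""
    if service not in REVOCATION:
        raise KeyError("no revocation rule for " + service)
    spec = REVOCATION[service]
    if spec is None:
        return None
    method, url, param = spec
    if method == "GET":
        return method, url + "?" + urlencode({param: access_token}), ""
    return method, url, urlencode({param: access_token})


def apply_refresh_response(item, response, now):
    """Store the new tokens. The old refresh token is kept when the API did
    not rotate it, which many services do not."""
    updated = dict(item)
    updated["access_token"] = response["access_token"]
    if response.get("refresh_token"):
        updated["refresh_token"] = response["refresh_token"]
    if response.get("expires_in") is not None:
        updated["expires_at"] = now + timedelta(seconds=int(response["expires_in"]))
    return updated


if __name__ == "__main__":
    for item in tokens_needing_refresh(SAMPLE_ITEMS, NOW):
        print("refresh:", build_refresh_request(item))
        print("revoke old:", build_revocation_request(item["api_service"], item["access_token"]))
```

Refreshing an hour ahead of expiry rather than only after it is a design choice of the example: with a flow that runs hourly, a token that expires between two runs would otherwise be unusable until the next run. Raising on an unknown service is deliberate, so adding a new API service forces you to decide how its tokens get revoked instead of leaving stale tokens valid.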

FAQs

  1. What about oAuth 1.0?
    oAuth 1.0 is slightly different. With oAuth 1.0, you need to send a digital signature, typically HMAC-SHA1. That's done using something like PHP's hash_hmac() function, which isn't available in GF. You could host that function elsewhere and do a remote post to generate your digital signature. But this app pack doesn't support oAuth 1.0 natively.
  2. What about username/password authorization?
    Each API handles username/password authorization for access tokens differently. Unlike oAuth2, there isn't any universal standard for it, though not everyone follows oAuth2 to the letter either. These app packs deal solely with the generic use of oAuth2. If enough show interest, I can create a new app for it.
  3. How do I use these app packs?
    Follow the instructions on this page. You'll need to understand how to set up your client id and client secret beforehand; that can be found in your API's documentation.
  4. What are the limitations?
    That will depend on whether your API supports oAuth2 for authorization and what functionality you're looking to use. Something like generating a file with your API in the hope of returning it to Podio may not work.
  5. I'm getting the GlobiFlow home page after granting access!
    You most likely forgot to set the Redirect URI to secure.globiflow.com when you set up your client id and client secret. This is done on the API's site and not in Podio or GlobiFlow.
  6. Why doesn't my API return a refresh token?
    Not all APIs (Eg: MailChimp) issue refresh tokens or even invalidate tokens through their API. If there isn't any refresh token or expiry date being returned, that's on the API. There may need to be some adjustments to some of the flows, but that's unlikely.
  7. Where can I get the URIs that are needed to create an API Service?
    Check your API documentation. Most are the same, but it's best to double check what they are.
  8. Can you help set this up for me?
    Please Create a Work Order and I'll get back to you as soon as I can.
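For FAQ 1 above, an added example (not part of the app pack) of the HMAC-SHA1 signing step that oAuth 1.0 needs and that GF cannot do itself. This is the kind of function you would host elsewhere and call with a Remote Post: it builds the signature base string from RFC 5849 section 3.4.1, signs it as in section 3.4.2, and returns the Authorization header for one request. The endpoint, keys and parameter values in the demo at the bottom are constructed placeholders.

```python
"""
Added example, not part of the app pack: oAuth 1.0 HMAC-SHA1 request
signing (RFC 5849), the piece GF lacks a hash_hmac() equivalent for.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlsplit, urlunsplit


def pct(value):
    """RFC 5849 section 3.6 encoding: only unreserved characters are left bare."""
    return quote(str(value), safe="-._~")


def base_string_uri(url):
    """Scheme and host lower-cased, default ports dropped, query and fragment removed."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    port = parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    netloc = host if port is None or default else f"{host}:{port}"
    return urlunsplit((scheme, netloc, parts.path or "/", "", ""))


def signature_base_string(method, url, params):
    """METHOD & encoded URI & encoded normalized parameters. `params` holds
    query, form and oauth_* parameters together, excluding oauth_signature."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """Key is encoded consumer secret & encoded token secret; output is base64."""
    key = pct(consumer_secret) + "&" + pct(token_secret)
    digest = hmac.new(key.encode(), signature_base_string(method, url, params).encode(),
                      hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, params, consumer_key, consumer_secret,
                 token=None, token_secret="", nonce=None, timestamp=None):
    """Produce the Authorization header for one request. A fresh nonce and
    timestamp are generated unless supplied, so each signature is single use."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token
    oauth["oauth_signature"] = hmac_sha1_signature(
        method, url, {**params, **oauth}, consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))


if __name__ == "__main__":
    # Constructed demo: placeholder endpoint and credentials.
    print(sign_request("POST", "https://api.example.com/v1/items", {"status": "new"},
                       "CONSUMER_KEY", "CONSUMER_SECRET", "TOKEN", "TOKEN_SECRET"))
```

If you do host this, the consumer secret and token secret live on that host and only the finished header comes back to GF; the signature covers the method, URL and every parameter, so the request the flow then sends must match what was signed exactly.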

Support

Unfortunately we do not support any flows outside of this app pack, which are listed above. This also includes using the generated access tokens made by flows in this app pack. It's best to refer to the API's documentation to understand how to use the generated access tokens with their service.

If you wish to have us install this app pack for you or modify the flows that go with it, please Create a Work Order and we'll get back to you as soon as we can.