
OAuth Scope for Site Only Access


#1

Hello! I was asked to tag @nathan in this question.

We're building out our OAuth integration and the OAuth documentation doesn't list the supported OAuth scopes. It seems to default to granting access to the entire account (and all the sites), but we're looking for individual access tokens for individual site integrations. Is there a scope we can specify to only ask for access to one site? The screenshots of the Zapier integration seem to be closer to what we're looking to accomplish.

Thanks for your help and please let me know if my question needs to be clarified.


#2

Hi Luke

We currently don't have support for selecting specific sites for access from an OAuth integration.

However, I actually did build out the API with that use case in mind, so it should be fairly straightforward for us to implement.

I will look at getting this out ASAP.


#3

Thank you! It seemed from the Zapier integration that it would be possible to only grant access for one site. Without that feature, we'd have to add another step in our system to show all the sites for that user and have them pick the one they want to integrate FoxyCart into. If we can avoid that step and have the user select the single site on your end, that would be great. That also limits the exposure to just grant permissions for one site and one site only, which is ideal from a security perspective.

Thank you Nathan. I look forward to hearing more about this.


#4

It's been deployed! The authorization page now includes a list of a user's sites so they can select which specific sites they want to include instead of granting access to all sites in their account. Let me know if you have any issues or questions with it.


#5

Does this mean we can partially handle a user database with WF and Zapier?


#6

I'm a bit confused by your question - the change requested here is unrelated to Zapier. It was a request for the ability of an OAuth authorization to limit its scope to a specific site, as opposed to the authorization having access to all sites.

In practice, this means the "permission request" page of the OAuth application flow had an additional section added to it where users can select which sites an application has access to.


#7

Thanks for the clarification, @nathan :slight_smile: