
Can I pass custom data with the Access Token Request (OAuth v2)?

  • 28 October 2022
  • 4 replies
  • 647 views


Hey everyone 👋

I’m implementing oauth2 authentication with the Zapier Platform UI, and I can’t figure out how to access custom query parameters in the “Add OAuth v2 Endpoint Configuration” step.

The framework that I use for oauth2 requires every access token request to have a code verifier, which is just a huge string. I pass this as a “code_verifier” param along with the “code” and “state” in the Zapier redirect URL:

https://zapier.com/dashboard/auth/oauth/return/App170464CLIAPI/?code=TSyXifW95nFZb3bgInuVLVsA2GBLgS2xKAP2zoLP&code_verifier=OUFMQklKVDg4VlNKQThURldDQkhUU0MyR0lCREVOT1A4MVU2V1FHME1JSTFWSVNPSQ==&state=1666972916.326372427372

I can then access the code param from bundle.inputData.code. But when I try to use bundle.inputData.code_verifier I get an empty string (same with every custom param):

I’ve found a quick workaround for now: I combine both values into one huge string separated by “AND”, and put them into the “code” param. Then I use the split("AND") method:

It works, but it’s definitely not the cleanest solution :) I wonder if I can just access the code_verifier directly.


Best answer by iansco 3 November 2022, 04:26





Hi @Elis Gubarev! 👋

It works, but it’s definitely not the cleanest solution :) I wonder if I can just access the code_verifier directly.

Based on the code_verifier reference, does the authorization server use PKCE? If so, Zapier doesn’t yet have built-in support for the OAuth 2 authorization code flow with PKCE, I’m sorry about that 🙁

PKCE support is something we’re working on but we don’t have a timeline on when it will become available.

Although the approach you’re using enables successful authentication, it seems this approach might circumvent the security that PKCE is intended to provide, as per the details in this post:

While I haven’t been able to find any record of someone successfully implementing PKCE support, that might be possible if you build an integration using the Zapier Developer CLI as it will give you more control over authentication and access to more functionality: 

If the authorization server isn’t actually using PKCE, please could you confirm where code_verifier comes from? For example, is it returned by the authorization server as a querystring parameter/value when it makes a request to Zapier’s redirect URL? 

Thanks!


Hey @iansco 

If the authorization server isn’t actually using PKCE, please could you confirm where code_verifier comes from?

I generate the code challenge and code verifier on the backend after the user authorizes Zapier. The code challenge is stored on the server, while the code verifier is passed to Zapier as a query parameter in Zapier’s redirect URL. When Zapier requests an auth token, the server compares the code verifier and the code challenge.

So if I understand correctly, the code verifier isn’t meant to be passed openly via query parameters? If so, I think the best approach would be to remove PKCE from my auth flow until Zapier adds native support for PKCE.


Hi @Elis Gubarev,

So if I understand correctly, the code verifier isn’t meant to be passed openly via query parameters? If so, I think the best approach would be to remove PKCE from my auth flow until Zapier adds native support for PKCE.

No, not in the way that it’s being passed here, i.e. from the authentication server to the client (Zapier). When PKCE is supported, Zapier will generate the code-verifier on our end as the “client” in the flow: https://www.oauth.com/oauth2-servers/pkce/authorization-request/

...the code verifier is passed to Zapier as a query parameter in Zapier’s redirect URL

Thank you for the confirmation. Could you try using bundle.cleanedRequest.querystring to see if the parameter is made available there, as per our example app: https://github.com/zapier/zapier-platform/blob/master/example-apps/oauth2/authentication.js#L13

Related help docs: https://platform.zapier.com/docs/advanced#rawrequest-and-cleanedrequest


Hey @iansco 

bundle.cleanedRequest.querystring seems to work, thanks 🙂