Question

Zapier Oauth 2.0 custom variable

  • 15 March 2022
  • 4 replies
  • 205 views

Hello,


I'm working on a Zapier OAuth 2.0 implementation and I need to use a custom variable from
the Authorization URL step in the Access Token Request step. Is this possible?

Please see attachments for more details.

 



Userlevel 7
Badge +9

I’m assuming this is for PKCE support? Unfortunately, I think you’re going to be blocked right now. Earlier discussion on the topic here:

 

 

Does the API you’re using give you the option of client id/secret only, or is it forcing you to implement PKCE?

Yeah, I have to use PKCE to call some endpoints which necessitate more privileges.

Maybe I can pass the code_verifier (encrypted of course) in the URI and retrieve it by bundle.inputData or something like that?

What do you think?

Userlevel 7
Badge +9

I’m concerned this approach will circumvent the security provided by PKCE. If you have enough control over your auth provider to implement a non-standard flow like this, I’d imagine you have enough control to enable the standard client-id/client-secret configuration instead. And this would be my recommendation until Zapier adds proper PKCE support to its OAuth implementation.

Note that your Zapier integration is not a public client, in OAuth 2 authorization code flow terms. Check out environment variables as a secure way to configure, store, and use client id and secret. PKCE provides a clever way to secure public OAuth 2 authorization code flow clients, like mobile apps and single page apps, where that’s not possible. 
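
The S256 check that PKCE relies on, as an added example that is not part of the thread or of Zapier's code: `AuthServer`, `simulate` and the other names are hypothetical, and the server is a minimal in-memory stand-in. It shows that a party who sees only the front-channel values cannot redeem the code, while exposing the verifier on the same channel removes that property; the encrypted variant proposed above is not modelled.

```javascript
// Added example: PKCE S256 (RFC 7636) with a hypothetical in-memory server.
const crypto = require("node:crypto");

const b64url = (buf) => buf.toString("base64url");

// Client: fresh 32-byte verifier, kept locally until the token request.
function newVerifier() {
  return b64url(crypto.randomBytes(32));
}

// code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
function challengeFor(verifier) {
  return b64url(crypto.createHash("sha256").update(verifier, "ascii").digest());
}

class AuthServer {
  constructor() { this.codes = new Map(); }

  // Authorization request: remember the challenge bound to the issued code.
  authorize(codeChallenge) {
    const code = b64url(crypto.randomBytes(16));
    this.codes.set(code, codeChallenge);
    return code;
  }

  // Token request: recompute the challenge from the presented verifier.
  token(code, codeVerifier) {
    const expected = this.codes.get(code);
    this.codes.delete(code); // authorization codes are single use
    if (!expected || typeof codeVerifier !== "string") return false;
    const got = Buffer.from(challengeFor(codeVerifier));
    const want = Buffer.from(expected);
    return got.length === want.length && crypto.timingSafeEqual(got, want);
  }
}

// Returns whether a party limited to front-channel values can redeem the code.
function simulate(verifierInUri) {
  const server = new AuthServer();
  const verifier = newVerifier();
  const challenge = challengeFor(verifier);
  const code = server.authorize(challenge);
  // Constructed view of the browser-visible URLs (authorization URL + redirect).
  const observed = { code, code_challenge: challenge };
  if (verifierInUri) observed.code_verifier = verifier;
  // Without the verifier, the best available input is the challenge itself.
  const presented = observed.code_verifier ?? observed.code_challenge;
  return server.token(observed.code, presented);
}
```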

 

Alright, thank you for your answer.