Harvest External Auth

I’m having difficulty getting External API auth working with Harvests OAuth2 and was hoping someone could possibly help. It seems there is no debugging available for the auth providers which would be really useful to have (unless I’m missing it?), so as an aside it would be ace to raise that as a feature request.

I’m getting the could not retrieve access token from the provider error after authorising the app on Harvest; I have no other info available. I have checked and double checked that the provider secret is set and verified the action paths against Harvests OAuth Authentication Documentation. The redirect url is set to https://id.atlassian.com/outboundAuth/finish as per the Forge External Auth Guide.

My providers and remotes are like so:

providers:
  auth:
    - key: harvest
      name: Harvest
      type: oauth2
      clientId: <client-id>
      remotes:
        - harvest-api
      bearerMethod: authorization-header
      actions:
        authorization:
          remote: harvest-auth
          path: /oauth2/authorize
        exchange:
          remote: harvest-auth
          path: /api/v2/oauth2/token
          resolvers:
            accessTokenExpires: expires_in
        retrieveProfile:
          remote: harvest-auth
          path: /api/v2/accounts
          resolvers:
            id: user.id
            displayName: user.email
remotes:
  - key: harvest-auth
    baseUrl: https://id.getharvest.com
  - key: harvest-api
    baseUrl: https://api.harvestapp.com

As per the Harvest docs, the flow is as follows:

Initiate auth flow:

https://id.getharvest.com/oauth2/authorize?client_id={CLIENT_ID}&response_type=code

Exchange code:

curl -X POST \
  -H "User-Agent: MyApp (yourname@example.com)" \
  -d "code=$AUTHORIZATION_CODE" \
  -d "client_id=$CLIENT_ID" \
  -d "client_secret=$CLIENT_SECRET" \
  -d "grant_type=authorization_code" \
  'https://id.getharvest.com/api/v2/oauth2/token'

Exchange response:

{
  "access_token":  "{ACCESS_TOKEN}",
  "refresh_token": "{REFRESH_TOKEN}",
  "token_type":    "bearer",
  "expires_in":    1209600
}

I’m stuck on this and would appreciate any help.

1 Like

This is a tricky one.
Our system expects a HTTP 200 response code from the exchange API.
However, the POST to id.getharvest.com/api/v2/oauth2/token is returning a 201 code.

Any non-200 code is treated as a failure on our end.

Ahh interesting. Would it be possible to update the logic to accept a 201 as well?

Hi @JackA, Yes it has been updated to accept 201, can you please try again?

4 Likes

Thank you @MichaelCooper ! Working as expected now!