Assistance with OAuth Flow for Multiple Front Users

Hello Team,

We are currently implementing the OAuth flow in our application to support multiple Front users. Our application uses a common redirect URL to receive the OAuth token after the user grants permission. However, we are facing a challenge in identifying to which user's request the token was sent.

Could you please advise on how to correctly identify the user associated with each token received through the common redirect URL?

Thank you for your assistance.


Karthik Vishwambar

5 replies

Userlevel 4
Badge +8

Hi @kvishwambar , It’s important to note that OAuth tokens for Front are created scoped to a Company resource, and are not associated with any individual Teammate/user. The token permissions also can currently access only shared resources and do not have access to private resources for any individual teammate

When a user steps through your OAuth process, you would likely want to connect the generated Front access+refresh tokens to their account via your own logged-in session information. 

Please let us know if you have further questions

Userlevel 5
Badge +8

@kvishwambar Please vote for this idea so that additional scopes get added to the OAuth2 authorization flow. 

Thank you, @jason. I added a workaround with the state field. I’m all set now.

@Javier - Developer Relations I agree with this idea.

@Javier - Developer Relations 

In Front, do you have any feature where the host application in a plugin can access data, such as the email of the user who is logged in?

Also, currently in some of the URLs that we configure, like webhooks, redirect URLs, and side panel URLs, is there a way we can make the URL dynamic, something like {0}, and pass the value based on some variable?

If there are such ideas discussed, I can vote for those as well. Thanks.

Userlevel 4
Badge +8

Hi @kvishwambar , this is already accessible; one of the properties in the Context object your app receives as a teammate is using your plugin is a Teammate object, which provides details about the current teammate (including their email). 

Alternatively, you may opt to have teammates step through your own login / auth process and set something like a cookie so you know who is using this app. 


For the second part (dynamic URLs), this is not supported for Plugins (you should display all content in a single-page app, and use app state to manage what is being displayed, rather than the URL. 

If there’s a specific use-case you have in mind for using dynamic URLs please do feel free to create a feature request at