Changes to our OAuth authorization flows

Hello all! For those of you who build OAuth apps for the our API (apps not using a Personal Access Token), please take a moment to read this post as it may affect how your users authenticate with Asana and how your app gets access tokens.

Deprecation of implicit grant

Asana is moving to follow best practices by removing support for implicit grant in our authorization flows. That is, we are removing support for browser-only auth flows with response_type=token and will only support authorization-code flows. OAuth apps created after 2019-09-24 will not have the option of using implicit grant to get access tokens, and OAuth apps that were created before that date may continue to use implicit grant until 2020-01-14. After the January deadline, no apps will be permitted to use implicit grant.

Support for PKCE

To further the security of our authorization flows, we’ve added support for Proof Key for Code Exchange (PKCE). This extension to OAuth provides a mechanism to ensure that the user and app that start an auth flow are the same as the user and app that finish the flow, helping to prevent malicious misdirections of Asana access tokens. While we aren’t currently requiring all apps to use PKCE, we strongly recommend that apps do so to provide top-notch security for their users.

As with most deprecations, we will be reaching out directly to developers that are currently using implicit grant to alert them of the upcoming change, and we will be releasing additional materials both in this thread and in our documentation to help developers migrate. Please let us know if you have any questions or concerns, and we’ll respond in this thread to help.

1 Like

I completely missed that announcement, all my apps are broken today :scream: I thought there was a warning by email, most developers don’t read the forum do they?!

Sorry but there is something broken in your workflow. Neither did I receive any warning, nor any documentation was released here…

Hi everyone,

We on Asana’s Developer Relations team just wanted to reach out on this thread to note that, while we intended to send an email in advance of this deprecation to the applications that would be affected, we failed to do so. There are a number of reasons why this happened and we’re digging into it to make sure we capture the root cause, but from the outside we acknowledge that this wasn’t a great developer experience.

We know there weren’t a large number of developers or Asana users who were affected on the grand scale of things, but maintaining a supportive platform for all of our developers is something we care about at Asana. Every app is important. We’re working through ways to make sure we can get in front of developers with updates. as our platform continues to evolve.

The best location that currently exists for staying up to date with Asana’s platform is this category #developersAPI:platform-news; this is the “News Feed” for Asana updates from our team. In fact, the software that we use Discourse even allows these topics to be consumed as an RSS feed to pull into your favorite news reader - just add a .rss to the end of the URL like this: https://forum.asana.com/c/developersAPI/platform-news.rss

We’re considering better ways to get in touch with developers in the future than channels we know are only partially effective (We’re all busy folk, and email / forum posts have a tendency to fall by the wayside) so keep an eye out for more effective communication in the future. In fact, keep an eye out here in the near future to participate in a survey for which of our proposed solutions will work best for getting in touch with you!

For anyone who is caught by this deprecation, we believe we should have sent you an email by this point in time. If you missed it or if you want to reach out with a concern or feedback feel free to email us at devrel@asana.com and we’ll take a look.

4 Likes

Is there any chance you can move this deprecation a month forward to give developers a chance to fix this?

1 Like

@Steve_Tapley, based on the magnitude of the impact this has had and the fact that it’s a security-driven deprecation we’ve decided not to delay the deprecation across our whole API; however, we can temporarily enable certain apps (on a case-by-case basis) to have access until 1/28 at which time the deprecation will be API-wide. (I received your email; your app should now be re-enabled for this time period.)

1 Like

Hmm, if only there was an app like Asana that you could use to manage tasks and timelines like this…