Changes to our OAuth authorization flows

Hello all! For those of you who build OAuth apps for our API (apps not using a Personal Access Token), please take a moment to read this post as it may affect how your users authenticate with Asana and how your app gets access tokens.

Deprecation of implicit grant

Asana is moving to follow best practices by removing support for implicit grant in our authorization flows. That is, we are removing support for browser-only auth flows with response_type=token and will only support authorization-code flows. OAuth apps created after 2019-09-24 will not have the option of using implicit grant to get access tokens, and OAuth apps that were created before that date may continue to use implicit grant until 2020-01-14. After the January deadline, no apps will be permitted to use implicit grant.

Support for PKCE

To further the security of our authorization flows, we’ve added support for Proof Key for Code Exchange (PKCE). This extension to OAuth provides a mechanism to ensure that the user and app that start an auth flow are the same as the user and app that finish the flow, helping to prevent malicious misdirections of Asana access tokens. While we aren’t currently requiring all apps to use PKCE, we strongly recommend that apps do so to provide top-notch security for their users.

As with most deprecations, we will be reaching out directly to developers that are currently using implicit grant to alert them of the upcoming change, and we will be releasing additional materials both in this thread and in our documentation to help developers migrate. Please let us know if you have any questions or concerns, and we’ll respond in this thread to help.

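The two changes above (authorization-code flow instead of response_type=token, plus PKCE) fit together in one short client/server sketch. The following is an added illustration, not code from Asana's announcement or its SDKs; the endpoint URLs, client id and callback URL are placeholders, and the verifier/challenge functions follow RFC 7636's S256 method.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Placeholder endpoints: assumptions for this illustration, not Asana's documented URLs.
AUTHORIZE_ENDPOINT = "https://auth.example.invalid/oauth/authorize"
TOKEN_ENDPOINT = "https://auth.example.invalid/oauth/token"


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: a high-entropy secret that stays in the app and is never sent
    through the browser. RFC 7636 wants 43-128 chars from [A-Za-z0-9-._~];
    base64url of 32 random bytes gives 43 characters once padding is stripped."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(client_id: str, redirect_uri: str, state: str, challenge: str) -> str:
    """Leg 1: the URL the user's browser is sent to. response_type=code replaces the
    deprecated response_type=token; only the challenge (not the verifier) goes through
    the browser, and state ties the callback back to this session."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def build_token_request(client_id: str, redirect_uri: str, code: str, verifier: str) -> dict:
    """Leg 2: body of the back-channel POST to TOKEN_ENDPOINT that exchanges the code
    for tokens. The verifier is revealed only here, so a code seen by something else
    in the browser cannot be redeemed without it."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": verifier,
    }


def server_accepts_verifier(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization-server side: recompute the S256 challenge from the presented
    verifier and compare it (constant time) with the challenge stored alongside the code."""
    return hmac.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    state = secrets.token_urlsafe(16)
    callback = "https://app.example.invalid/callback"  # placeholder
    print(build_authorize_url("my-client-id", callback, state, challenge))
    # After the redirect returns ?code=...&state=..., the app checks state, then:
    print(build_token_request("my-client-id", callback, "CODE_FROM_REDIRECT", verifier))
    print(server_accepts_verifier(challenge, verifier))              # True
    print(server_accepts_verifier(challenge, make_code_verifier()))  # False
```

The verifier is generated fresh per authorization attempt and stored with the session (for a confidential web app, server side); the challenge is what the authorization server keeps next to the issued code, and the token exchange succeeds only when the hash of the presented verifier matches it.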