I was able to get the Authorization Code Grant flow working. Someone comes to my page, clicks the link to authorize (https://developers.asana.com/docs/user-authorization-endpoint), is redirected back to my page, and then I make a call and create a task.
The problem is, I am trying to make this process smoother. I’ve noticed that after I click to authorize one time, I often don’t have to do it again until I’m logged out. Is there a way to detect if a person is already authorized? For example, someone comes to my page, clicks the link to give my app permission, leaves and comes back 3 days later. Is there a way to check if my app still has permission? I have noticed that I often only have to enter my credentials once every so often, and I am trying to avoid having to click the authorize link every time.
I’m trying to have them submit a form which will create tasks in a project, but with this flow, it seems impossible unless I have them authorize every time. Using a PAT works, but it’s not my first choice as it is less secure.
Update. I thought maybe I could add it to the form action, but that doesn’t work because it adds other parameters. Ideally, I’d like to use AJAX instead of manually submitting the form.
Maybe @Phil_Seeman can help. I am building an app myself, and we are storing the auth token as well as the refresh token, and regenerate an auth token from the refresh token if it is expired. Not sure if that helps…
@Bastien_Siebman is right, you need to store the refresh token, and try to get a new auth token from it when your user comes back. There’s no need to store the auth token for a long time, because it expires after only 1 hour.
Thanks guys. New problem today. I thought I had gotten this to work without using a refresh token. When they come to the page, if there is not a code in the URL, I do a redirect to force them to login, then redirect them back to the page. But for some reason when they submit the form, the API doesn’t send the task through. It works for me, but not for other users. I wonder if it’s because I’ve hard-coded the code challenge and code verifier?
Bastien, I’m still having trouble with this. My flow is all wrong. I’ve been using the code I get from the initial user interaction to then get the auth token and submit. Because of this, after 15 minutes the code is invalid and submission is failing.
So I need to change my flow. The thing I’m unclear about is, how do I detect if the user has previously been to my page and has a prior refresh or access token? Assuming someone has been to my page and previously used my form, they would have gone to the login screen, logged in and given my page permission on their behalf. I’ve got all that, but what I can’t figure out is if they come back to my page, how do I know if they’ve already been through that process?
To be clear, I want to detect if I know the user already, so that I don’t have to have them reauthenticate. I can’t seem to figure out how to do that.
To @Bastien_Siebman’s point, you really need some sort of data store on your end to store your users’ credentials. It sounds like you don’t have one currently?
Thanks Phil, yes I definitely can store them, but what I can’t figure out is how to know it’s the same person when they return. I can definitely use a session or browser cookie, just not sure that’s secure. Overnight I came up with the idea to store a cookie with their code_verifier, since that should be unique, and maybe the refresh token as well.
My solution for now (pending your thoughts) is to store the refresh token in a session cookie. When the user comes back, if the refresh token is there, it means they must have been to my page before and I’ll attempt to use that refresh token to get a new access token.
The thing that is now blowing my mind is… it seems I need a code even with a refresh token?? I thought a refresh token alone would get me a new access token, but the docs don’t read that way.
I tested in Postman and sure enough, I need a code even with a refresh token. Considering this, I guess I don’t see the point of using a refresh token at all. Why not just use the same POST call every time to get the initial access token? Using a refresh token means I have to make a third block in my if/else and add another parameter to what is essentially exactly the same as my initial access token request.
Oh wait. I’m an idiot. When I change the grant_type to refresh_token I didn’t need the code or code verifier any longer.
A refresh token is useful if you need to make requests even though the user is “not there” anymore. If you only need to act when they use the app, indeed there is no need for a refresh token.
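The flow the thread converges on (a returning user is recognised by a server-side session, the stored refresh token is exchanged with `grant_type=refresh_token` and no `code` or `code_verifier`, and only a user with no usable refresh token is sent to the authorize link again), as an added example that is not code from the thread or from Asana. It assumes the authorize and token endpoint URLs shown (confirm them against the linked docs), placeholder client credentials, and a `post_token` callback standing in for the real HTTPS POST so it runs offline. It also generates a fresh PKCE verifier per authorization request and keeps the refresh token on the server, with only an opaque session id in the browser cookie.

```python
import base64
import hashlib
import secrets
from typing import Callable, Dict, Tuple
from urllib.parse import urlencode

# Endpoint URLs are assumptions for this example; confirm them against the
# Asana OAuth docs linked in the thread before relying on them.
AUTHORIZE_URL = "https://app.asana.com/-/oauth_authorize"
TOKEN_URL = "https://app.asana.com/-/oauth_token"

# Hypothetical client registration values (placeholders, not real credentials).
CLIENT = {
    "client_id": "CLIENT_ID_PLACEHOLDER",
    "client_secret": "CLIENT_SECRET_PLACEHOLDER",
    "redirect_uri": "https://example.com/asana/callback",
}

TokenPoster = Callable[[Dict[str, str]], Dict[str, str]]


def pkce_challenge(verifier: str) -> str:
    """S256: code_challenge = BASE64URL(SHA256(code_verifier)), no padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_pair() -> Tuple[str, str]:
    """A random code_verifier for every authorization request, plus its challenge.
    One hard-coded verifier shared by all users defeats the point of PKCE."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)


def authorize_url(state: str, challenge: str) -> str:
    params = {
        "response_type": "code",
        "client_id": CLIENT["client_id"],
        "redirect_uri": CLIENT["redirect_uri"],
        "state": state,
        "code_challenge_method": "S256",
        "code_challenge": challenge,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def authorization_code_body(code: str, code_verifier: str) -> Dict[str, str]:
    """Initial exchange: the one-time code plus the verifier matching the challenge."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT["client_id"],
        "client_secret": CLIENT["client_secret"],
        "redirect_uri": CLIENT["redirect_uri"],
        "code": code,
        "code_verifier": code_verifier,
    }


def refresh_token_body(refresh_token: str) -> Dict[str, str]:
    """Later exchanges: only the refresh token, no code and no code_verifier."""
    return {
        "grant_type": "refresh_token",
        "client_id": CLIENT["client_id"],
        "client_secret": CLIENT["client_secret"],
        "redirect_uri": CLIENT["redirect_uri"],
        "refresh_token": refresh_token,
    }


# Server-side session store keyed by the opaque id held in an HttpOnly cookie;
# the refresh token itself never goes to the browser.
SessionStore = Dict[str, Dict[str, str]]


def handle_visit(session_id: str, store: SessionStore, post_token: TokenPoster) -> Tuple[str, str]:
    """("token", access_token) for a known user, else ("redirect", authorize URL).
    A failed refresh (e.g. permission revoked) drops the token and falls back to redirect."""
    session = store.setdefault(session_id, {})
    refresh = session.get("refresh_token")
    if refresh:
        try:
            tokens = post_token(refresh_token_body(refresh))
            session["refresh_token"] = tokens.get("refresh_token", refresh)
            return "token", tokens["access_token"]
        except Exception:
            session.pop("refresh_token", None)
    verifier, challenge = new_pkce_pair()
    state = secrets.token_urlsafe(16)
    session["pending_verifier"] = verifier
    session["pending_state"] = state
    return "redirect", authorize_url(state, challenge)


def handle_callback(session_id: str, store: SessionStore, code: str, state: str,
                    post_token: TokenPoster) -> str:
    """Completes the initial exchange with the verifier saved for this session."""
    session = store[session_id]
    if not secrets.compare_digest(state, session.get("pending_state", "")):
        raise ValueError("state mismatch")
    tokens = post_token(authorization_code_body(code, session.pop("pending_verifier")))
    session.pop("pending_state", None)
    session["refresh_token"] = tokens["refresh_token"]
    return tokens["access_token"]
```

In a real deployment `post_token` would POST the body to `TOKEN_URL` and return the parsed JSON; the `state` check in the callback ties the returned code to the session that started the request.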