Custom app rule actions leveraging OAuth


I’ve built this custom Asana app with a custom Rule Actions component to sync data between Asana tasks and another system.

The rule actions are built using AWS Lambda functions behind an AWS API Gateway.

Using the personal access token, everything works like a charm. Now, I’d like to move to using OAuth. I’ve scanned the documentation trying to figure out how the rule actions app component could use OAuth and did not find anything related to the type of approach I’m using.

How can a rule action built on top of an AWS Lambda function request an OAuth token for the currently logged-in Asana user?

How can I, from the POST run-action request (or any of the other GET run-action endpoints), request the user to authorize the application to make Asana requests on their behalf?

I tried different approaches to have the user redirected to the Log in - Asana page or surface that page, but given my run action is in an AWS Lambda function, I’m not sure how I can return something to Asana informing it that I need an OAuth token and need the user to authorize the application, so that I can obtain an OAuth token.

Hi @User_3 ,

In the Asana Developer Console (where you register your app), under Configure > OAuth you should see a field called Custom authentication URL. After the user adds your app to a project, they should be taken to that URL and you can kick off the Asana OAuth flow from there.

There are more details about this here: Building app components

Let us know if that works out for you or if you have more questions.
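An added example, not part of the original post and not Asana's own code: a sketch of what the Custom authentication URL could point at when it is served by a Lambda proxy integration. The `/auth` and `/oauth/callback` paths, the environment variable names and the cookie name are assumptions; the event dictionaries follow the API Gateway proxy shape. It starts the authorization-code flow and rejects any callback whose `state` does not match the cookie set in the same browser.

```python
import hmac
import os
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlencode

# Placeholders / assumptions for this example, not values from the thread.
CLIENT_ID = os.environ.get("ASANA_CLIENT_ID", "CLIENT_ID_PLACEHOLDER")
REDIRECT_URI = os.environ.get("REDIRECT_URI", "https://example.invalid/oauth/callback")
AUTHORIZE_URL = "https://app.asana.com/-/oauth_authorize"  # Asana OAuth authorize endpoint
COOKIE = "__Host-oauth_state"  # __Host- prefix: Secure, Path=/, no Domain

def start_auth(event):
    """Custom authentication URL: bind a random state to this browser, then redirect."""
    state = secrets.token_urlsafe(32)
    query = urlencode({"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                       "response_type": "code", "state": state})
    cookie = f"{COOKIE}={state}; Max-Age=600; Path=/; Secure; HttpOnly; SameSite=Lax"
    return {"statusCode": 302, "body": "",
            "headers": {"Location": f"{AUTHORIZE_URL}?{query}", "Set-Cookie": cookie}}

def _cookie_state(event):
    # API Gateway may deliver headers as null or with varying case.
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    jar = SimpleCookie(headers.get("cookie") or "")
    return jar[COOKIE].value if COOKIE in jar else ""

def finish_auth(event):
    """Redirect URI: accept the code only if state matches this browser's cookie."""
    params = event.get("queryStringParameters") or {}
    code, state = params.get("code") or "", params.get("state") or ""
    expected = _cookie_state(event)
    if not code or not expected or not hmac.compare_digest(state.encode(), expected.encode()):
        return {"statusCode": 400, "body": "state mismatch or missing code"}
    # Next step (not performed here): POST the code with the client secret to
    # https://app.asana.com/-/oauth_token and store the tokens server-side,
    # keyed by the authorizing user, for later run-action calls.
    return {"statusCode": 200, "body": "authorized"}

def handler(event, context=None):
    routes = {"/auth": start_auth, "/oauth/callback": finish_auth}
    route = routes.get(event.get("path", ""))
    return route(event) if route else {"statusCode": 404, "body": "not found"}
```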



Hi @John_Baldo ,

Here’s more context into my configuration.
I have my Asana app configured following the dev documentation and it has a single rule action defined like in the image.

It’s added to my workspace and I configured the run action on different project sections.

When an Asana task is moved into a specific section, Asana calls my run action. Initially, on the run-action POST call, I was using my personal access token to make calls back to Asana to get details about the task. Everything worked like a charm. Now I would like to use the OAuth approach instead, so that when I reach out to Asana for details about the task it’s not using my personal access token anymore, but an OAuth token associated with the currently logged-in user that moved the task to a different section.

My run-action POST method is implemented as a REST API in AWS API Gateway with an AWS Lambda proxy integration. So a POST /run-action will call my Lambda function, something along the lines of Set up Lambda proxy integrations in API Gateway - Amazon API Gateway.

It’s unclear to me how I could obtain an OAuth token for the user currently in Asana, moving tasks around, for which my custom app run-action gets invoked and ultimately runs my AWS Lambda function?

Hi @User_3,

Thanks for clarifying. Sorry for the delay. I’ve investigated and found that today the user_id associated with the action POST will always be the user who owns the rule rather than the user who triggered the rule.

So to accomplish the scenario you’re describing, you would need to make a follow-up call to get information about which user took the action (or get the information from a webhook). You’d also need to prompt them to authorize your app to get an access token so that you can use that token when it’s appropriate.

I’ve logged your need as a feature request. Hope that clarifies the behavior at least.

Thanks for posting,


Hi @John_Baldo ,

Thank you for the response and sorry for the delay in replying.

As I understand it, I don’t believe there is any way from Asana when it invokes my run-action POST method (implemented as a REST API AWS Lambda function) to notify the Asana platform to prompt the user to authorize my app/run action (in order to get an access token) before any of the run actions defined in my Asana app can be invoked. Is that assessment accurate? The user is already logged into the Asana platform.

I believe my only option for now would be to use a Personal Access Token from within my REST API AWS Lambda function, so that when it receives a run-action POST request from Asana, I would use that PAT to connect back to Asana to get the details about the task against which the run action has been called upon.

Is there a way to create a PAT not associated with a specific user, but more a non-interactive account? Essentially an account that can query the Asana APIs, but if you logged into the Asana platform, it can’t see any projects or something along those lines?