Hi,
I can’t get the syntax right. How can I get the refresh token using the node API? I have an access token from the OAuth callback though.
Thanks!
cc @Diakoptis
I’m facing the same issue. I fetch the bearer token from OAuth callback. but can’t get the refresh token.
Thank you for your response.
I use this Api to fetch refresh token. But it fails everytime. What should i pass in the request body? is there any format?
https://app.asana.com/-/oauth_token?client_id=" + ASANA_CLIENT_ID + "&redirect_uri=http://localhost:3000/auth/asana/callback&response_type=code
Try this:
https:// app.asana.com/-/oauth_token?grant_type=refresh_token’ + ‘&client_id=’ + client_id + ‘&client_secret=’ + client_secret + ‘&refresh_token=’ + refresh_token
I will try when I have the time, thanks a lot
@Diakoptis the given url includes the refresh token while I am stuck without a refresh token at all 
I don’t understand how to get it. I think I am going to reverse engineer the PHP library that allows it…
FYI to login the library makes a request to
https://app.asana.com/-/oauth_authorize?client_id=XXXX&response_type=token&redirect_uri=XXXX&scope=default&state=XXXX
and as a result I get
access_token=XXXXX&token_type=bearer&expires_in=3600&data=&state=XXX
1 Like
I am using the Implicit Grant workflow…
According to this page Implicit Grant — OAuthLib 3.2.2 documentation refresh token are not supported with Implicit Workflow, I will have to do a workaround
1 Like
Hi all, sorry I’m a bit late to the game, but you seem to be getting it sorted 
The general issue here is that there are 2 types of OAuth authorization workflows: “Authorization Code Grant” and “Implicit Grant”, and unfortunately while standard, those names don’t give many clues as to what each flow means…
“Authorization Code Grant” is intended to allow a server that has the capacity to securely store secrets to get a long-lived capability for accessing an API. The refresh token is the key here, because it is what is used to grant long-lived access to the API (and is therefore an important thing to keep secret). This is the flow with response_type=code as the request parameter. The way this flow works is:
- The app is given a secret credential called the
client_secretwhen it is created. Users should never see this. - A user wishes to authorize the app, and gives it access to do so at Log in - Asana. The response contains a code in the URL parameter that the browser is redirected to.
- The app uses this code, representing “this user did say it was OK to access their data for this app just now”, and the app’s
client_secretwhich identifies that this is indeed the correct app, to get a long-livedrefresh_token. The user also should never see the refresh token. - Refresh tokens can be used in perpetuity to get access to short-lived access tokens via https://app.asana.com/-/oauth_token. These short-lived tokens are the ones passed in the header to actually grant access.
The above flow presumes that the app can store both its own client_secret and the refresh_token per-user in a secure location that users (and, say, snoopy browser extensions) don’t have access to. If this is not true, it’s recommended to use the “Implicit Grant” flow with response_type=token. That is a simpler (but unfortunately more user-impacting) way to access an API:
- Show the user the same sort of authorization grant via Log in - Asana
- Instead of a code to get access to a long-lived token, a short-lived token is given directly in the redirect via a URL parameter. This token can be used to access the API for an hour.
- After that time expires, repeat this flow to get another short-lived token.
So more or less, the price that’s paid to have a purely in-browser (and therefore inherently hard to secure) application is that the user will explicitly have to keep reauthorizing the app every hour or so. This is basically because OAuth was written with server-to-server authentication in mind, and browser-to-server auth is basically impossible to completely secure, since users and browser extensions have the capability to snoop into any client side storage 
3 Likes
Thank you so much with all the details! It is very clear now 
Hi,
I tried your solution to use this, but I’m getting “The user has revoked authorization.” error,
Do you have thoughts what can it be?
Hi,
i am trying to get refresh tokens for my python app according to the sparse information of the API doc, but i just can’t get it to work. How do you do it? Can we just get a code example?
Another user also suggested using auto refresh, but this doesn’t seem to work…
I don’t have a working example but when I tried it was hard 