Hi,
I can’t get the syntax right. How can I get the refresh token using the node API? I have an access token from the OAuth callback though.
Thanks!
cc @Diakoptis
I’m facing the same issue. I fetch the bearer token from the OAuth callback, but can’t get the refresh token.
Sorry guys, I’m late.
Check this: PHP API, Oauth2 workflow - #6 by Diakoptis
@Bastien_Siebman I haven’t used the Node API.
Thank you for your response.
I use this API to fetch the refresh token, but it fails every time. What should I pass in the request body? Is there any format?
https://app.asana.com/-/oauth_token?client_id=" + ASANA_CLIENT_ID + "&redirect_uri=http://localhost:3000/auth/asana/callback&response_type=code
Try this:
'https://app.asana.com/-/oauth_token?grant_type=refresh_token' + '&client_id=' + client_id + '&client_secret=' + client_secret + '&refresh_token=' + refresh_token
I will try when I have the time, thanks a lot
@Diakoptis the given URL includes the refresh token, while I am stuck without a refresh token at all; I don’t understand how to get it. I think I am going to reverse engineer the PHP library that allows it…
FYI to login the library makes a request to
https://app.asana.com/-/oauth_authorize?client_id=XXXX&response_type=token&redirect_uri=XXXX&scope=default&state=XXXX
and as a result I get
access_token=XXXXX&token_type=bearer&expires_in=3600&data=&state=XXX
I am using the Implicit Grant workflow…
According to this page (Implicit Grant — OAuthLib 3.2.2 documentation), refresh tokens are not supported with the Implicit workflow; I will have to do a workaround.
Hi all, sorry I’m a bit late to the game, but you seem to be getting it sorted.
The general issue here is that there are 2 types of OAuth authorization workflows: “Authorization Code Grant” and “Implicit Grant”, and unfortunately, while standard, those names don’t give many clues as to what each flow means…
“Authorization Code Grant” is intended to allow a server that has the capacity to securely store secrets to get a long-lived capability for accessing an API. The refresh token is the key here, because it is what is used to grant long-lived access to the API (and is therefore an important thing to keep secret). This is the flow with response_type=code as the request parameter. The way this flow works is:
client_secret when it is created. Users should never see this.
client_secret which identifies that this is indeed the correct app, to get a long-lived refresh_token. The user also should never see the refresh token.
The above flow presumes that the app can store both its own client_secret and the refresh_token per-user in a secure location that users (and, say, snoopy browser extensions) don’t have access to. If this is not true, it’s recommended to use the “Implicit Grant” flow with response_type=token. That is a simpler (but unfortunately more user-impacting) way to access an API:
So more or less, the price that’s paid to have a purely in-browser (and therefore inherently hard to secure) application is that the user will explicitly have to keep reauthorizing the app every hour or so. This is basically because OAuth was written with server-to-server authentication in mind, and browser-to-server auth is basically impossible to completely secure, since users and browser extensions have the capability to snoop into any client side storage.
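The two flows described in the post above, as an added Node example that is not from this thread or from Asana’s own client library: the refresh-token exchange of the Authorization Code Grant against the /-/oauth_token endpoint quoted earlier, and a parser for the Implicit Grant fragment (access_token=…&state=…) that shows it carries no refresh_token. Assumptions: credentials are placeholders, the token response uses the standard OAuth2 JSON field names (access_token, expires_in, refresh_token, error), and the fetch implementation is injectable so it can run offline.

```javascript
// Added example (not code from the thread or from Asana's own client library):
// the refresh-token exchange of the "Authorization Code Grant" flow, sent as a
// POST body so client_secret and refresh_token stay out of URLs and proxy logs.
const ASANA_TOKEN_URL = 'https://app.asana.com/-/oauth_token'; // endpoint quoted in the thread

// Build the refresh request. Credentials are caller-supplied; any values used
// in tests are placeholders, not real secrets.
function buildRefreshRequest({ clientId, clientSecret, refreshToken }) {
  for (const [k, v] of Object.entries({ clientId, clientSecret, refreshToken })) {
    if (!v) throw new Error(`missing ${k}`);
  }
  const body = new URLSearchParams({
    grant_type: 'refresh_token',
    client_id: clientId,
    client_secret: clientSecret,
    refresh_token: refreshToken,
  });
  return {
    url: ASANA_TOKEN_URL,
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Run the exchange. fetchImpl is injectable so the logic can be exercised
// offline with a fake; by default Node's global fetch (Node 18+) is used.
async function refreshAccessToken(params, fetchImpl = globalThis.fetch) {
  const req = buildRefreshRequest(params);
  const res = await fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
  const json = await res.json();
  if (!res.ok || !json.access_token) {
    // e.g. the "The user has revoked authorization." error seen in the thread:
    // the stored refresh token is dead, so send the user back through consent.
    throw new Error(`token refresh failed: ${json.error || res.status}`); // error: standard OAuth2 field (assumption for Asana)
  }
  // Assumption: a rotated refresh_token may be returned; fall back to the old one.
  return { accessToken: json.access_token, expiresIn: json.expires_in,
           refreshToken: json.refresh_token || params.refreshToken };
}

// Parse the fragment an Implicit Grant redirect returns (shape quoted in the
// thread). It carries no refresh_token by design; state must match the value
// the app generated, otherwise the response may belong to another session.
function parseImplicitFragment(fragment, expectedState) {
  const p = new URLSearchParams(fragment.replace(/^#/, ''));
  if (p.get('state') !== expectedState) throw new Error('state mismatch');
  return { accessToken: p.get('access_token'), expiresIn: Number(p.get('expires_in')),
           hasRefreshToken: p.has('refresh_token') };
}
```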
Thank you so much for all the details! It is very clear now.
Hi,
I tried your solution to use this, but I’m getting a “The user has revoked authorization.” error.
Do you have any thoughts on what it can be?
Hi,
I am trying to get refresh tokens for my Python app according to the sparse information in the API docs, but I just can’t get it to work. How do you do it? Can we just get a code example?
Another user also suggested using auto refresh, but this doesn’t seem to work…
I don’t have a working example, but when I tried it was hard.