How to get authorization code with node-asana (use response_type=code) instead of access token?

authorization
#1

There’s an integration on the python back end that uses authorization code, exchange it with access_token and refresh_token, saves in database and does some more things. It works.

I have to write the front end part. I think that use node-asana is the good idea for that. I have clientId, redirectUrl, I can run client.authorize using PopupFlow or redirect flow, and it also works. After authentication I receive accessToken, and I can do a number of things. For example, I can run client.users.me() method and receive some user data.

The issue is I don’t need nether accessToken nor user data. The only thing I need is authorization code. That’s the code that I get when request https://app.asana.com/-/oauth_authorize?client_id=…&response_type=code&redirect_uri=…&scope=default url. Is it possible to use node-asana somehow to receive this code?

#2

Hey @Alexey_Kuznetsov,

This is an interesting request - I don’t think we have this built into our node client library, since we typically expect that the server is most interested in the response here. Typically, the way this would be built is that the redirect_uri would point to a url handled by your server (the python part here), which would grab the code and exchange it for the credentials which you store on your server (and the client never needs them.)

You can look at our example here: https://github.com/Asana/node-asana/blob/master/examples/oauth/webserver/oauth_webserver.js#L62 to see what this looks like if you’re running a node.js server that wants to do the authorization flow.

The reasons this doesn’t really fit in a client-side setup like this are:

  1. You’ll be storing credentials for you app in the browser - there’s not a foolproof way to store these types of things in a web browser,
  2. The redirect_url has to point to somewhere that’s listening for a request from the client (i.e. when you authorize, our servers send a redirect to the user’s browser to your redirect_uri - essentially, we tell the client to call your server now with a code that your server can exchange for longer-lived credentials). The client will (in most cases) faithfully call the server at this address, and if there is no server, it will show an error.

So for this use case, where you need to be able to access Asana’s API client-side, you basically have these options:

  • Proxy requests through your server to your client - your client asks your server to ask our API for data, and your server makes the API call and passes it back. This is the most secure and user-friendly way.
  • Use the implicit grant flow, which provides a 1-hour-long token - this is also more secure, as it doesn’t involved long-lived credentials in the client, but requires users to keep granting permission every hour.
  • Use a browser extension or other option that understands that particular redirects are intended to be handled specially by the browser without actually redirecting to a server - for instance https://developer.chrome.com/apps/identity#method-launchWebAuthFlow describes how this is done for a Chrome browser extension.

Hope this helps!

#3

Thanks for the answer!
I used the code from popup-flow of node-asana as an example and was able to write my own implementation that calls oauth_authorize?response_type=code.

1 Like