So I’ve gone ahead and created a nice OAuth flow and it’s working, but I did not specify scope and now my security team is telling me I need to do so. I looked at the scopes in the documentation, but I’m a bit confused as to how to use them. Is there a way to limit the scope to allow task creation only?
There is currently no scope in the Asana API. You get access to everything, read and write.
Well, there are a few OAuth scopes available that allow you to only access a user’s email address or profile, but those seem basically worthless to me. If you’re using the Asana API, you’re going to be wanting to access actual task, project, etc. data, and for that you have to use the default scope which, as @Bastien_Siebman says, gives you access to everything in the user’s account that you authenticate to.
YES, thank you Phil, I also was like, what are these scopes??? What good are they? I thought I was reading them wrong, but thank you for confirming. So here’s an issue though. I’m afraid my security team will reject my app if I use the default scope (they’ve said as much). Can I use one of the other scopes and still create tasks? (I guess I can try it and see). That way, I’m checking the box of not using the default scope, but can still do everything I need.
I don’t know the answer as I’ve never experimented with them but I would be 99.5% sure the answer is NO.
We all agree that apps using OAuth represent a security threat because we developers get full access to the account…