OAuth Client not publicly accessible?

Hi,

I am Gazmend Redzepi, a Software Engineer for timebro.de, currently working on an integration from our native app to your Asana platform. I am following the developers API documentation, but it seems that I have either missed, or not understood correctly how to work with your OAuth client.

I will explain the situation literally:

  1. Jack created an OAuth Client, but now only Jack is allowed to connect to it; when I try to connect to the OAuth Client that Jack created, I get an unauthorized error response;

  2. If I go and create my own OAuth Client, now I can connect to it, but Jack can't.

Did I miss a setup part where I have to “allow” or “enable” public access to our OAuth Client?

Hi @Gazmend_Redzepi and welcome to the forum,

It’s not entirely clear what you mean by “Jack” and “I”; I’m going to assume that refers to two different Asana accounts, i.e. Asana users.

If so, then the behavior you’re seeing is correct; that is, when you authenticate to Asana via OAuth, you’re authenticating to one particular Asana account. The OAuth token you get allows you to access that authenticated user’s Asana account (and everything in it) via the API; it does not provide access to any other users’ accounts.

Does that info help?

Hi @Phil_Seeman , thank you for your response; You understood correctly, Jack and I are two different accounts in Asana, two different users;

But I am still confused; I am reading this Asana documentation, and this part of it says:

At its core, OAuth is a mechanism for applications to access the Asana API on behalf of a user without the application having access to the username and password. Instead, apps get a token which they can use with their own application credentials to make API calls.

When I read “on behalf of a user” you are telling me that I can only make a 3rd Party integration for only THAT user who created the OAuth client ? :slight_smile:

Thank you for your patience with me,
Best regards,
Gazmend

I’ll try to explain with different words and names. Alice is a developer, she works at IT, and created an app her coworkers can use to clean up their Asana.

Alice creates an Asana app in the developer console, aka an OAuth client. She uses the client id and secret in her code, and publishes her app.

Now Bob is connecting to the company website and going through an Asana Connect. The authentication is relying on Alice’s app, so that Alice’s code can talk to Asana on behalf of Bob.

Does that make more sense? That does not explain your issue though, but maybe with this explanation you can re-explain?

@Phil_Seeman is the explanation correct?

Yes, @Bastien_Siebman, that’s a good description that perhaps @Gazmend_Redzepi can build on for his question.

Just to elucidate some more on Bastien’s scenario: when Alice builds her app, she includes code to allow a user of her app to go through OAuth authentication to authenticate to a particular Asana user account (that’s the “Asana Connect” part of Bastien’s text).

When Bob then uses her app, he goes through that authentication and authenticates to his Asana account. At that point, when Alice’s code makes Asana API calls, the app is accessing Bob’s Asana account and data.

Does that help?


Thank you for your explanation, good people, and for your patience with me; however, what I am asking is, how do I make “Alice’s” OAuth Client public? Because right now, the client that Alice created is giving me an unauthorized status response whenever ANYONE but Alice tries to access it.

she includes code to allow a user of her app to go through OAuth authentication to authenticate to a particular Asana user account (that’s the “Asana Connect” part of Bastien’s text).

Is the code that you are talking about in this part of the Asana documentation, or is it something else? :slight_smile: I would like to understand where Alice read the required documentation so that all of her colleagues could use her OAuth client to authenticate themselves.

Thank you kindly,
Best regards,
Gazmend

Hi good people, just adding this image to properly show the error that I am facing directly:

So the error_description says “The client_id and client_secret must authorize the app.”

I am trying to find out where I let this OAuth Client authorize the app, or why I am getting this error for anyone except the Asana user who created the OAuth Client.

Thank you for your time once again, I appreciate your efforts to help me :smiley:

Hi @Bastien_Siebman , @Phil_Seeman , did you get the chance to read my latest posts?

The first step of OAuth is to send the user to the authorize URL. Once there, the user will authorize the app. How do you currently initiate the OAuth process?

@Bastien_Siebman - We have our own app at timebro.de; we initiate the OAuth process by sending the user to the Authorize URL, and we can see all of the steps working just as intended and described in the documentation. However, we cannot figure out why we cannot connect to the OAuth Client ourselves once we have entered our credentials; in the response upon authentication, we get an error with the description “The client_id and client_secret must authorize the app.”.

  1. Client logs in
  2. Clicks Connect to Asana
  3. Login form from Asana shows up
  4. Enter credentials, authenticate successfully
  5. On first attempt to get a Token, we get the error “The client_id and client_secret must authorize the app.”

When the user is back from the authorize url, they are sent to your authorized url with a code in the URL. Then your code needs to exchange that code for an authorization token. Is that what you do?

Yes @Bastien_Siebman , that is exactly what I do, and that is exactly when the error is happening, where I get a response saying “the client_id and client_secret must authorize the app”. Any hints what might be going wrong?

I think I had the same error a few days ago and the reason was that I was not using the correct client id and secret that was used for authentication.
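The flow Bastien describes (send the user to the authorize URL, receive a one-time code on the redirect, exchange the code for a token with the app's own client_id and client_secret) and the failure Bastien diagnoses (exchanging the code with a different client's credentials than the one the user authorized) can be reproduced offline. The following Python is an added example for this thread, not Asana's code or timebro's; the endpoint URLs are taken from Asana's public OAuth documentation as I know it and should be checked against the current docs, and `FakeAuthServer`, the client ids and secrets, and the redirect URI are constructed stand-ins.

```python
"""Authorization-code flow helpers plus an offline stand-in for the
authorization server that reproduces the error quoted in the thread.
Added example; not Asana's or timebro's code."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed to be Asana's OAuth endpoints; verify against the current docs.
AUTHORIZE_URL = "https://app.asana.com/-/oauth_authorize"
TOKEN_URL = "https://app.asana.com/-/oauth_token"
MISMATCH_MSG = "The client_id and client_secret must authorize the app."


def build_authorize_url(client_id, redirect_uri, state):
    """Step 1: the URL the user is sent to. `state` is a per-session random
    value that the callback must echo back (CSRF protection)."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def extract_code(callback_url, expected_state):
    """Step 2: parse the redirect back to our app and return the one-time
    code. A wrong or missing state is rejected so that a code produced by
    some other authorization attempt cannot be bound to this session."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: wrong session or CSRF attempt")
    if "code" not in qs:
        raise ValueError("no authorization code in callback")
    return qs["code"][0]


def token_request_body(client_id, client_secret, code, redirect_uri):
    """Step 3: form body POSTed to TOKEN_URL. The client_id/client_secret
    here must be the same app the user authorized in step 1."""
    return {"grant_type": "authorization_code", "client_id": client_id,
            "client_secret": client_secret, "redirect_uri": redirect_uri,
            "code": code}


class FakeAuthServer:
    """Constructed stand-in for the authorization server. It remembers
    which client each code was issued to and refuses an exchange by any
    other client, which is the behaviour behind the thread's error."""

    def __init__(self, clients):
        self.clients = clients   # client_id -> client_secret (constructed)
        self.issued = {}         # code -> client_id that obtained it

    def authorize(self, client_id):
        code = secrets.token_urlsafe(8)
        self.issued[code] = client_id
        return code

    def token(self, body):
        issued_to = self.issued.pop(body.get("code"), None)  # codes are single-use
        if issued_to is None:
            return {"error": "invalid_grant",
                    "error_description": "unknown or already used code"}
        cid = body["client_id"]
        if self.clients.get(cid) != body["client_secret"] or issued_to != cid:
            return {"error": "invalid_client", "error_description": MISMATCH_MSG}
        return {"access_token": "tok-" + secrets.token_hex(4), "token_type": "bearer"}


def run_flow(server, authorized_client_id, exchange_client_id, exchange_secret,
             redirect_uri="https://example.test/oauth/callback"):
    """Drive the whole flow. Passing different client ids for the authorize
    and exchange steps reproduces the mismatch Bastien describes."""
    state = secrets.token_urlsafe(16)
    build_authorize_url(authorized_client_id, redirect_uri, state)  # user is sent here
    code = server.authorize(authorized_client_id)                    # user consents
    callback = f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"
    code = extract_code(callback, state)
    return server.token(token_request_body(exchange_client_id, exchange_secret,
                                           code, redirect_uri))


if __name__ == "__main__":
    # Constructed client registrations: two apps owned by two different users.
    srv = FakeAuthServer({"jack-app": "jack-secret", "gaz-app": "gaz-secret"})
    print(run_flow(srv, "jack-app", "jack-app", "jack-secret"))   # access_token
    print(run_flow(srv, "jack-app", "gaz-app", "gaz-secret"))     # MISMATCH_MSG
```

The second call in the `__main__` block is the situation from the thread: the user authorized one app's client_id, but the token exchange was sent with another app's client_id and client_secret, so the server cannot tie the code to the credentials and returns the quoted error. The fix is not to make the client "public" but to use one app's credentials consistently in both steps; any Asana user can then authorize that one app.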

Alright @Bastien_Siebman , thank you for your time, I will re-try everything anew with a new OAuth Client and will pay attention to client_id and secret; If that turns out to be the case, I will come back and mark your answer as the solution :slight_smile: thank you.
