OAuth Exchange Token

Hello! I’ve been working on a client-side project with the Asana API. Since OAuth 2.0 authentication has to change due to the new security rules and the node-asana library hasn’t been updated to allow the token exchange flow from the client side, I’ve tried to develop the Authorization Code Grant from the client. So far the authorization endpoint is working perfectly: I reach the endpoint and get the code to be exchanged, but I can’t make the exchange endpoint work due to a CORS preflight validation. I want to know if this could have a workaround (as we have with the previous access_token workflow) to allow authentication without having a server side.

For what it’s worth, I have the exact same problem. The endpoint https://app.asana.com/-/oauth_token doesn’t respond with an Access-Control-Allow-Origin header to an OPTIONS request.

Thanks for adding that information. I don’t know if they are going to enable that kind of authorization due to the new flow. But since the node-asana examples are not working anymore with the new apps created, I think they have to update something (this, or remove the chance to authenticate only from the client side).

I raised this with Asana support team and got the following reply:

Our API Team stated that it is currently not possible to implement the CORS headers for the endpoint and unfortunately, there are no plans to make this available. They stated that it would be best to use a lightweight server and that a possible solution would be using the Free Tier of Google Functions.

:unamused:

Hello!

I’ll track your request for this functionality. I’m sad that we are not currently allowing authorization code grant client side, and the more people I have reaching out about it, the more I can convince people to change it.

Best,
Ross

2 Likes
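The "lightweight server" suggested in the support reply above can be very small. The following is an added example, not code from this thread, from Asana or from node-asana: it answers the CORS preflight for one allowed origin and performs the code exchange server-side so the client secret never reaches the browser. The origin, redirect URI, environment variable names and the `{"code": "..."}` request body are assumptions; the form parameters are those of the standard OAuth 2.0 authorization code grant, and Node 18+ is assumed for the global `fetch`.

```javascript
// Added example. Hostnames, env var names and credential values are placeholders (assumptions).
const cfg = {
  tokenUrl: 'https://app.asana.com/-/oauth_token', // endpoint named in the thread
  clientId: process.env.ASANA_CLIENT_ID || 'CLIENT_ID_PLACEHOLDER',
  clientSecret: process.env.ASANA_CLIENT_SECRET || 'CLIENT_SECRET_PLACEHOLDER',
  redirectUri: 'https://app.example.com/callback',
  allowedOrigin: 'https://app.example.com',
};

// CORS headers for the single allowed origin; null means the caller is refused.
function corsHeaders(origin, c = cfg) {
  if (origin !== c.allowedOrigin) return null;
  return { 'Access-Control-Allow-Origin': c.allowedOrigin, Vary: 'Origin',
    'Access-Control-Allow-Methods': 'POST', 'Access-Control-Allow-Headers': 'Content-Type' };
}

// Form body of the code exchange (RFC 6749 section 4.1.3); the secret is added server-side only.
function tokenRequestBody(code, c = cfg) {
  return new URLSearchParams({ grant_type: 'authorization_code', client_id: c.clientId,
    client_secret: c.clientSecret, redirect_uri: c.redirectUri, code }).toString();
}

// Extract the authorization code from the browser's JSON body; null if malformed.
function parseCode(raw) {
  try {
    const { code } = JSON.parse(raw);
    return typeof code === 'string' && code.length > 0 ? code : null;
  } catch { return null; }
}

async function handler(req, res) {
  const cors = corsHeaders(req.headers.origin);
  const reply = (status, body = '') => { res.writeHead(status, { ...cors, 'Cache-Control': 'no-store' }); res.end(body); };
  if (!cors) return reply(403);
  if (req.method === 'OPTIONS') return reply(204); // answers the preflight
  if (req.method !== 'POST') return reply(405);
  let raw = '';
  for await (const chunk of req) { raw += chunk; if (raw.length > 4096) return reply(413); }
  const code = parseCode(raw);
  if (!code) return reply(400);
  try {
    const upstream = await fetch(cfg.tokenUrl, { method: 'POST', body: tokenRequestBody(code),
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' } });
    reply(upstream.status, await upstream.text());
  } catch { reply(502); }
}

// Starts only when PROXY_PORT is set (e.g. PROXY_PORT=8080 node proxy.js).
if (process.env.PROXY_PORT) import('node:http').then((h) => h.createServer(handler).listen(+process.env.PROXY_PORT));
```

The same `handler` logic ports to a cloud function; the important properties are the single-origin allow-list instead of `*` and keeping `client_secret` out of the client bundle.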