OAuth question

Hello team,

We are starting a project that will use some of the Asana APIs and I wanted to ask the experts a question. We will use OAuth to access the APIs, but I’m a bit uncertain how I go about creating a confidential application that users do NOT need to accept. For example, I am building a UI that needs to display a list of projects a person is in and as such I need to act on behalf of this user and in reality all users. Where do I deploy such an app? I understand the concepts of client secret/token/authorization, just want to know…

Can I create such an app to be used globally by this proxied API user to access projects across our organization?

Can I define a role that this proxied user/app can execute…example, I only want to allow READ/GET operations and LIMIT all Puts/posts/verbs…is this done using scopes in the confidential app?

Finally, what is the most appropriate API to call to obtain all projects a user is involved in? I will know their email, so I was hoping to pass in the email_id and get a list of all projects that they are involved in.

Thank you for your assistance.

  • Lastly, is there an SDK or sample in GitHub that helps us with scaffolding such an app in Node or C#, etc.?

RT

Welcome, @Raed_Turkmani,

It sounds like you might not have seen the documentation written for folks in your position. If that’s the case, I think you should start here to answer a number of your questions:

For ubiquitous access, Service Accounts and Service Account Tokens that come with the Enterprise plan offer the best access, but require an Enterprise plan:

You can see the other alternatives in the documentation (first link) which will not necessarily provide access so widely.

I don’t believe “scopes” as you describe them are available.

The rest of your answers will be found in the link above, mostly in the beginning sections.

Hope that helps,

Larry

2 Likes

Thank you for your feedback. We are an Enterprise customer and will follow up on the service account token plan.

1 Like

Larry,

Just a follow-up… Having read the scopes piece of OAuth/OpenID, I’m still uncertain how such a service account can have HTTP verb access limitation defined? Is there a concept of having a specific service account? Example: Service account A has access to all verbs (puts/deletes, etc.), while another Service account B for example would have limited verb access (like GET/POST) to a subset of the catalogued APIs in Asana?

Thank you for your assistance.

I’ll have to defer to the experts on this: @Phil_Seeman, @Frederic_Malenfant, others?

Thanks,

Larry

1 Like

I am almost sure that you can’t limit access by “verb”.
Your OAuth token can do everything available in the API that is authorized in the normal UI.

I think you need to do a proxy on your side, that may limit access to the Asana API, and filter if a request should be done or not.

1 Like
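The proxy-side filter suggested in the post above, sketched as an added example that is not part of the original thread or any Asana code: it holds the token server-side and forwards only GET requests on an allowlist of paths. The allowlisted prefixes, the `ASANA_TOKEN` variable name, the port and Node 18+ (for the global `fetch`) are assumptions.

```javascript
// Added example: read-only allowlist proxy in front of the Asana API.
const UPSTREAM = 'https://app.asana.com/api/1.0';
// Assumed policy for illustration: which resources the UI may read.
const READ_PREFIXES = ['/projects', '/workspaces', '/users'];
const READ_METHODS = new Set(['GET']);

// Pure policy decision, kept separate from I/O so it can be unit-tested.
function decide(method, rawUrl) {
  // URL parsing collapses "." and ".." segments before the prefix check.
  const url = new URL(rawUrl, 'http://proxy.invalid');
  if (!READ_METHODS.has(String(method).toUpperCase())) {
    return { allow: false, status: 405, reason: 'method not permitted' };
  }
  const ok = READ_PREFIXES.some(
    (p) => url.pathname === p || url.pathname.startsWith(p + '/'));
  if (!ok) return { allow: false, status: 403, reason: 'path not permitted' };
  return { allow: true, status: 200, target: UPSTREAM + url.pathname + url.search };
}

// Forward allowed requests with the server-side token; callers never see it.
async function handle(req, res, token) {
  const d = decide(req.method, req.url);
  if (!d.allow) {
    console.warn(`denied ${req.method} ${req.url}: ${d.reason}`);
    res.writeHead(d.status, { 'content-type': 'application/json' });
    return res.end(JSON.stringify({ error: d.reason }));
  }
  try {
    const up = await fetch(d.target, {
      method: 'GET',
      headers: { authorization: `Bearer ${token}`, accept: 'application/json' },
    });
    res.writeHead(up.status, { 'content-type': 'application/json' });
    res.end(await up.text());
  } catch {
    res.writeHead(502, { 'content-type': 'application/json' });
    res.end(JSON.stringify({ error: 'upstream unavailable' }));
  }
}

async function start(token, port = 8080) {
  const http = await import('node:http');
  // Loopback only: the UI's own user authentication must sit in front of this.
  return http.createServer((q, s) => handle(q, s, token)).listen(port, '127.0.0.1');
}

// ASANA_TOKEN is an assumed environment variable name.
if (process.env.ASANA_TOKEN) start(process.env.ASANA_TOKEN);
```

Because the token behind the proxy can still do everything the API allows, the denied-request log lines are the place to alert on clients attempting writes.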

@Raed_Turkmani,

@Frederic_Malenfant is correct; as listed in the API documentation, there are a few specific scopes for very rare use cases but in general use, the API doesn’t provide any scopes to restrict data access.

1 Like

Thank you Frederic for your assistance. It would truly be wonderful if the API team allowed customization of resource access during service account creation. Our security team would have preferred creation of a limited account with scopes, but perhaps this is something that can be looked into by Asana engineers.

RT

Yes, I would follow up with your Asana Enterprise rep on that request. They should be able to follow up on that internally.

1 Like