[ Upcoming ] Workspace-specific app and API blocking

John_Baldo · 26 March 2024 20:15

Summary

Currently, if an Asana workspace admin blocks an OAuth app or personal access tokens, it affects users across all workspaces they belong to—even workspaces where access is not restricted.
We’re introducing an update to refine this, allowing users to use apps and personal access tokens in workspaces without such restrictions.

Who is affected

Asana OAuth app/integration developers working across multiple workspaces.
Users in Asana workspaces where an admin has blocked app or API usage, including new members of those workspaces.

Enhancements

OAuth Consent

In the past, users faced a blocking screen or an approval request flow when trying to authorize an app in a workspace where it was blocked.

Starting in April, users will be able to authorize an app in all workspaces where they are not blocked. The consent screen will indicate where the app is blocked and provide a link to request an app approval.

A future update, users will need to explicitly choose a workspace when authorizing an app. More details will be shared later this year. In the meantime, this enhancement will give Asana users broader access to the API and apps.

Personal Access Tokens

Users will soon be able to generate personal access tokens which access unblocked workspaces, while still being restricted in workspaces where access is blocked.

In a future iteration, you’ll be able to see a list of workspaces each token can access. In the meantime, you should not assume that a personal access token can access all of a user’s workspaces. You’ll receive an error when trying to access blocked workspaces. You can use the /workspaces endpoint to see a list of workspaces the token has access to. Blocked workspaces will not appear in the list.

GET /workspaces

{
  "data": [
    {
      "gid": "1579",
      "name": "ACME, Inc",
      "resource_type": "workspace"
    },
    {
      "gid": "1592",
      "name": "Apollo Enterprises",
      "resource_type": "workspace"
    }
  ]
}

Timeline

Week of April 15: Rollout of the updated OAuth consent experience and the ability to create personal access tokens for unblocked workspaces.

June 2024: The Asana developer console will be updated to display accessible workspaces per personal access token.

Why We’re Making This Change

This update addresses feedback from our multi-workspaces users, developers, and admins who have expressed the need for more granular control over app and API usage. It’s a milestone on our journey to authorize apps and generate tokens for specific workspaces!

We hope this will be a welcome change. Please let me know if you have any questions!

lpb · 26 March 2024 21:20

Very much so! Really looking forward to this to be able to use an app that I’ve been blocked from. Thanks so much!!!

Larry

Phil_Seeman · 27 March 2024 01:42

Yes, this is an excellent enhancement!

Bastien_Siebman · 27 March 2024 06:08

Am I correct to assume that as a developer I don’t have to change anything?

Phil_Seeman · 27 March 2024 13:39

That’s my belief; we’ll see if that gets confirmed!

John_Baldo · 27 March 2024 17:31

Right! It’s just that you won’t have access to all the user’s workspaces in this scenario. We’re trying to set expectations with the user on that screen to avoid confusion about that.

Phil_Seeman · 24 June 2024 13:54

@John_Baldo This says above it’ll be rolled out the week of April 15 but it’s not implemented yet, is it? Do you have an updated timeline? Thanks!

John_Baldo · 27 June 2024 21:34

Hi @Phil_Seeman , that was fully rolled out in April and the developer console enhancements to show personal access token details are in the process of rolling out now.

Phil_Seeman · 27 June 2024 23:43

Really? Then I must be missing something conceptually here… When I go to authorize Flowsana for my Asana user who is authorized in a bunch of domains, I get this screen - there’s no mention of or opportunity to select which one to authenticate to. What am I missing?

EDIT:

Oh wait, I just went back and re-read your above post:

Starting in April, users will be able to authorize an app in all workspaces where they are not blocked.
A future update, users will need to explicitly choose a workspace when authorizing an app.

I didn’t realize it was in two parts; I was looking for the “future” part now!

John_Baldo · 28 June 2024 17:01

Hey @Phil_Seeman , Yes, sorry. This release allows someone who is blocked from using an app in one workspace / domain to continue using the app in other workspaces where they are not blocked. Previously, this wasn’t possible. The screenshot in the original post is the new experience for this scenario.

Topic		Replies	Views
Changes are coming to Asana’s API Authorization Platform News	0	950	17 April 2023
Asana’s API authorization framework will be changing later this year, and your app may be affected, What is the exact date for this change roll out and impact Developers & API feature	5	1087	30 May 2025
Authorize integration for specific workspaces Developers & API	4	831	30 May 2025
More granular OAuth 2.0/Personal Access Tokens and Asana? Developers & API	8	2711	30 May 2025
API not working in some cases Developers & API	4	1779	30 May 2025