[ Upcoming ] Workspace-specific app and API blocking

Summary

  • Currently, if an Asana workspace admin blocks an OAuth app or personal access tokens, it affects users across all workspaces they belong to—even workspaces where access is not restricted.

  • We’re introducing an update to refine this, allowing users to use apps and personal access tokens in workspaces without such restrictions.

Who is affected

  • Asana OAuth app/integration developers working across multiple workspaces.
  • Users in Asana workspaces where an admin has blocked app or API usage, including new members of those workspaces.

Enhancements

OAuth Consent

In the past, users faced a blocking screen or an approval request flow when trying to authorize an app in a workspace where it was blocked.

Starting in April, users will be able to authorize an app in all workspaces where they are not blocked. The consent screen will indicate where the app is blocked and provide a link to request an app approval.

A future update, users will need to explicitly choose a workspace when authorizing an app. More details will be shared later this year. In the meantime, this enhancement will give Asana users broader access to the API and apps.

Personal Access Tokens

Users will soon be able to generate personal access tokens which access unblocked workspaces, while still being restricted in workspaces where access is blocked.

In a future iteration, you’ll be able to see a list of workspaces each token can access. In the meantime, you should not assume that a personal access token can access all of a user’s workspaces. You’ll receive an error when trying to access blocked workspaces. You can use the /workspaces endpoint to see a list of workspaces the token has access to. Blocked workspaces will not appear in the list.

GET /workspaces

{
  "data": [
    {
      "gid": "1579",
      "name": "ACME, Inc",
      "resource_type": "workspace"
    },
    {
      "gid": "1592",
      "name": "Apollo Enterprises",
      "resource_type": "workspace"
    }
  ]
}

Timeline

Week of April 15: Rollout of the updated OAuth consent experience and the ability to create personal access tokens for unblocked workspaces.

June 2024: The Asana developer console will be updated to display accessible workspaces per personal access token.

Why We’re Making This Change

This update addresses feedback from our multi-workspaces users, developers, and admins who have expressed the need for more granular control over app and API usage. It’s a milestone on our journey to authorize apps and generate tokens for specific workspaces!

We hope this will be a welcome change. Please let me know if you have any questions!

3 Likes

Very much so! Really looking forward to this to be able to use an app that I’ve been blocked from. Thanks so much!!!

Larry

Yes, this is an excellent enhancement!

Am I correct to assume that as a developer I don’t have to change anything?

That’s my belief; we’ll see if that gets confirmed!

Right! It’s just that you won’t have access to all the user’s workspaces in this scenario. We’re trying to set expectations with the user on that screen to avoid confusion about that.

2 Likes

@John_Baldo This says above it’ll be rolled out the week of April 15 but it’s not implemented yet, is it? Do you have an updated timeline? Thanks!

Hi @Phil_Seeman , that was fully rolled out in April and the developer console enhancements to show personal access token details are in the process of rolling out now.

1 Like

Really? Then I must be missing something conceptually here… When I go to authorize Flowsana for my Asana user who is authorized in a bunch of domains, I get this screen - there’s no mention of or opportunity to select which one to authenticate to. What am I missing?


EDIT:

Oh wait, I just went back and re-read your above post:

Starting in April, users will be able to authorize an app in all workspaces where they are not blocked.
A future update, users will need to explicitly choose a workspace when authorizing an app.

I didn’t realize it was in two parts; I was looking for the “future” part now!

1 Like

Hey @Phil_Seeman , Yes, sorry. This release allows someone who is blocked from using an app in one workspace / domain to continue using the app in other workspaces where they are not blocked. Previously, this wasn’t possible. The screenshot in the original post is the new experience for this scenario.

2 Likes