
I have an Angular App as a front-end client and a Rails back-end API. I'd like to access Asana's API and would like to authorise it via the Angular App, so I'm following their OAuth process called Implicit Grant Flow.

After the authorisation process I get an access_token, but when trying to use this code on Postman (in order to test the API call I'll implement on the back-end) I get a 401 Not Authorised code.

Is there a way I could get the user to authorise via the Angular App and then exchange this access_token for a permanent token/code to make subsequent calls on the backend?

If not, do I need to get the user to authorise this every time I need to access the API?

EDIT

Here's the screenshot of my attempts to use the access_token with Postman:


NOTE I've tried the above on Postman minutes after I had authorised the app, so I'd imagine the token would still be valid.

WagnerMatosUK

1 Answer


I'd guess that the access_token expires before you get around to testing it. Access tokens are meant to be short-lived (Asana access tokens currently expire after one hour). If this is not the case could you please post the request you are making with Postman (with secrets redacted)?

If you want longer-lived authorizations, you should use the authorization code grant to get a refresh token instead of an access token. You can then exchange the refresh token for temporary access tokens when you need to access the API (the Asana client libraries handle this implicitly).

Sean Wentzel
  • I guess there are two problems: 1) I got something wrong, hence the error on Postman, and 2) in any case, I'd like to get a permanent token so it can be used repeatedly (refreshing it whenever needed). If I understood correctly, I cannot get an `Authorization Code Grant` unless I'm doing the authentication on the backend, so I was hoping there would be a method that would allow me to exchange the `access_token` for a permanent one? – WagnerMatosUK Aug 31 '16 at 14:58
  • Firstly the problem with your Postman request: Asana takes `Authorization: Bearer somecode` as a header rather than a query param. If you want to pass an access token as a query param you can pass it in the `access_token` parameter (like `https://app.asana.com/...?access_token=somecode`). I'll discuss 2) in a separate comment. – Sean Wentzel Aug 31 '16 at 16:54
  • There is no way to exchange access tokens for refresh tokens, because access tokens are intended to be a less secure credential than refresh tokens. I should also add that subsequent redirects to the implicit grant endpoint, once the user has authorized your app, shouldn't require the user to click through again. This is the correct way to handle auth on the client: you can't use refresh tokens without your Asana API client secret, which you don't want on your client. If you need long-lived tokens on the server, then you should use an authorization code grant on the backend. – Sean Wentzel Aug 31 '16 at 17:01
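As an added example (not code from the question, the answer, or Asana's own client library), here is a Ruby token broker for the Rails backend that implements the answer's advice: the refresh token and client secret stay on the server, short-lived access tokens are minted from the refresh token and refreshed before they expire, and the token is sent as a `Authorization: Bearer` header rather than a query parameter. The token endpoint URL and the form parameter names are assumptions about Asana's OAuth token endpoint; the endpoint is injectable so the class can be exercised offline.

```ruby
require "net/http"
require "json"

# Server-side token broker: keeps the long-lived refresh token (obtained once
# via the authorization code grant) and mints short-lived access tokens from
# it, refreshing them shortly before they expire. The refresh token and the
# client secret never leave the backend.
class AsanaTokenBroker
  TOKEN_URL = URI("https://app.asana.com/-/oauth_token") # assumed endpoint URL

  # token_endpoint: callable taking form params, returning the parsed JSON
  # token response (defaults to a real HTTPS POST); clock: returns current Time.
  def initialize(client_id:, client_secret:, refresh_token:,
                 token_endpoint: nil, clock: -> { Time.now })
    @client_id, @client_secret, @refresh_token = client_id, client_secret, refresh_token
    @token_endpoint = token_endpoint || method(:post_token)
    @clock = clock
    @access_token = nil
    @expires_at = nil
  end

  # Returns a valid access token, refreshing 60 s before the stored one expires.
  def access_token
    refresh! if @access_token.nil? || @clock.call >= @expires_at - 60
    @access_token
  end

  # Header form the API expects (the answer notes Bearer goes in a header).
  def authorization_header
    { "Authorization" => "Bearer #{access_token}" }
  end

  # refresh_token grant: trades the refresh token for a new short-lived token.
  def refresh!
    resp = @token_endpoint.call(
      "grant_type" => "refresh_token", "client_id" => @client_id,
      "client_secret" => @client_secret, "refresh_token" => @refresh_token
    )
    @access_token = resp.fetch("access_token")
    @expires_at = @clock.call + Integer(resp.fetch("expires_in"))
  end

  private

  def post_token(params)
    res = Net::HTTP.post_form(TOKEN_URL, params)
    raise "token refresh failed: HTTP #{res.code}" unless res.is_a?(Net::HTTPSuccess)
    JSON.parse(res.body)
  end
end
```

In a Rails app the refresh token would be loaded from encrypted storage and `broker.authorization_header` merged into each outgoing Asana request; the Angular client never sees the refresh token or the client secret.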