Asana API Cross-Domain Request Access Control Headers - asana

I'm trying to make a GET request to the Asana API from the browser. Because this is a cross-domain request, the client first sends an OPTIONS request. I'm running into the same issue that was described in this Stack Overflow question a year ago, ASANA API and Access-Control-* headers, where the Asana API doesn't respond with the Access-Control parameters.
I'm wondering whether the new release of the Asana Connect and OAuth2 addresses this problem and I'm simply doing something wrong or if this is still unsupported.

(I work at Asana.) Sorry, looks like this slipped through the cracks.
We currently do not allow Cross-Origin requests. However, we do support JSONP if you use OAuth2 and authenticate with a bearer token. This allows you to make secure requests from a JS client.
Just append opt_jsonp=CALLBACK as a parameter to the request, where CALLBACK is the name of the JavaScript function you would like to be called back with the response data.
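A minimal JSONP client for the opt_jsonp mechanism described in the answer, added here as an example and not code from Asana or the original post. It assumes `doc` and `root` behave like `document` and `window` (they are injectable so the helper can be exercised outside a browser); how the bearer token itself is conveyed is left to the caller's URL.

```javascript
// Added example (not Asana's own code): JSONP helper that appends Asana's
// opt_jsonp=CALLBACK parameter, registers a one-off global callback and
// removes both the callback and the <script> element when the call completes.
let jsonpSeq = 0;

// Build the request URL with the callback name Asana should wrap the response in.
function jsonpUrl(baseUrl, callbackName) {
  const url = new URL(baseUrl);
  url.searchParams.set("opt_jsonp", callbackName);
  return url.toString();
}

// Only ever point JSONP at an origin you trust: whatever comes back is executed as script.
function jsonpGet(baseUrl, { doc = globalThis.document, root = globalThis, timeoutMs = 10000 } = {}) {
  const callbackName = `__asanaJsonp${++jsonpSeq}`; // unique per request, so concurrent calls do not collide
  return new Promise((resolve, reject) => {
    const script = doc.createElement("script");
    const timer = setTimeout(() => { cleanup(); reject(new Error("JSONP request timed out")); }, timeoutMs);
    function cleanup() {
      clearTimeout(timer);
      delete root[callbackName];
      if (script.parentNode) script.parentNode.removeChild(script);
    }
    root[callbackName] = (payload) => { cleanup(); resolve(payload); };
    script.onerror = () => { cleanup(); reject(new Error("JSONP script failed to load")); };
    script.src = jsonpUrl(baseUrl, callbackName);
    doc.head.appendChild(script);
  });
}
```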

Related

Why OAuth2 implicit flow relies on iframes?

I saw in a few places that Implicit flow clients use an iframe to get a new token silently, without user interaction. Why is that? Why can't the client just send a GET request to the authorization server and retrieve the token from the returned HTTP 301 response?
I saw iframe mentioned in these places:
https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-third-party-cookies-spas
https://auth0.com/docs/authenticate/login/configure-silent-authentication
I found this post: OAuth2 Implicit Flow - IFrame Refresh Identity. It says that the request sent from iframe carries a cookie with it. Is it not possible to attach such a cookie from a JS request?

Asana API Personal Access Token return 401 (Unauthorized)

When we are accessing the Asana API we are using the Asana node client v0.15.0 together with a Tampermonkey script. The API is responding with a 401 (Unauthorized).
This worked a couple of days ago. I have tried with new Personal Access Tokens but still get the same error.
While fiddling with the request I tried to change the auth header Bearer to be lower cased:
Authorization: Bearer my-personal-access-token ->
Authorization: bearer my-personal-access-token.
This seems to work fine, which indicates that something changed on Asana's side.
The node-asana js client lib does not let me modify the request before sending it to Asana API.
According to Asana API support, Stack Overflow is where I should ask for help on this matter.
EDIT
After some further investigation it seems that when we send the cookie
auth_token=My auth token we do get the 401 error. But if I remove the cookie and reissue the request in Fiddler, it works fine.
Another note is that now we do not get any custom_fields in the response from e.g. https://app.asana.com/api/1.0/tasks/TaskId
I'm a Developer Advocate at Asana. You've caught something that is a known issue and we're working on a fix :) We're rolling out a new version of our API. It's intended to be backwards-compatible with the older implementation, but giving us multiple forms of authentication is one of those cases where we do something different between the two.
For security purposes, we initially implemented this in the new version to not allow requests with multiple forms of authentication, but it turns out that in-browser integrations were affected in precisely the way you're seeing: being logged into Asana, which causes your browser to send your authorization credentials for requests to asana.com automatically, and also authorizing "the right way" for our API with OAuth or a Personal Access Token will end up breaking. We're working on a fix that will allow this to work for the case when both the logged in (cookie) user and the API (access token) user are the same.
If this is an urgent issue and you want to force the old behavior to happen while we roll out the fix in our newer API implementation, you can set a header as described in that link --^ to force your requests on to the old API. Once we get the new API fully deployed and stable, though, we'll deprecate that header, so please be cautious in relying on it for a long-term solution.
Sorry that this has caused issues for you, and thanks for creating this question to let us know!
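The behaviour the answer describes, modelled as an added example (not Asana's code): an API front door that sees both a session cookie and a bearer token on one request. The strict rule refuses any request carrying two credentials; the relaxed rule, the fix the answer describes, accepts it only when both resolve to the same user. The session and token tables and the `authenticate` helper are constructed for illustration.

```javascript
// Added example, not Asana's code: resolving a request that carries both an
// auth_token session cookie and an Authorization: Bearer header.
// The session and token tables are constructed sample data.
const SESSIONS = { "sess-abc": "user-1" };                    // auth_token cookie -> user
const BEARERS = { "pat-111": "user-1", "pat-222": "user-2" }; // access token -> user

function parseCookies(header = "") {
  const pairs = header.split(";").map((c) => c.trim()).filter(Boolean);
  return Object.fromEntries(pairs.map((c) => [c.slice(0, c.indexOf("=")), c.slice(c.indexOf("=") + 1)]));
}

// Return value convention: undefined = credential absent, null = present but unknown, string = user id.
function cookieUser(headers) {
  const token = parseCookies(headers.cookie).auth_token;
  return token === undefined ? undefined : SESSIONS[token] ?? null;
}

function bearerUser(headers) {
  if (!headers.authorization) return undefined;
  // The auth scheme is case-insensitive (RFC 7235), so "bearer" and "Bearer" both match.
  const m = /^bearer\s+(\S+)$/i.exec(headers.authorization.trim());
  return m ? BEARERS[m[1]] ?? null : null;
}

// allowMatchingPair=false is the strict behaviour; true is the relaxed fix.
function authenticate(headers, { allowMatchingPair = true } = {}) {
  const fromCookie = cookieUser(headers);
  const fromToken = bearerUser(headers);
  const present = [fromCookie, fromToken].filter((u) => u !== undefined);
  if (present.length === 0) return { status: 401, reason: "no credentials" };
  if (present.includes(null)) return { status: 401, reason: "invalid credential" };
  if (present.length === 2 && (!allowMatchingPair || fromCookie !== fromToken)) {
    // Two different principals on one request is ambiguous: refuse rather than guess.
    return { status: 401, reason: "multiple credentials" };
  }
  return { status: 200, user: fromToken ?? fromCookie };
}
```

A browser integration that only wants the token path can avoid the collision on its side by sending the request with `credentials: 'omit'` so the session cookie is not attached.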

Oauth : can json have oauth token?

I am simulating an app where JSON requests are sent at the back. Now I have to add OAuth support. I don't know how to move forward. Is the OAuth token sent with the same JSON request?
Yes and no... an OAuth token is sent in the HTTP headers. So, it's not in the JSON payload, but it is sent in the same HTTP request.
However, before sending it, you have to accomplish some steps dictated by the standard, to exchange the proper token(s) (access and/or request).
Look at this good tutorial http://hueniverse.com/oauth/guide/ to understand the process more in depth. It even has an interactive part where you can dynamically change the parameters and see the headers and messages you should generate and exchange.

What should the Request URI be when creating an oAuth 2.0 server implementation?

After reading through the OAuth 2.0 draft 23 I have a better understanding of how OAuth works; however, one thing I'm not understanding is the request URI.
I've read the section in the draft and it explains the request URI needs to be an absolute URL from the client, but if I am making an Android/iPhone app then what must this value be, as my app is not a website on a web server?
You can define your own custom URI scheme, say
myapp://oauthcallback
Now you set up your app to listen for this scheme (works on Android and on iOS). When your browser/webview then gets redirected after the authorization request, your app will start and you can handle the query parameters sent with the URI.
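Handling the redirect that lands on the custom scheme from the answer, as an added example (not from the question or from any platform SDK). `handleOAuthCallback` is a hypothetical helper; `expectedState` is assumed to be the random state value the app generated before opening the browser, which it must compare against the returned state before accepting the code.

```javascript
// Added example: parse a myapp://oauthcallback redirect URI and validate it
// before trusting the authorization code it carries. Constants and helper
// names are this example's own, not from any SDK.
const CALLBACK_SCHEME = "myapp:";
const CALLBACK_HOST = "oauthcallback";

function handleOAuthCallback(uri, expectedState) {
  let url;
  try { url = new URL(uri); } catch { return { ok: false, error: "unparseable_uri" }; }
  // Only accept the exact scheme and host the app registered for.
  if (url.protocol !== CALLBACK_SCHEME || url.host !== CALLBACK_HOST) {
    return { ok: false, error: "unexpected_redirect_target" };
  }
  const q = url.searchParams;
  // The authorization server reports refusals via error / error_description.
  if (q.has("error")) {
    return { ok: false, error: q.get("error"), description: q.get("error_description") ?? "" };
  }
  // The state must match the one this app generated for this login attempt;
  // a mismatch means the code was not produced by a flow we started, so drop it.
  if (!expectedState || q.get("state") !== expectedState) {
    return { ok: false, error: "state_mismatch" };
  }
  const code = q.get("code");
  if (!code) return { ok: false, error: "missing_code" };
  return { ok: true, code };
}
```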

Sending POST instead of GET request to Google Contacts API (OAuth2)

Hoping someone can help me out here. I'm using Google Contacts API to fetch a list of contacts. To my understanding, this is done by sending a GET request:
https://www.google.com/m8/feeds/contacts/default/full?alt=json&max-results=9999&oauth_token=OATH_TOKEN_HERE
However, this is wildly insecure as any intruder can gain access to the oauth_token in the URL. To combat this, I'm trying to send this as a POST request with my parameters (alt, max-results, oauth_token) as the data. However, I simply get an error that "Authorization is required". I've tried adding "Authorization: OAuth" to my headers but to no avail (get an error that authorization type is not recognized).
Any advice? I need a secure way to send the oauth token to Google such that my security software won't complain about a security hole in my program ...
Thanks!
To answer your question directly, even though security is irrelevant as you are using HTTPS, you cannot POST to Google to get a list of contacts. Google requires you use GET.
The proper formatting for authorization (because you can still use a GET and not pass the oauth_token as a query string) is to use an HTTP header formatted:
Authorization: Bearer 1/fFBGRNJru1FQd44AzqT3Zg
Using OAuth 2.0 to Access Google APIs
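The point made in this answer and in the "can json have oauth token?" thread above, as one added example (not Google's code or the poster's): the access token travels in the Authorization header, not in the query string and not in the JSON body. `buildAuthorizedRequest` and `redactUrlForLog` are hypothetical helpers; the token value is constructed.

```javascript
// Added example: build fetch()-style request options with the OAuth token in
// the Authorization header, refusing URLs or bodies that carry the token,
// plus a redaction helper for URLs that are about to be logged.
const TOKEN_QUERY_PARAMS = ["oauth_token", "access_token"];

function buildAuthorizedRequest(rawUrl, accessToken, jsonBody) {
  const url = new URL(rawUrl);
  for (const p of TOKEN_QUERY_PARAMS) {
    // Query strings end up in proxy logs, server logs and browser history.
    if (url.searchParams.has(p)) throw new Error(`refusing to send a token in query parameter "${p}"`);
  }
  const headers = { Authorization: `Bearer ${accessToken}`, Accept: "application/json" };
  const request = { url: url.toString(), method: jsonBody === undefined ? "GET" : "POST", headers };
  if (jsonBody !== undefined) {
    if ("oauth_token" in jsonBody || "access_token" in jsonBody) {
      throw new Error("token belongs in the Authorization header, not the JSON body");
    }
    headers["Content-Type"] = "application/json";
    request.body = JSON.stringify(jsonBody);
  }
  return request;
}

// Replace credential-bearing query parameters before a URL goes into a log line.
function redactUrlForLog(rawUrl) {
  const url = new URL(rawUrl);
  for (const p of TOKEN_QUERY_PARAMS) {
    if (url.searchParams.has(p)) url.searchParams.set(p, "REDACTED");
  }
  return url.toString();
}
```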
