Authentication "architecture" questions

Answered

Comments

15 comments

  • Patrick Steil

    BTW, in the case of #1 we would want to add a comment to the app ITEM in the name of the user using this function.

    In the case of #2, the incoming email should not be attributed to any user, but to our app.  In other words, we just need access to add or comment on existing ITEMS in that app the user already gave us access to in #1.

  • Casper Fabricius

    Hi Patrick,

    Yes, server side authentication will work in both cases if you store the access and refresh tokens for use in case #2.

    You can also use app authentication in case #2, which is what we generally recommend for API authentication when the user is not directly involved.

  • Patrick Steil

    Great, thanks Casper... one other question that will help solidify things for me about Podio authentication...

    What if I only had #2 as my app requirement... where there is never directly a user involved... I just want my web app to be able to take incoming emails and add them to an app as new items... how would I do that authentication?

    And how would I handle it if I wanted you to use my app to send in emails into your app (without knowing your orgid, spaceid, beforehand)?

  • Casper Fabricius

    When no user is directly involved in the interaction with the Podio API, we recommend using app authentication.

    However, you can only use app auth for apps that you are the administrator of. While you could ask users to locate and provide your app with the id and access token for their apps, we would not recommend going that way, both for security and usability reasons.

    If you want to be able to interact with anyone's app, you have to use the server side auth flow. After that, you would have to list the user's orgs, spaces and apps and let the user select the app. Then you would have both the access tokens and ids needed.

    A natural starting point for listing orgs and spaces is this method: https://developers.podio.com/doc/organizations/get-organizations-22344. Once you have the space id, you can use this method to list the apps in that space: https://developers.podio.com/doc/applications/get-apps-by-space-22478

  • Patrick Steil

    Ah, this makes sense and I will actually need to use the Server Side flow for one part of my app as well, thanks!

    Also, rather than asking the user for the org/space/app he wants to grant us access to, can I just use the URL to their app that they will give me and then use:

    Spaces: Get space by URL

    https://developers.podio.com/doc/spaces/get-space-by-url-22481

    to get the SpaceID so I can then call 

    Applications: Get app on space by URL label

    https://developers.podio.com/doc/applications/get-app-on-space-by-url-label-477105

    to get the AppID that they want me to have access to?

    Will that work also?

    Thanks!

  • Casper Fabricius

    Yep, that should work too.

  • Patrick Steil

    Sweet, thanks for your help!

  • Patrick Steil

    Casper, I have some follow-up questions on this... for #2 we want to:

    • Take an incoming email to our email server and create an App Item in a random App that we have an appID for.  (It may be one that I don't have any personal access to).

    #1.  The Item API only lists "App Authentication" as a form of auth for that API, no Server Side Flow... so Question #1 - is App Auth my only choice in this case?

    #2.  I don't understand how App Auth works... does anyone who has access to (or guesses) my AppID have access to create a new item via the API using App Auth?  That is great if so because it will make our app work fine, but seems like a pretty big security hole?

    What am I missing?

    Thanks!

  • Andreas Haugstrup Pedersen

    #1 Authenticating as a user (server side flow, password flow) is always possible. We don't list it because it's always available. We show App Authentication for each API operation because it's only available for select ones.

    #2 The app token is a secret and should be treated as such. Think of it as a *limited* password to your app (it can only create items and act on items it has permission to change e.g. items it created itself). There's no security issue. The app token is significantly harder to guess than your Podio password (unless you have an extremely long Podio password). Just don't make it public -- in the same way you wouldn't hand your Podio password to a stranger.

  • Patrick Steil

    Thanks Andreas!  But the app token is provided by Podio during the App Auth post, correct?  What stops some random company who is using the API from gaining access to create an item in my App without my permission?

  • Patrick Steil

    Oh, I just found this:

    You can find the Podio App ID and Podio App Token by going to your app in Podio and clicking the Developer link in the settings dropdown.

    I get it... 

  • Andreas Haugstrup Pedersen

    Exactly :)

  • Patrick Steil

    One last question... if we use server side flow to authenticate, can we then query to get that app token that we can then use later for App Authentication?  Or does some user HAVE to give us that token?

  • Andreas Haugstrup Pedersen

    It's returned along with the app: https://developers.podio.com/doc/applications/get-app-22349

  • Patrick Steil

    Awesome, thanks!

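The following is an added, editorial example and not code from Podio or from anyone in this thread. It walks through the two cases the thread settles on: case #1 uses the server side flow to act as the user (exchange the redirect code, list the user's orgs/spaces/apps, read the app token that Get App returns), and case #2 later uses app authentication with that stored app token to create an item with no user involved. It also shows Andreas' points about the app token being a scoped secret: a guessed token is rejected, and an app session cannot do what a user session can. The Podio server is replaced by an in-memory fake so it runs offline; the grant types, paths and field names are assumptions modelled on Podio's public API docs, and every id, code and token is constructed for the example.

```python
"""Podio auth walk-through with a fake server (constructed example, no network)."""
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class TokenSet:
    access_token: str
    refresh_token: Optional[str]   # user sessions get one; app sessions do not here
    ref: dict                      # who the token acts as, e.g. {"type": "user", "id": 42}


class FakePodio:
    """In-memory stand-in for podio.com/oauth/token plus four API calls.
    Paths and fields are assumptions; ids and tokens are constructed."""

    def __init__(self):
        self.app_tokens = {5551: "app-token-CONSTRUCTED"}   # app_id -> app token (secret)
        self.auth_codes = {"code-from-redirect": 42}       # auth code -> user_id
        self.access = {}                                    # access token -> ref
        self.refresh = {}                                   # refresh token -> ref
        self.items = []

    def _issue(self, ref, with_refresh):
        access = secrets.token_urlsafe(16)
        self.access[access] = ref
        refresh = None
        if with_refresh:
            refresh = secrets.token_urlsafe(16)
            self.refresh[refresh] = ref
        return TokenSet(access, refresh, ref)

    def token(self, grant_type, **form):
        """POST /oauth/token (client_id/client_secret checks omitted for brevity)."""
        if grant_type == "authorization_code":
            user_id = self.auth_codes.pop(form["code"])      # codes are single use
            return self._issue({"type": "user", "id": user_id}, with_refresh=True)
        if grant_type == "refresh_token":
            ref = self.refresh.pop(form["refresh_token"])    # rotate: old one dies
            return self._issue(ref, with_refresh=True)
        if grant_type == "app":
            if self.app_tokens.get(form["app_id"]) != form["app_token"]:
                raise PermissionError("app auth rejected: bad app_id/app_token")
            return self._issue({"type": "app", "id": form["app_id"]}, with_refresh=False)
        raise ValueError(grant_type)

    def get(self, access_token, path):
        ref = self.access[access_token]                      # KeyError stands in for 401
        if ref["type"] == "user":
            if path == "/org/":
                return [{"org_id": 1, "spaces": [{"space_id": 10}]}]
            if path == "/app/space/10/":
                return [{"app_id": 5551, "url_label": "leads"}]
            if path == "/app/5551":
                # Get App hands the app token to an authenticated user (Andreas' last answer)
                return {"app_id": 5551, "token": self.app_tokens[5551]}
        raise PermissionError(f"{ref['type']} session may not GET {path}")

    def post_item(self, access_token, app_id, fields):
        ref = self.access[access_token]
        if ref["type"] == "app" and ref["id"] != app_id:     # "limited password": one app only
            raise PermissionError("app token is scoped to its own app")
        self.items.append({"app_id": app_id, "fields": fields, "created_by": ref})
        return len(self.items)


def onboard_user(podio, code):
    """Case #1: server side flow. Exchange the code, find the user's app, read its token."""
    user = podio.token("authorization_code", code=code, redirect_uri="https://example.invalid/cb")
    space_id = podio.get(user.access_token, "/org/")[0]["spaces"][0]["space_id"]
    app_id = podio.get(user.access_token, f"/app/space/{space_id}/")[0]["app_id"]
    app_token = podio.get(user.access_token, f"/app/{app_id}")["token"]
    # Persist the refresh token and app token server side as secrets; never log them.
    return {"user": user, "app_id": app_id, "app_token": app_token}


def ingest_email_as_app(podio, app_id, app_token, subject):
    """Case #2: no user involved; authenticate as the app and create an item."""
    session = podio.token("app", app_id=app_id, app_token=app_token)
    return session, podio.post_item(session.access_token, app_id, {"title": subject})


def run_example():
    podio = FakePodio()
    onboarded = onboard_user(podio, "code-from-redirect")
    app_session, item_no = ingest_email_as_app(
        podio, onboarded["app_id"], onboarded["app_token"], "Re: quote request")
    try:                                   # app_id alone is not enough: token is the secret
        ingest_email_as_app(podio, onboarded["app_id"], "guessed-token", "x")
        guess_rejected = False
    except PermissionError:
        guess_rejected = True
    try:                                   # app session cannot browse orgs like a user can
        podio.get(app_session.access_token, "/org/")
        listing_blocked = False
    except PermissionError:
        listing_blocked = True
    old_refresh = onboarded["user"].refresh_token
    podio.token("refresh_token", refresh_token=old_refresh)   # rotate user tokens
    try:
        podio.token("refresh_token", refresh_token=old_refresh)
        old_refresh_dead = False
    except KeyError:
        old_refresh_dead = True
    return {"item_no": item_no, "created_by": podio.items[0]["created_by"]["type"],
            "guess_rejected": guess_rejected, "listing_blocked": listing_blocked,
            "old_refresh_dead": old_refresh_dead}


if __name__ == "__main__":
    print(run_example())
```

The item created in case #2 is attributed to the app, not to a user, which is what Patrick asked for; the stored app token and the user's refresh token are the two secrets the web app has to protect, so keep them in server side secret storage rather than in client code or logs.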

