I am trying to figure out how to architect the authentication part of my Podio integration app. My app will need to:
What type of authentication do we need to do for this and how do we store the authentication ids so this user doesn't have to re-authenticate every time. We will also need to store some info on this user, such that we can do #2 below.
How do we authenticate in this case?
I am thinking I need to use "Server Side Flow" Authentication which will give me an access token and refresh token for EACH user (I was originally thinking I could do this one time for all the users within an organization) and I should be able to use this for #1 and #2?
Does this sound right?
Thanks!
Patrick
Please sign in to leave a comment.
BTW, in the case of #1 we would want to add a comment to the app ITEM in the name of the user using this funciton.
In the case of #2, the incoming email should not be attributed to any user, but to our app. In other words, we just need access to add or comment on existing ITEMS in that app the user already gave us access to in #1.
Hi Patrick,
Yes, server side authentication will work in both cases if you store the access and refresh tokens for use in case #2.
You can also use app authentication in case #2, which is what we generally recommend for API authentication when the user is not directly involved.
Great thanks Casper... one other question that will help solidfy things for me about Podio authentication...
What if I only had #2 as my app requirement... where there is never directly a user involved... I just want my web app to be able to take incoming emails and add them to an app as new items... how would I do that authentication?
And how would I handle it if I wanted you to use my app to send in emails into your app (without knowing your orgid, spaceid, beforehand?
When no user is directly involved in the interaction with the Podio API, we recommend using app authentication.
However, you can only use app auth for apps that you are the administrator of. While you could ask users to locate and provide your app with the id and access token for their apps, we would not recommend going that way, both for security and usability reasons.
If you want to be able to interact with anyones app, you have to use the server side auth flow. After that, you would have to list the user's orgs, spaces and apps and let the user select the app. Then you would have both the access tokens and ids needed.
A natural starting point for listing orgs and spaces is this method: https://developers.podio.com/doc/organizations/get-organizations-22344. Once you have the space id, you can use this method list the apps in that space: https://developers.podio.com/doc/applications/get-apps-by-space-22478
Ah, this makes sense and I will actually need to use the Server Side flow for one part of my app as well, thanks!
Also, rather than asking the user for the org/space/app he wants to grant us access to, can I just use the URL to their app that they will give me and then use:
Spaces: Get space by URL
https://developers.podio.com/doc/spaces/get-space-by-url-22481
to get the SpaceID so I can then call
Applications: Get app on space by URL label
https://developers.podio.com/doc/applications/get-app-on-space-by-url-label-477105
to get the AppID that they want me to have access to?
Will that work also?
Thanks!
Yep, that should work too.
Sweet, thanks for your help!
Casper, I have some follow up questions on this... for #2 we want to:
#1. The Item Api only lists "App Authentication" as a form of auth for that API, no Server Side Flow... so Question #1 - is App Auth my only choice in this case?
#2. I don't understand who App Auth works... does anyone who has access to (or guesses) my AppID have access to create a new item via the API using App Auth? That is great if so because it will make our app work fine, but seems like a pretty big security hole?
What am I missing
Thanks!
#1 Authenticating as a user (server side flow, password flow) is always possible. We don't list it because it's always available. We show App Authentication for each API operation because it's only available for select ones.
#2 The app token is a secret and should be treated as such. Think of it as a *limited* password to your app (it can only create items and act on items it has permission to change e.g. items it created itself). There's no security issue. The app token is significantly harder to guess than your Podio password (unless you have an extremely long Podio password). Just don't make it public -- in the same way you wouldn't hand your Podio password to a stranger.
Thanks Andreas! But the app token is provided by Podio during the App Auth post, correct? What stops some random company who is using the API from gaining access to create an item in my App without my permission?
Oh, I just found this:
You can find the Podio App ID and Podio App Token by going to your app in Podio and clicking the Developer link in the settings dropdown.
I get it...
Exactly :)
One last question... if we use server side flow to authenticate? Can we then query to get that app token that we can then use later for App Authentication? Or does some user HAVE to give us that token?
It's returned along with the app: https://developers.podio.com/doc/applications/get-app-22349
Awesome, thanks!