Authentication "architecture" questions

I am trying to figure out how to architect the authentication part of my Podio integration app.  My app will need to:

  1.  Allow a user to access a particular app ITEM which we will get by sending the URL of the app ITEM to our app and then getting the spaceID and appID and itemID from that URL.  Each user could be trying to access any app ITEM he has access to.

What type of authentication do we need to do for this and how do we store the authentication ids so this user doesn't have to re-authenticate every time?  We will also need to store some info on this user, such that we can do #2 below.

  2.  In this case the trigger will be an inbound email to our mail server - there will be no user intervention.  Our app will detect the inbound email and will take the email and append it as a comment to an existing app item in the same APP that we connected to in #1 above.

How do we authenticate in this case?


I am thinking I need to use "Server Side Flow" Authentication which will give me an access token and refresh token for EACH user (I was originally thinking I could do this one time for all the users within an organization) and I should be able to use this for #1 and #2?

Does this sound right?

Thanks!

Patrick

Patrick Steil Answered


15 comments


BTW, in the case of #1 we would want to add a comment to the app ITEM in the name of the user using this function.

In the case of #2, the incoming email should not be attributed to any user, but to our app.  In other words, we just need access to add or comment on existing ITEMS in that app the user already gave us access to in #1.

Patrick Steil 0 votes

Hi Patrick,

Yes, server side authentication will work in both cases if you store the access and refresh tokens for use in case #2.

You can also use app authentication in case #2, which is what we generally recommend for API authentication when the user is not directly involved.

Casper Fabricius 0 votes

Great, thanks Casper... one other question that will help solidify things for me about Podio authentication...

What if I only had #2 as my app requirement... where there is never directly a user involved... I just want my web app to be able to take incoming emails and add them to an app as new items... how would I do that authentication?

And how would I handle it if I wanted you to use my app to send emails into your app (without knowing your orgid, spaceid beforehand)?

Patrick Steil 0 votes

When no user is directly involved in the interaction with the Podio API, we recommend using app authentication.

However, you can only use app auth for apps that you are the administrator of. While you could ask users to locate and provide your app with the id and access token for their apps, we would not recommend going that way, both for security and usability reasons.

If you want to be able to interact with anyone's app, you have to use the server side auth flow. After that, you would have to list the user's orgs, spaces and apps and let the user select the app. Then you would have both the access tokens and ids needed.

A natural starting point for listing orgs and spaces is this method: https://developers.podio.com/doc/organizations/get-organizations-22344. Once you have the space id, you can use this method to list the apps in that space: https://developers.podio.com/doc/applications/get-apps-by-space-22478

Casper Fabricius 0 votes

Ah, this makes sense and I will actually need to use the Server Side flow for one part of my app as well, thanks!

Also, rather than asking the user for the org/space/app he wants to grant us access to, can I just use the URL to their app that they will give me and then use:

Spaces: Get space by URL

https://developers.podio.com/doc/spaces/get-space-by-url-22481

to get the SpaceID so I can then call 

Applications: Get app on space by URL label

https://developers.podio.com/doc/applications/get-app-on-space-by-url-label-477105

to get the AppID that they want me to have access to?

Will that work also?

Thanks!

Patrick Steil 0 votes
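The URL-based lookup Patrick describes, written out as an added example (my code, not Podio's and not from this thread). It assumes item URLs have the shape `https://podio.com/<org>/<space>/apps/<app-url-label>/items/<item_id>`, that the two linked endpoints are `GET /space/url?url=...` and `GET /app/space/{space_id}/{url_label}` (verify both against the linked docs), and that `send(method, url, headers)` is a hypothetical transport injected so the code runs offline against constructed responses. The user-pasted URL is validated before anything is sent, and the lookup is made with that user's own access token, so Podio, not our app, decides whether the user may see the space and app.

```python
"""Resolve a user-pasted Podio item URL to space_id / app_id / item_id.

Added example, not Podio's code. Endpoint paths and the item-URL shape are
assumptions to check against the linked documentation.
"""
import re
from urllib.parse import quote, urlencode, urlparse

API_BASE = "https://api.podio.com"

# Assumed item-URL shape: https://podio.com/<org>/<space>/apps/<label>/items/<id>
ITEM_PATH = re.compile(
    r"^/(?P<org>[^/]+)/(?P<space>[^/]+)/apps/(?P<app_label>[^/]+)/items/(?P<item_id>\d+)/?$"
)


class PodioApiError(Exception):
    """Raised when the (fake) API refuses a request; carries the HTTP status."""


def parse_item_url(url):
    """Validate the user-supplied URL before it reaches the API.

    Only https://podio.com item URLs are accepted, so a pasted link cannot
    steer the lookup to another host or to an arbitrary API path.
    """
    p = urlparse(url)
    if p.scheme != "https" or p.netloc != "podio.com":
        raise ValueError("expected an https://podio.com URL")
    m = ITEM_PATH.match(p.path)
    if not m:
        raise ValueError("URL is not a Podio item URL")
    return {
        "space_url": f"https://podio.com/{m['org']}/{m['space']}",
        "app_label": m["app_label"],
        "item_id": int(m["item_id"]),
    }


def is_item_url(url):
    """True if parse_item_url would accept the URL."""
    try:
        parse_item_url(url)
        return True
    except ValueError:
        return False


def resolve_item(url, access_token, send):
    """Turn the URL into ids using the *user's* token.

    Podio only returns the space and app if that user can see them, so the
    access decision stays with the API rather than with our app.
    """
    parts = parse_item_url(url)
    headers = {"Authorization": f"OAuth2 {access_token}"}  # Podio's header format
    space = send("GET", f"{API_BASE}/space/url?{urlencode({'url': parts['space_url']})}", headers)
    app = send(
        "GET",
        f"{API_BASE}/app/space/{space['space_id']}/{quote(parts['app_label'], safe='')}",
        headers,
    )
    return {"space_id": space["space_id"], "app_id": app["app_id"], "item_id": parts["item_id"]}


# Constructed responses standing in for Podio; the real API needs a live token.
CONSTRUCTED = {
    f"{API_BASE}/space/url?url=https%3A%2F%2Fpodio.com%2Facme%2Fsupport": {"space_id": 101},
    f"{API_BASE}/app/space/101/tickets": {"app_id": 202},
}


def fake_send(method, url, headers):
    """Hypothetical transport: rejects bad tokens and unknown (forbidden) URLs."""
    if headers.get("Authorization") != "OAuth2 user-token-placeholder":
        raise PodioApiError(401)
    if url not in CONSTRUCTED:
        raise PodioApiError(403)  # the caller must handle "user cannot see this"
    return CONSTRUCTED[url]


def demo():
    return resolve_item(
        "https://podio.com/acme/support/apps/tickets/items/303",
        "user-token-placeholder",
        fake_send,
    )


if __name__ == "__main__":
    print(demo())
```

A 403 from the real API here means the authenticated user does not have access to that space or app; treat it as "not found for this user" rather than retrying with a more privileged token.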

Casper, I have some follow up questions on this... for #2 we want to:


  • Take an incoming email to our email server and create an App Item in a random App that we have an appID for.  (It may be one that I don't have any personal access to).

#1.  The Item Api only lists "App Authentication" as a form of auth for that API, no Server Side Flow... so Question #1 - is App Auth my only choice in this case?

#2.  I don't understand how App Auth works... does anyone who has access to (or guesses) my AppID have access to create a new item via the API using App Auth?  That is great if so because it will make our app work fine, but seems like a pretty big security hole?

What am I missing?

Thanks!

Patrick Steil 0 votes

#1 Authenticating as a user (server side flow, password flow) is always possible. We don't list it because it's always available. We show App Authentication for each API operation because it's only available for select ones.

#2 The app token is a secret and should be treated as such. Think of it as a *limited* password to your app (it can only create items and act on items it has permission to change e.g. items it created itself). There's no security issue. The app token is significantly harder to guess than your Podio password (unless you have an extremely long Podio password). Just don't make it public -- in the same way you wouldn't hand your Podio password to a stranger.

Andreas Haugstrup Pedersen 0 votes
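The two ways of authenticating that Casper and Andreas describe, as an added example (my code, not Podio's and not from this thread): the server side flow, which yields an access token and refresh token per user that the app stores and refreshes, and app authentication, which acts as the app itself using the app id and secret app token. It assumes Podio's authorize URL is `https://podio.com/oauth/authorize` and its token endpoint is `POST https://podio.com/oauth/token` with `grant_type` values `authorization_code`, `refresh_token` and `app` (check against the current OAuth docs), and that `send(url, form)` is a hypothetical transport injected so the code runs offline against a constructed token endpoint.

```python
"""Per-user server-side-flow tokens with refresh, beside app authentication.

Added example, not Podio's code. The OAuth endpoint and grant_type values are
assumptions to verify against Podio's documentation.
"""
import hmac
import secrets
import time
from urllib.parse import urlencode

AUTHORIZE_URL = "https://podio.com/oauth/authorize"
TOKEN_URL = "https://podio.com/oauth/token"
EARLY_REFRESH = 300  # refresh this many seconds before the access token expires


def new_state():
    """Unguessable per-login value carried through the redirect (CSRF defence)."""
    return secrets.token_urlsafe(32)


def state_matches(expected, received):
    """Constant-time comparison of the state stored at login with the one returned."""
    return hmac.compare_digest(expected, received)


def authorize_url(client_id, redirect_uri, state):
    """Step 1 of the server side flow: send the user's browser here."""
    return AUTHORIZE_URL + "?" + urlencode(
        {"client_id": client_id, "redirect_uri": redirect_uri, "state": state}
    )


class PodioAuth:
    """Holds the client credentials and each user's stored tokens."""

    def __init__(self, client_id, client_secret, send, now=time.time):
        self._client_id = client_id
        self._client_secret = client_secret  # never log this or any token below
        self._send = send
        self._now = now
        self._users = {}  # user_id -> {"access_token", "refresh_token", "expires_at"}

    def _grant(self, **fields):
        form = {"client_id": self._client_id, "client_secret": self._client_secret, **fields}
        resp = self._send(TOKEN_URL, form)
        return {
            "access_token": resp["access_token"],
            "refresh_token": resp.get("refresh_token"),
            "expires_at": self._now() + int(resp["expires_in"]),
        }

    def complete_server_side_flow(self, user_id, code, redirect_uri):
        """Step 2: exchange the callback code for this user's tokens and store them."""
        self._users[user_id] = self._grant(
            grant_type="authorization_code", code=code, redirect_uri=redirect_uri
        )

    def user_access_token(self, user_id):
        """Valid access token for a stored user, refreshed when close to expiry."""
        tok = self._users[user_id]
        if tok["expires_at"] - self._now() < EARLY_REFRESH:
            tok = self._grant(grant_type="refresh_token", refresh_token=tok["refresh_token"])
            self._users[user_id] = tok
        return tok["access_token"]

    def app_access_token(self, app_id, app_token):
        """App authentication: acts as the app, not as any user. The app token is
        a secret with app-scoped rights, and the client_secret is still required."""
        return self._grant(grant_type="app", app_id=str(app_id), app_token=app_token)["access_token"]


class FakeTokenEndpoint:
    """Constructed stand-in for the token endpoint so the example runs offline."""

    def __init__(self):
        self.calls = []
        self._n = 0

    def __call__(self, url, form):
        if url != TOKEN_URL or form["client_secret"] != "client-secret-placeholder":
            raise PermissionError("bad client credentials")
        self.calls.append(form["grant_type"])
        self._n += 1
        resp = {"access_token": f"access-{self._n}", "token_type": "bearer", "expires_in": 28800}
        if form["grant_type"] in ("authorization_code", "refresh_token"):
            resp["refresh_token"] = f"refresh-{self._n}"
        return resp


def demo():
    clock = [1_000_000.0]
    fake = FakeTokenEndpoint()
    auth = PodioAuth("client-id-placeholder", "client-secret-placeholder", fake, now=lambda: clock[0])
    auth.complete_server_side_flow("user-42", "code-from-callback", "https://example.invalid/cb")
    first = auth.user_access_token("user-42")
    clock[0] += 28800 - 60  # now within EARLY_REFRESH of expiry, so the next call refreshes
    second = auth.user_access_token("user-42")
    app = auth.app_access_token(123456, "app-token-placeholder")
    return first, second, app, fake.calls


if __name__ == "__main__":
    print(demo())
```

The refresh token and the app token are long-lived credentials: keep them in a secrets store or encrypted at rest, keyed to the user (or app) they belong to, and keep the `client_secret` server-side only, since every grant above requires it in addition to the user's code or the app token.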

Thanks Andreas!  But the app token is provided by Podio during the App Auth post, correct?  What stops some random company who is using the API from gaining access to create an item in my App without my permission?

Patrick Steil 0 votes

Oh, I just found this:

You can find the Podio App ID and Podio App Token by going to your app in Podio and clicking the Developer link in the settings dropdown.

I get it... 

Patrick Steil 0 votes

One last question... if we use server side flow to authenticate, can we then query to get that app token that we can then use later for App Authentication?  Or does some user HAVE to give us that token?

Patrick Steil 0 votes