How can I use stunnel to test my Asana API calls

Question

Any idea how I can test

I have a GWT app that retrieves data from the Asana API.

I've not been able to test locally since the Deprecation of OAuth 2.0 ‘http’ Redirects.

The Asana Docs (https://asana.com/developers/feed/oauth-http-redirect-deprecation) say I can use stunnel: "For non-production or personal use, you may wish to check out stunnel, which can act as a proxy to receive an encrypted connection, decrypt it, and forward it on to your application"

My stunnel config so far is:

[asana_test]
accept  = 9999
connect = 8888
cert = stunnel.pem

And my app is configured with:

"auth_uri":"https://app.asana.com/-/oauth_authorize",
"token_uri":"https://app.asana.com/-/oauth_token",
"redirect_uris":["https://127.0.0.1:9999/asanaoauth2callback"],
"javascript_origins":["http://127.0.0.1:8888"]

but with that I get a 500 error on the url https://127.0.0.1:9999/asanaoauth2callback?code=xxxx:

HTTP ERROR 500
Problem accessing /asanaoauth2callback. Reason:
Could not verify SSL certificate for URL: https://app.asana.com/-/oauth_token

Answer 1

I'm a Developer Advocate here at Asana. I can maybe tell you the answer to your question, but first, it's worth highlighting that there should be an easier way:

tl;dr: At one point, due to a proactive security fix, we become somewhat too restrictive with our redirect URI checking. We've since relaxed a bit for testing/development apps: if and only if your app's redirect url begins with "http://localhost", we should allow you to use that url without using https for the redirect.

---

Alternatively, the stunnel route is intended to provide a workaround for folks who choose to go that route. My suspicion is that the certificate that is being used by stunnel is self-signed, so when your app tries to redirect to that location, whatever is being redirected (probably a browser) doesn't like the certificate - it's the equivalent of the "This site is unsafe" big red lock thing that happens when you go to any website that has a certificate that didn't come from a Certificate Authority.

(what is slightly odd to me is that it seems to be saying that it couldn't verify the certificate for asana.com - which is indeed issued by a CA. That's a separate issue and harder to debug, because it should be absolutely fine to try to connect to asana.com with https)