oauth 2.0 - Javascript App with OAuth2 Authorization Code Flow?
Can you implement the "authorization code flow" in this situation?
a single page app at www.app.com
a REST backend at www.backend.com
Is it possible to obtain the "authorization code" via JavaScript and pass it to the "backend", which then obtains the "access token"?
In theory, using the authorization code flow (or hybrid flow) from a JS/mobile/desktop application is possible, and you don't need to store client credentials (you could, of course, but extracting them is so easy that it is pointless).
Contrary to popular belief, client authentication is not required for "public" applications (i.e. apps that cannot safely store credentials, which includes JS apps) when using the authorization code flow:
If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements), the client MUST authenticate with the authorization server as described in Section 3.2.1.
https://tools.ietf.org/html/rfc6749#section-4.1.3
If the Client is a Confidential Client, then it MUST authenticate to the Token Endpoint using the authentication method registered for its client_id, as described in Section 9.
http://openid.net/specs/openid-connect-core-1_0.html#tokenrequest
In practice, I'm pretty sure that authorization/authentication servers enforce client authentication when using the authorization code flow, and instead recommend using the implicit flow for public apps.
If the authorization server supports this scenario, using the authorization code flow in a JS app should be easy if you use response_mode=query (or better: response_mode=fragment, as suggested by @hans), since you can use the JS main page as the redirect_uri, and use JS to extract the authorization code from the query string or fragment.
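The browser-side part of the flow the answer describes, as an added example that is not part of the original question or answer: a helper that reads the authorization code out of the redirect URI for both response_mode=query and response_mode=fragment, rejects an error response or a state value that does not match the one this client generated (RFC 6749 section 4.1.2), and builds the request the single page app sends to its own backend, which then performs the code-for-token exchange. The function names, the backend path /api/oauth/exchange and the sample redirect URLs are assumptions constructed for illustration.

```javascript
// Added example, not code from the original post. Function names, the backend
// endpoint path and the sample URLs below are assumptions for illustration.

function extractAuthorizationCode(redirectedUrl, expectedState) {
  const url = new URL(redirectedUrl);
  // response_mode=query carries the parameters in the query string;
  // response_mode=fragment carries them after '#'. The fragment is preferred
  // when present because the browser never sends it to the server, so the
  // code does not end up in server logs or Referer headers.
  const params = url.hash.length > 1
    ? new URLSearchParams(url.hash.slice(1))
    : url.searchParams;

  // RFC 6749 section 4.1.2.1: the authorization server may answer with an
  // error parameter instead of a code.
  if (params.has('error')) {
    return { ok: false, reason: params.get('error') };
  }

  const code = params.get('code');
  const state = params.get('state');
  if (!code) {
    return { ok: false, reason: 'missing_code' };
  }
  // The state must equal the unguessable value this client stored before
  // redirecting to the authorization endpoint; anything else is not a reply
  // to our own request and must be discarded (CSRF protection, section 10.12).
  if (!expectedState || state !== expectedState) {
    return { ok: false, reason: 'state_mismatch' };
  }
  return { ok: true, code };
}

// The SPA never talks to the token endpoint itself: it hands the code to the
// backend at www.backend.com, which holds any client secret and exchanges the
// code for the access token. The endpoint path is an assumption.
function buildBackendExchange(code, redirectUri) {
  return {
    url: 'https://www.backend.com/api/oauth/exchange',
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ code, redirect_uri: redirectUri }),
  };
}

// Constructed sample redirects for both response modes (not real tokens).
const SAMPLE_QUERY_REDIRECT =
  'https://www.app.com/?code=constructed-sample-code&state=xyz123';
const SAMPLE_FRAGMENT_REDIRECT =
  'https://www.app.com/#code=constructed-sample-code&state=xyz123';

// Ties the two steps together; in a browser the returned request would be
// passed to fetch(req.url, req) and the code removed from the address bar
// with history.replaceState afterwards so it is not reused or bookmarked.
function handleRedirect(redirectedUrl, expectedState) {
  const result = extractAuthorizationCode(redirectedUrl, expectedState);
  if (!result.ok) {
    throw new Error(`authorization failed: ${result.reason}`);
  }
  return buildBackendExchange(result.code, 'https://www.app.com/');
}
```

The state check is the part most often skipped in hand-rolled SPA code; without it the page will happily forward any code an attacker steers the browser to, so the comparison against the value stored before the redirect is not optional.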