oauth 2.0 - Javascript App with OAuth2 Authorization Code Flow?


Can you implement the "authorization code flow" in this situation?

a single page app at www.app.com

a REST backend at www.backend.com

Is it possible to obtain the "authorization code" via JavaScript, and then pass it to the "backend" to get the "access token"?

In theory, using the authorization code flow (or hybrid flow) from a JS/mobile/desktop application is possible, and you don't need to store client credentials (you could, of course, but since extracting them is easy it would be pointless).

Contrary to popular belief, client authentication is not required for "public" applications (i.e. apps that cannot safely store credentials, which includes JS apps) when using the authorization code flow:

If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements), the client MUST authenticate with the authorization server as described in Section 3.2.1.

https://tools.ietf.org/html/rfc6749#section-4.1.3

If the Client is a Confidential Client, then it MUST authenticate to the Token Endpoint using the authentication method registered for its client_id, as described in Section 9.

http://openid.net/specs/openid-connect-core-1_0.html#tokenrequest

In practice, I'm pretty sure authorization/authentication servers enforce client authentication when using the authorization code flow, and instead recommend using the implicit flow for public apps.

If the authorization server supports this scenario, using the authorization code flow in a JS app should be easy if you use response_mode=query (or better: response_mode=fragment, as suggested by @hans), since you can use the JS main page as the redirect_uri and use JS to extract the authorization code from the query string or fragment.
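The client-side part of the answer above, as an added example that is not part of the original question or answer: a browser helper that pulls the authorization code out of the URL the authorization server redirected to (handling both response_mode=query and response_mode=fragment), checks the state parameter the app generated before the redirect, hands the code to the backend, and builds the token request a public client sends without any client_secret. The hostnames, the /oauth/callback backend path, the client_id value and the parameter names are assumptions for illustration only; it runs under Node for the sample URLs without a browser.

```javascript
// Added example (not from the original post). Assumed: the SPA lives at
// https://www.app.com, the backend at https://www.backend.com/oauth/callback,
// and the app registered the client_id "spa-client" as a public client.

// Generate the `state` value the app stores (e.g. in sessionStorage) before
// redirecting the browser to the authorization endpoint. It must be
// unguessable so an attacker cannot forge a redirect with their own code.
function generateState(byteLength = 32) {
  const cryptoObj = globalThis.crypto || require('crypto').webcrypto;
  const bytes = new Uint8Array(byteLength);
  cryptoObj.getRandomValues(bytes);
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Parse the URL the authorization server sent the user back to.
// response_mode=query puts the parameters in "?...", response_mode=fragment
// in "#..." (the fragment is never sent to the server hosting the page, which
// is why the answer prefers it). Throws on an error response, a missing code,
// or a state that does not match the one this app generated.
function parseAuthorizationResponse(redirectedUrl, expectedState) {
  const url = new URL(redirectedUrl);
  const query = url.searchParams;
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ''));
  const params = query.has('code') || query.has('error') ? query : fragment;

  if (params.has('error')) {
    const desc = params.get('error_description') || '';
    throw new Error(`authorization failed: ${params.get('error')} ${desc}`.trim());
  }
  const code = params.get('code');
  const state = params.get('state');
  if (!code) throw new Error('no authorization code in redirect URL');
  if (!expectedState || state !== expectedState) {
    throw new Error('state mismatch: rejecting redirect (possible CSRF)');
  }
  return { code, state };
}

// Body of the token request (application/x-www-form-urlencoded) for a public
// client: client_id is sent, client_secret is not. Whoever talks to the token
// endpoint (the backend in the question, or the SPA itself) sends this.
function buildTokenRequest(code, { clientId, redirectUri }) {
  return new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    redirect_uri: redirectUri,
    client_id: clientId,
  }).toString();
}

// Hand the code to the backend, which then exchanges it for the access token.
// fetchImpl is injectable so this can be exercised without a network.
async function handOffCodeToBackend(code, { backendUrl, fetchImpl = globalThis.fetch }) {
  const res = await fetchImpl(`${backendUrl}/oauth/callback`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    credentials: 'include',
    body: JSON.stringify({ code }),
  });
  if (!res.ok) throw new Error(`backend rejected the code: HTTP ${res.status}`);
  return res.json();
}

// Constructed sample: the redirect the app would see with response_mode=fragment.
const SAMPLE_STATE = 'c0ffee1234';
const SAMPLE_REDIRECT = `https://www.app.com/#code=SplxlOBeZQQYbYS6WxSbIA&state=${SAMPLE_STATE}`;

function demo() {
  const { code } = parseAuthorizationResponse(SAMPLE_REDIRECT, SAMPLE_STATE);
  return buildTokenRequest(code, {
    clientId: 'spa-client',
    redirectUri: 'https://www.app.com/',
  });
}
```

In a real page the app would call generateState() before building the authorization URL, store the value, and pass the stored value as expectedState when the redirect lands on the main page; the state check is what stops an attacker from completing the flow with a code they obtained themselves.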

