Sen

Reputation: 21

Authenticating javascript widget using oAuth

I'm building a marketing service wherein we provide widgets for various companies to host on their websites. These widgets should talk to REST APIs on my server directly from the browser using JavaScript to fetch and post information. The end user may or may not need to be authorised depending on the type of data they access. We need to authenticate the end user using popular social networks such as Facebook, Twitter etc. In effect our server-side API needs to verify two things: 1. the call is coming from the respective company's website; 2. the call is made by the appropriate end user.

I'm not sure what kind of authentication I have to use here. I think I cannot use OAuth (1.0, 2.0), since it requires the consumer key and secret, which cannot be stored securely in JavaScript. Is there any modified OAuth flow which can be used? Has someone solved this problem already? It would be preferable if someone has a Spring-based solution on the server side.

Upvotes: 2

Views: 1068

Answers (1)

Jon Nylander

Reputation: 8963

You cannot verify that the call is coming from the respective company's website. The call will be coming from an end user's browser, not a site.

Also, there can be no direct call from the browser to your site (at least not using XMLHttpRequest), since your widgets and your server are not on the same domain. You can get around this by using JSONP.

You CAN use OAuth2, and the Implicit Grant flow as described in the specification here: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-31#section-4.2

Upvotes: 1
