Reputation: 762
Would be great to get some deeper understanding of how to secure this setup:
Node.js / ExpressJS / Oauth2orize REST API that is protected with oauth2, and hosted on api.domain.com
Backbone.js application that is hosted on domain.com, served via a Node.js / ExpressJS server
Currently the following happens:
1 - User visits the application in the browser and provides a username and password; these are posted to the wrapper (domain.com/login)
2 - The wrapper augments the username and password with a client_id and client_secret and passes these along with the username and password through to api.domain.com/oauth/token. This is done rather than dealing directly with the API in the JavaScript application in order to keep client_id and client_secret secure. This process is only intended for authing; once a token exists the plan is for the JS client to communicate directly with the API.
3 - api.domain.com/oauth/token checks user and password credentials and issues a refresh_token and access_token if credentials pass, alternatively a 401 is returned
4 - The token response, including both refresh_token and access_token, is returned to the JavaScript application as the response to the domain.com/login request. Currently the JavaScript client handles setting Authorization headers and obtaining new access_tokens using the refresh_token.
I have a number of questions:
Firstly, I'm confused in regard to access_token and refresh_token. I suspect I should not be passing the refresh_token to the browser at all; should it instead be cached on the proxy, with the refresh performed via the proxy? Or is it fine for the refresh_token to be passed to the JavaScript app?
Is it fine for either the access_token or refresh_token to be cached in the browser, e.g. in cookies or localStorage? If so, how is this secure? And if not, wouldn't the user have to re-authenticate any time they refreshed the browser?
If someone could illustrate the 'right' steps to take in terms of handling the refresh_token and access_token in the wrapper server and the JavaScript application, that would be much appreciated.
Upvotes: 1
Views: 220