Reputation: 479
I am developing a RESTful web service and an Angular-based application to access my web services. Since both are developed by me, I have decided to implement the OAuth 2 Password grant type (we are implementing our own OAuth server). Am I correct in choosing this grant type?
Now I am confused about using the refresh token, since it cannot be stored safely in a browser and, if it gets stolen, it can be used to generate as many access tokens as the hacker wants.
I cannot use a long-lived access token for the same reason, and it defeats the purpose of access tokens.
If I use a short-lived access token, say 60 min, and do not use a refresh token, then I might need to ask the user to log in every hour, which would become annoying for the user.
Is there a better way to handle this or am I missing something in the flow?
I might use the Implicit grant as well, but I believe the problem is the same.
Upvotes: 2
Views: 2032
Reputation: 53918
Since you control all 3 entities (client, Resource Server and Authorization Server) it would be OK to use the Resource Owner Password Credentials grant type, although using the Implicit grant type would give you a way of upgrading the authentication method(s) for your users without modifying your client to deal with a new authentication type.
You can return a refresh token and store it in session storage (window.sessionStorage).
Some more good stuff on tokens and alternatives for storage can be found here: https://auth0.com/blog/2014/01/27/ten-things-you-should-know-about-tokens-and-cookies/
Upvotes: 1
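To make the answer's suggestion concrete, here is an added example (not code from the original question or answer) of a browser-side token client that keeps the short-lived access token in memory only and the refresh token in `sessionStorage`, refreshing silently shortly before expiry so the user is not asked to log in every hour. Everything about the authorization server is assumed: the token endpoint accepts a form-encoded `grant_type=password` or `grant_type=refresh_token` request and returns `access_token`, `expires_in` and `refresh_token`. The in-memory `makeMemoryStorage` and the `makeFakeAuthServer` stand-ins are constructed so the example runs under Node without a browser or network; the fake server also rotates refresh tokens (each one is single-use), which is an assumed server-side mitigation for the concern raised in the question, not something the page describes.

```javascript
// Added example: token handling for a password-grant client in the browser.
// Assumptions (not from the original post): token endpoint shape, a storage
// object with the window.sessionStorage interface, and a now() clock in seconds.

const ACCESS_TOKEN_LIFETIME = 3600; // constructed: 60 minutes, as in the question
const REFRESH_SKEW = 60;            // refresh one minute before the token expires

// Constructed stand-in for window.sessionStorage so the example runs under Node.
function makeMemoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
  };
}

// Constructed stand-in for the authorization server's token endpoint. It issues
// short-lived access tokens and rotates refresh tokens on every use, so a refresh
// token that has already been exchanged is rejected if presented again.
function makeFakeAuthServer(users) {
  let counter = 0;
  const liveRefreshTokens = new Map(); // refresh token -> username
  const issue = (username) => {
    counter += 1;
    const refresh = `rt-${counter}`;
    liveRefreshTokens.set(refresh, username);
    return { access_token: `at-${counter}`, token_type: 'Bearer',
             expires_in: ACCESS_TOKEN_LIFETIME, refresh_token: refresh };
  };
  return {
    token(params) { // params: URLSearchParams, as a form-encoded POST body would carry
      const grant = params.get('grant_type');
      if (grant === 'password') {
        const user = params.get('username');
        if (users[user] !== params.get('password')) return { error: 'invalid_grant' };
        return issue(user);
      }
      if (grant === 'refresh_token') {
        const rt = params.get('refresh_token');
        if (!liveRefreshTokens.has(rt)) return { error: 'invalid_grant' };
        const user = liveRefreshTokens.get(rt);
        liveRefreshTokens.delete(rt); // single use: rotation invalidates the old token
        return issue(user);
      }
      return { error: 'unsupported_grant_type' };
    },
  };
}

class TokenClient {
  constructor({ tokenEndpoint, storage, now }) {
    this.tokenEndpoint = tokenEndpoint; // (URLSearchParams) -> token response; a fetch() in a real app
    this.storage = storage;             // window.sessionStorage in the browser
    this.now = now;
    this.accessToken = null;            // kept in memory only, never written to storage
    this.expiresAt = 0;
  }
  _accept(resp) {
    if (resp.error) throw new Error(`token endpoint returned ${resp.error}`);
    this.accessToken = resp.access_token;
    this.expiresAt = this.now() + resp.expires_in;
    if (resp.refresh_token) this.storage.setItem('refresh_token', resp.refresh_token);
    return this.accessToken;
  }
  login(username, password) {
    const body = new URLSearchParams({ grant_type: 'password', username, password });
    return this._accept(this.tokenEndpoint(body));
  }
  // Returns a usable access token, refreshing it when it is about to expire.
  getAccessToken() {
    if (this.accessToken && this.now() < this.expiresAt - REFRESH_SKEW) return this.accessToken;
    const rt = this.storage.getItem('refresh_token');
    if (!rt) throw new Error('no refresh token; user must log in again');
    const body = new URLSearchParams({ grant_type: 'refresh_token', refresh_token: rt });
    try {
      return this._accept(this.tokenEndpoint(body));
    } catch (e) {
      this.storage.removeItem('refresh_token'); // refresh failed: force a fresh login
      throw e;
    }
  }
  logout() { this.accessToken = null; this.expiresAt = 0; this.storage.removeItem('refresh_token'); }
}

// Walk through one session with constructed credentials and a controllable clock.
function demo() {
  let clock = 1000;
  const server = makeFakeAuthServer({ alice: 'correct horse' }); // constructed user
  const client = new TokenClient({ tokenEndpoint: (p) => server.token(p),
                                   storage: makeMemoryStorage(), now: () => clock });
  const first = client.login('alice', 'correct horse');
  clock += 1800;                               // 30 min later: cached token still valid
  const sameToken = client.getAccessToken();
  clock += 1800;                               // 60 min: inside the skew window, refreshed silently
  const second = client.getAccessToken();
  const replay = server.token(new URLSearchParams({ grant_type: 'refresh_token', refresh_token: 'rt-1' }));
  return { first, sameToken, second, replayRejected: replay.error === 'invalid_grant' };
}
```

The user logs in once; the client hands out the same access token for the next hour and then exchanges the stored refresh token for a new pair without any user interaction. Because the fake server rotates refresh tokens, the first refresh token is dead after that exchange, which bounds what a copied refresh token is worth to the window before the legitimate client next refreshes.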