Reputation: 1297
Let's say I have a REST API and a frontend that is separate in AngularJS.
How do I use OAuth 2 to log in this user without redirecting and asking to "authorize application", etc.?
Basically what I want to do is:
But in every OAuth 2 flow example I look at, there is the redirect URL part with authorization of the application, and it sends the user somewhere else. But my AngularJS app is the application itself.
I do not intend to use Google/Facebook or any other provider. The user database and the OAuth server are hosted on the API itself.
So what is the proper flow in this scenario?
Upvotes: 0
Views: 706
Reputation: 19802
With OAuth, the flow requires that you log in through specific providers' pages. For example, with SSO (say, Facebook), you'll log in through the native Facebook login. This is done for security reasons (purposely not elaborating on that, because I don't know enough about the security implications).
There's a library called Auth0 that we've had some success with. It uses OAuth. Basically, it provides two implementations: a redirect (like you're talking about), or "popup" mode, which basically handles authentication in either A) a popup in the background (in the case of email/password authentication) or B) a popup in the foreground (in the case of, say, Facebook or Instagram login).
I think OAuth is useful for cases of SSO, or if using a provider like Auth0 (who manages your user database, and thus requires authentication through Auth0).
However, if you don't want to use an outside provider like Auth0, and you're not using SSO, I don't see why you would want to attempt to implement an OAuth flow in your app to begin with.
Usually this can just be handled by storing a JWT in your own database alongside each user and authenticating that way.
Upvotes: 2