I have a single page app (call it Collector) on my server and would like my users to have a customizable list of links like:
facebook.com/get_my_latest_posts_about_cats
github.com/get_my_comments_for_repo_LinuxKernel
anynews.com/get_my_soccer_news
They can add new links to, or remove links from, their link dialog box at any time.
So what I am trying to do is relieve the user of the pain of logging in every time in order to get data from the facebook, github, news ... server.
Of course, the first time the user clicks on any of his links he will receive the respective login page of the link (e.g. facebook.com/get_my_latest_posts_about_cats -> facebook.com/login), but afterwards I'll use their access token along with the refresh token stored in my Collector database so that they won't have to type their password and username every next time.
My question:
(Please tell me if at least it makes any sense, so that I don't get any false ideas about how this works)
Collector web app because I'm doing this for the first time, and the whole authentication process is also new for me, so which one actually would fit my needs?
client_secret in my Collector database.
Upvotes: 0
Views: 58
For single page apps, it's usually best to use the implicit flow. This way, the access token only reaches the frontend part: it stays in the browser and doesn't get to your Collector backend, because the access token is located in the hash part (behind "#") of the redirect URL from an OAuth2 server. Then you can store the access token in the browser's SessionStorage to survive reloads. But if you use this flow, you must use HTTPS, otherwise it's not secure (the access token is transferred through an insecure channel).
Maybe you will want to get new tokens before the current ones expire. It's usually done by using iframes, but it depends on the concrete OAuth2 server implementation. You can check http://openid.net/specs/openid-connect-session-1_0.html for OpenID Connect (which is an OAuth2 extension).
Upvotes: 1