Oleg

Reputation: 1559

What Oauth2 flow to choose for this particular situation?

I have a single page app (call it Collector) on my server and would like my users to have a customizable list of links like :

facebook.com/get_my_latest_posts_about_cats
github.com/get_my_comments_for_repo_LinuxKernel
anynews.com/get_my_soccer_news

They can add new/remove links into their link dialog box every time.

So what I am trying to do is to relieve the user of the pain of logging in every time in order to get data from the facebook, github, news ... server.

Of course, the first time the user clicks on any of his links he will receive the respective login page of the link (e.g. facebook.com/get_my_latest_posts_about_cats -> facebook.com/login), but afterwards I'll use their access token along with the refresh token stored in my Collector database so that they won't have to type their password and username every subsequent time.

My question:

(Please tell me if at least it makes any sense, so that I don't get any false ideas about how this works)

Upvotes: 0

Views: 58

Answers (1)

Ján Halaša

Reputation: 8431

For single page apps, it's usually best to use the implicit flow. This way, the access token only gets to the frontend part and stays in the browser; it doesn't get to your Collector backend, because the access token is located in the hash part (behind "#") of the redirect URL from the OAuth2 server. Then you can store the access token in the browser's sessionStorage to survive reloads. But if you use this flow, you must use HTTPS, otherwise it's not secure (the access token is transferred through an insecure channel).

Maybe you will want to get new tokens before the current ones expire. It's usually done by using iframes, but it depends on the concrete OAuth2 server implementation. You can check http://openid.net/specs/openid-connect-session-1_0.html for OpenID Connect (which is an OAuth2 extension).

Upvotes: 1
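As an added example (not code from the question or the answer), here is how the Collector SPA could consume the implicit-flow redirect the answer describes: read the token out of the URL fragment, check it against the `state` value the SPA issued before redirecting, keep it in sessionStorage and track its expiry so it can be renewed in time. The callback route, the storage keys and the presence of a `state` parameter are assumptions.

```javascript
// Added example, not code from the question or the answer. The OAuth2 server
// redirects to an assumed route such as https://collector.example/cb#access_token=
// ...&token_type=bearer&expires_in=3600&state=...; the fragment never reaches the
// Collector backend. Assumed: the SPA stored its random `state` under "oauth.state".

// Parse the redirect fragment: null when no token, throws on error/state/type problems.
function parseImplicitFragment(fragment, expectedState) {
  const params = new URLSearchParams(fragment.replace(/^#/, ""));
  if (params.has("error")) {
    throw new Error("authorization failed: " + params.get("error"));
  }
  const token = params.get("access_token");
  if (!token) return null;
  // Refuse a token whose state does not match what this SPA issued (forged redirect).
  if (!expectedState || params.get("state") !== expectedState) {
    throw new Error("state mismatch: refusing token");
  }
  if ((params.get("token_type") || "").toLowerCase() !== "bearer") {
    throw new Error("unexpected token_type");
  }
  const expiresIn = Number(params.get("expires_in") || 0);
  return {
    accessToken: token,
    // Absolute expiry (ms) so the SPA can renew before the token dies.
    expiresAt: expiresIn > 0 ? Date.now() + expiresIn * 1000 : null,
  };
}

// Keep the token in sessionStorage: it survives a reload but not a new tab.
function storeToken(storage, tokenInfo) {
  storage.setItem("collector.token", JSON.stringify(tokenInfo));
}

// True when no token is stored or it expires within `marginMs` (renewal cue).
function needsRenewal(storage, now = Date.now(), marginMs = 60000) {
  const raw = storage.getItem("collector.token");
  if (!raw) return true;
  const { expiresAt } = JSON.parse(raw);
  return expiresAt !== null && expiresAt - now < marginMs;
}

// Browser wiring on the callback page (skipped when run outside a browser).
if (typeof window !== "undefined" && window.location.hash) {
  const info = parseImplicitFragment(window.location.hash, window.sessionStorage.getItem("oauth.state"));
  if (info) {
    storeToken(window.sessionStorage, info);
    window.history.replaceState(null, "", window.location.pathname); // drop token from the address bar
  }
}
```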
