I am currently developing a multi-platform application (clients will include embedded mobile applications and the original AJAX Javascript client) focused on the REST API. Since the API may be open to third parties in the future, I am considering using OAuth 2.0 for authentication and authorization using the API.
I am trying to deal with some security issues with this arrangement, especially regarding the javascript client. I donβt want this client to act like a third-party client, with all the connection of redirects and pop-ups, etc., which seems to focus on most of the OAuth documentation. Since it will be delivered from my own domain, I think the server side of the webapp can be the actual client and keep client secrets and update tokens, while javascript retrieves new auth tokens from the server as needed.
To put it in a step-by-step form:
- The user logs in using a non-ajax html form, generating authentication tokens and updates that are stored on the server side. This sets an HTTP-only login session cookie.
- The javascript client code is sent to the user's browser after logging in.
- The javascript client makes a request to a resource that is part of its own application (and not part of the REST api) to get a token. The session cookie ensures that the client is authentic and the referent will also be verified. Auth identifier is returned.
- The javascript client validates the token using the REST API.
- Now the client can use the token to request requests to the REST API before its expiration.
- If the authentication token expires or the page is closed and reopened, the javascript client may request a new token. The webapp server part takes care of updating the token and sends a new token while the login session cookie remains valid.
Does this make sense, or will it leave massive holes in the system? In particular, is it inconvenient to have a resource on the Internet that issues authentication tokens based on the cookie set?
source share