
In my web application, which happens to be a SPA (Single Page Application), I have OpenID and OAuth2.0 clients for user authentication using a third-party service. Namely, Google (OpenID), Yahoo (OpenID), Windows Live (OAuth2) and Facebook (OAuth2).

Now, I have set up a token endpoint which exchanges user credentials for a bearer token. The goal here is to replace cookies with an Authorization header set in all requests of the SPA. For this, I'm using the OAuth2.0 client password authentication strategy with a 'password' grant_type to authenticate the user based on their credentials (oauth2orize + passport-oauth2-client-password).

I am wondering:

  • How can I keep using the bearer token authentication method for users authenticated using a 3rd-party service?

  • Is there anything in the OAuth2.0 spec which handles this case?

  • What is the common practice for this kind of implementation?

Tug
    As a quick fix, I decided to generate a bearer token on the authentication callback, serialize the token object and set it as a hash parameter when redirecting to the SPA url. I don't see any other good solution at the moment. – Tug Sep 20 '14 at 23:08
  • That's the same thing I did. Plus, after my page is loaded with the token in the hash, I store it in the localStorage and remove the hash to make the url look more aesthetic. – mati.o Jan 01 '17 at 16:05

0 Answers