
I'm working on a website and I'm not sure I understand something about authentication.

I've got a website with an external API; my website can ask my API for information to retrieve data like users, articles, ….

In addition, users can create accounts on my website and ask for API access too (with some limitations according to their profile, of course). So my idea is to provide in the user account a key/token to allow them to send/retrieve their data from the API. (Ex. services like Bugsnag, Google Analytics, …)

  • Is this the job of "OAuth 2"? My website is like a client with a key allowing it to retrieve more data (a better scope, basically).
  • If the user adds a JavaScript script with their API token, what protects the user from having their key/token stolen by another user from the DOM?

Thanks!

jidapola
  • Just trying to understand better what you fear about the user adding JavaScript. Where are you expecting the user to expose public JavaScript that would contain his secret API token? For what purpose do you think the user will do it? Can you give an example? – mathk May 11 '16 at 12:51

1 Answer


OAuth 2.0 is not for Authentication.

OpenID Connect is built on OAuth 2.0 and uses JSON Web Tokens, which can be Signed (JWS) and Encrypted (JWE).

jwilleke