
I've a REST API, with an OAuth 2 authentication mechanism (FOSOAuthServerBundle on a Symfony 3 application).

To get/refresh a token, the URL looks like: https://api.example.com/oauth/v2/token?grant_type=[password|refresh_token]&client_id=[client_id]&client_secret=[client_secret]&username=[username]&password=[password]

This works great on server-to-server calls, but can't be applied on JavaScript apps.

How can I implement API OAuth 2 authentication from a front application? (JWT is not present on the server.)

Sylvain

1 Answer

In the context you described, the best option (if not able to change the API) is to create a thin proxy to add another layer of protection to your token.

Given you are probably a JavaScript developer, you can easily use AWS API Gateway + Lambda to create that without needing a server.

A server dies every time someone implements OAuth in a single page web-app. Stop the genocide! Use a server side proxy! Act now!

— Alex Bilbie (@alexbilbie) (https://github.com/alexbilbie/alexbilbie.github.com/blob/master/_posts/2014-11-11-oauth-and-javascript.md)

Udan
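The thin proxy the answer recommends, as an added example that is not code from the question, the answer, or FOSOAuthServerBundle. It is written as an AWS Lambda-style handler in Node.js so it can sit behind API Gateway (or be mounted in any Node server). The browser posts only its own inputs (username and password, or a refresh token); the proxy adds the confidential `client_id`/`client_secret` from its own configuration and forwards the request to the token endpoint, so the secret never ships to the browser and a caller cannot substitute its own. The endpoint URL is the one from the question; the credentials, the `fakeUpstreamFetch` stand-in and all sample values are constructed for the example, and Node 18+ is assumed for the global `fetch` and `URLSearchParams`.

```javascript
// Added example (not from the question or answer): a thin token proxy for a
// browser app that must use the password / refresh_token grants of an OAuth 2
// server whose client_secret must stay server-side.
//
// Assumptions (hypothetical unless noted): TOKEN_ENDPOINT is the URL from the
// question; credentials would come from environment variables in a real
// deployment; Node 18+ for global fetch and URLSearchParams.

const TOKEN_ENDPOINT = "https://api.example.com/oauth/v2/token";
const ALLOWED_GRANTS = new Set(["password", "refresh_token"]);
const PASSTHROUGH_FIELDS = ["access_token", "token_type", "expires_in", "scope",
  "refresh_token", "error", "error_description"];

// Build the upstream form body. Only the fields the chosen grant needs are
// copied from the browser's request; client_id/client_secret always come from
// the server's own configuration, so a caller can neither read nor replace them.
function buildUpstreamParams(clientBody, credentials) {
  const grant = clientBody.grant_type;
  if (!ALLOWED_GRANTS.has(grant)) throw new Error("unsupported grant_type");
  const params = new URLSearchParams({
    grant_type: grant,
    client_id: credentials.clientId,
    client_secret: credentials.clientSecret,
  });
  if (grant === "password") {
    if (!clientBody.username || !clientBody.password) throw new Error("username and password required");
    params.set("username", clientBody.username);
    params.set("password", clientBody.password);
  } else {
    if (!clientBody.refresh_token) throw new Error("refresh_token required");
    params.set("refresh_token", clientBody.refresh_token);
  }
  return params;
}

// Keep only the token-response fields the browser needs; anything else the
// upstream server might include is dropped rather than relayed.
function pickTokenFields(data) {
  const picked = {};
  for (const key of PASSTHROUGH_FIELDS) if (key in data) picked[key] = data[key];
  return picked;
}

// Forward to the token endpoint. Unlike the GET-with-query-string form in the
// question, this POSTs a form body so the password and secret stay out of URL
// access logs. fetchImpl is injectable so the example can run offline.
async function proxyTokenRequest(clientBody, credentials, fetchImpl = globalThis.fetch) {
  let params;
  try {
    params = buildUpstreamParams(clientBody, credentials);
  } catch (err) {
    return { status: 400, body: { error: "invalid_request", error_description: err.message } };
  }
  const upstream = await fetchImpl(TOKEN_ENDPOINT, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: params.toString(),
  });
  return { status: upstream.status, body: pickTokenFields(await upstream.json()) };
}

// Lambda-style entry point: API Gateway hands over the JSON body as a string.
// Malformed JSON is treated as an empty request and therefore rejected with 400.
async function handler(event, credentials, fetchImpl = globalThis.fetch) {
  let clientBody;
  try { clientBody = JSON.parse(event.body || "{}"); } catch { clientBody = {}; }
  const result = await proxyTokenRequest(clientBody, credentials, fetchImpl);
  return {
    statusCode: result.status,
    headers: { "Content-Type": "application/json", "Cache-Control": "no-store" },
    body: JSON.stringify(result.body),
  };
}

// --- Constructed offline stand-ins for demonstration only ---
const EXAMPLE_CREDENTIALS = { clientId: "example-client-id", clientSecret: "s3cr3t-example" };

// Pretend token endpoint: accepts the request only if the real client_secret
// arrived, and includes an extra field to show that the proxy filters it out.
function fakeUpstreamFetch(url, init) {
  const sent = new URLSearchParams(init.body);
  const ok = sent.get("client_secret") === EXAMPLE_CREDENTIALS.clientSecret;
  const data = ok
    ? { access_token: "constructed-access-token", token_type: "bearer", expires_in: 3600,
        refresh_token: "constructed-refresh-token", internal_debug: "should not leak" }
    : { error: "invalid_client", error_description: "constructed rejection" };
  return Promise.resolve({ status: ok ? 200 : 401, json: async () => data });
}

// Stand-alone demo: the browser never supplied the secret; the proxy added it.
handler({ body: JSON.stringify({ grant_type: "password", username: "alice", password: "correct horse" }) },
  EXAMPLE_CREDENTIALS, fakeUpstreamFetch).then((res) => console.log(res.statusCode, res.body));
```

The browser then talks only to this proxy, keeps the returned access token in memory, and calls the proxy again with `grant_type=refresh_token` when it expires; if the proxy instead stores the tokens in an HttpOnly cookie and forwards API calls itself, the token never reaches browser JavaScript at all, which is the stronger form of the answer's "another layer of protection".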