
I have a browser-only webapp (no server side), which I need to authenticate with an external service using OAuth2.

The service authenticates via a "token flow" where it responds to the authentication request with a redirect back to the webapp.

In an example use case here the redirect is detected by running isAuthorized in the main html page.

But this example is too simplistic. In my case, the authentication happens far after the creation of the main index.html page, when the user wants to upload a file.

If the main index.html page is loaded again, the page will refresh and would lose all the information and states that the webapp got to prior to the authentication call, right?

My question is: how do I detect the redirect response in the webapp?


EDIT:

Phil, I'm ignoring the storage of the access token problem, for now.

meagar, with Google Drive, I am successfully using a JavaScript client library.

It "somehow" works, but I want to understand the principles of handling the redirect response.

For Dropbox, I posted my question here. The answer recommends to specify a redirect URI that is different than the typical home/main page, in order to detect if the user is coming back from the app authorization flow.

It also recommends to save some information in the "state" parameter to indicate where the user was before the authorization and restore what the user was doing.

My questions are more fundamental:

  • Assuming that the redirect URI is different than the home/main page, and I can detect that user comes back from the app authorization flow, I still don't understand what the "state" should look like. For example, prior to the authorization, a file was opened and data was read to various variables. How can all this information be encapsulated in a state?

  • Assuming the previous state is captured and returned in the redirect response, should I redirect back to the home/main page after I parsed the access token? Wouldn't this reload the page and reset the application?

My questions are probably basic, due to my web programming inexperience. Can someone refer me to an explanation on how to handle the redirect, restore a state, and resume the application flow after authorization?

Thanks

Avner Moshkovitz
  • Use some form of local persistence, eg [`localStorage`](https://developer.mozilla.org/en-US/docs/Web/API/Window/localStorage) – Phil Mar 24 '19 at 01:48
  • You probably want an off-the-shelf client library that understands the OAuth2 implicit grant type, which is specifically for serverless apps like SPAs. – user229044 Mar 24 '19 at 01:49

0 Answers