
I'm using the Google OAuth 2.0 authorization code flow in my app. My app needs to use the Google API, so the client side needs to set the access_token as an Authorization header. My app consists of two parts: the frontend is React built with create-react-app and the backend API server is Koa.

Here is the flow:

  1. The client gets the code and sends it back to the server.
  2. The server exchanges the code for an access_token.

The problem is, I have no idea how the API server can send it to the client safely.

  1. If the server sends the access_token in the POST response body, it could be hijacked.
  2. If the server sends the access_token within cookies with httpOnly, the React app built with create-react-app can't get the access_token from the cookie because it's CSR.

So I tried to build a new jsonwebtoken with the access_token and send it to the client within a cookie without the httpOnly option.

I'm struggling with this.
How can the server send some critical information back to the client safely?

dante

1 Answer

This is not related to React. However, the thing is, for most deployed apps you would use SSL, i.e., an encrypted connection, i.e., the https:// you see on most websites. Here is how you can implement it in Koa. It is perfectly fine to send access tokens in headers.

Add SSL to Node.js Koa Server?

Lav Hinsu