
I am building an app using SvelteKit and Django REST Framework. SvelteKit is responsible for rendering the HTML pages (SSR) and Django REST Framework is responsible for providing the RESTful API.

Both the app server and the browser will fetch my RESTful API. I want to protect my RESTful API by adding authorization. After reading some documents, I plan to use OAuth2 (django-oauth-toolkit) and I drew the following chart:

[Image: My auth flow chart]

But I was confused by the following problems:

  • I can use the Authorization Code grant flow to authenticate the app server, but what about the browser?
  • Can I separate the auth server and the RESTful server? If so, how does the auth server protect the RESTful server?

1 Answer


I can use the Authorization Code grant flow to authenticate the app server, but what about the browser?

In fact, the authorization code based flow is the one that is suitable for and meant for web clients. When using this flow, the server will redirect the intermediate code (OAuth code) to the redirect URI passed in the request, so the client can capture that code and make another request to exchange it for an access_token.

Can I separate the auth server and the RESTful server? If so, how does the auth server protect the RESTful server?

Yes, you can. The resource server should talk to the auth server to get the authentication/token object verified.

b.s
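The two points in the answer (the code is redirected back to the registered redirect URI and then exchanged for an access token; the resource server asks the auth server whether a token is valid) can be seen end to end in the following constructed, in-memory simulation. This is an added example written for this page; it is not code from the question, the answer, or django-oauth-toolkit, and every name in it (`AuthorizationServer`, `ResourceServer`, the client ids, the example.com-style URLs and the user "alice") is made up. It goes slightly beyond the answer in one respect: the browser is modelled as a public client that uses PKCE (RFC 7636) instead of a client secret, while the SvelteKit server is a confidential client that presents a secret, and the resource server checks tokens the way RFC 7662 introspection does.

```python
"""Constructed in-memory model of the OAuth2 Authorization Code flow (with PKCE for
the browser client) and token introspection by the resource server. Example code,
not django-oauth-toolkit; all ids, URLs and users are made up."""
import base64
import hashlib
import secrets
import time


def s256(verifier: str) -> str:
    """PKCE S256 transform: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def make_pkce_pair():
    """Client side: a fresh verifier and the challenge sent in the authorize request."""
    verifier = secrets.token_urlsafe(64)
    return verifier, s256(verifier)


class AuthorizationServer:
    """Issues codes and tokens and answers introspection queries (hypothetical)."""

    def __init__(self):
        self.clients = {}  # client_id -> {"redirect_uris": [...], "secret": str | None}
        self.codes = {}    # code -> grant record, removed on first use
        self.tokens = {}   # access token -> {"client_id", "username", "exp"}

    def register_client(self, client_id, redirect_uris, secret=None):
        self.clients[client_id] = {"redirect_uris": list(redirect_uris), "secret": secret}

    def authorize(self, client_id, redirect_uri, user, code_challenge):
        """/authorize: only a registered redirect_uri ever receives a code."""
        client = self.clients.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise ValueError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "user": user, "challenge": code_challenge,
                            "expires": time.time() + 60}  # short-lived code
        return f"{redirect_uri}?code={code}"  # the redirect the browser follows

    def token(self, client_id, code, redirect_uri, code_verifier, client_secret=None):
        """/token: exchange a code for an access token. The code is burned on any attempt."""
        client = self.clients.get(client_id)
        grant = self.codes.pop(code, None)  # single use: a replay finds nothing
        if client is None or grant is None:
            raise ValueError("invalid_grant")
        if client["secret"] is not None and client_secret != client["secret"]:
            raise ValueError("invalid_client")  # confidential client must prove itself
        if (grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri
                or time.time() > grant["expires"]):
            raise ValueError("invalid_grant")
        if not secrets.compare_digest(s256(code_verifier), grant["challenge"]):
            raise ValueError("invalid_grant")  # PKCE: whoever got the code must hold the verifier
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"client_id": client_id, "username": grant["user"],
                              "exp": time.time() + 3600}
        return {"access_token": token, "token_type": "Bearer", "expires_in": 3600}

    def introspect(self, token):
        """/introspect (RFC 7662 shape): the resource server's question 'is this token live?'"""
        info = self.tokens.get(token)
        if info is None or time.time() > info["exp"]:
            return {"active": False}
        return {"active": True, **info}


class ResourceServer:
    """The REST API: it never trusts a bearer token it has not had verified (hypothetical)."""

    def __init__(self, auth_server):
        self.auth = auth_server

    def handle(self, authorization_header):
        if not authorization_header or not authorization_header.startswith("Bearer "):
            return 401, {"error": "missing bearer token"}
        info = self.auth.introspect(authorization_header[len("Bearer "):])
        if not info["active"]:
            return 401, {"error": "invalid_token"}
        return 200, {"hello": info["username"]}


def run_flow():
    """Drive the exchange once for both client types and return the observable results."""
    auth = AuthorizationServer()
    api = ResourceServer(auth)
    auth.register_client("sveltekit-server", ["https://app.example/callback"], secret="s3cret")
    auth.register_client("browser-app", ["https://app.example/cb"])  # public client, no secret
    results = {}
    # 1. Browser (public client): PKCE verifier instead of a secret.
    verifier, challenge = make_pkce_pair()
    location = auth.authorize("browser-app", "https://app.example/cb", "alice", challenge)
    code = location.split("code=")[1]
    tok = auth.token("browser-app", code, "https://app.example/cb", verifier)
    results["ok_status"], results["ok_body"] = api.handle(f"Bearer {tok['access_token']}")
    # 2. Replaying the code must fail: codes are single-use.
    try:
        auth.token("browser-app", code, "https://app.example/cb", verifier)
    except ValueError as e:
        results["replay_error"] = str(e)
    # 3. The resource server rejects a token the auth server never issued.
    results["bad_token_status"] = api.handle("Bearer not-a-real-token")[0]
    # 4. An unregistered redirect_uri is refused before any code exists.
    try:
        auth.authorize("browser-app", "https://evil.example/cb", "alice", challenge)
    except ValueError as e:
        results["bad_redirect_error"] = str(e)
    # 5. The SvelteKit server (confidential client) must present its secret at /token.
    verifier2, challenge2 = make_pkce_pair()
    code2 = auth.authorize("sveltekit-server", "https://app.example/callback",
                           "alice", challenge2).split("code=")[1]
    try:
        auth.token("sveltekit-server", code2, "https://app.example/callback",
                   verifier2, client_secret="wrong")
    except ValueError as e:
        results["bad_secret_error"] = str(e)
    return results


if __name__ == "__main__":
    print(run_flow())
```

The design choice worth noticing is that the resource server holds no signing key and no session table of its own: it only knows the auth server's introspection endpoint, which is what makes the two servers separable. In a real deployment the `introspect` call is an HTTPS request authenticated by the resource server's own credentials, and the `authorize`/`token` calls are the `/o/authorize/` and `/o/token/` style endpoints of whatever OAuth2 provider is used; the checks shown (registered redirect URI, single-use short-lived code, client secret for the confidential client, PKCE for the public one) are the ones that provider performs for you.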