
I'm building a marketing service wherein we provide widgets for various companies to host on their websites. These widgets should talk to REST APIs on my server directly from the browser using JavaScript to fetch and post information. The end user may or may not need to be authorised depending on the type of data they access. We need to authenticate the end user using popular social networks such as Facebook, Twitter etc. In effect our server side API needs to verify two things: 1. the call is coming from the respective company's website; 2. the call is made by the appropriate end user.

I'm not sure what kind of authentication I have to use here. I think I cannot use OAuth (1.0, 2.0), since it requires the consumer key and secret, which cannot be stored securely in JavaScript. Is there any modified OAuth flow which can be used? Has someone solved this problem already? It would be preferable if someone has a Spring based solution on the server side.

Sen
  • We did kind of the same thing, independent of the actual authentication method of the user; see [REST authentication and exposing the API key](http://stackoverflow.com/questions/5472668/rest-authentication-and-exposing-the-api-key/13891103#13891103). That solution is not 100% secure if the user is not authenticated, in which case all requests could be faked by a server side script. But the public data could be scraped from the respective company's websites anyhow. (Though, of course, offering scrapers an API makes their life much easier...) – Arjan Dec 16 '12 at 14:46
  • *"the end user may or may not need to be authorised"* -- authorised, or authenticated? – Arjan Dec 16 '12 at 16:26

1 Answer

You cannot verify that the call is coming from the respective company's website. The call will be coming from an end user's browser, not a site.

Also, there can be no direct call from the browser to your site (at least not using XMLHttpRequest), since your widgets and your server are not on the same domain. You can get around this by using JSONP.

You CAN use OAuth2 and the Implicit Grant flow as described in the specification here: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-31#section-4.2

Jon Nylander
  • One can ensure the domain is correct by setting tokens using a JavaScript file that uses `if(document.domain == 'expected-domain.com')`, *if* one can be sure it's really a browser that fetches the JavaScript, and if the JavaScript cannot be fetched using XHR/Ajax (hence no support for CORS nor JSONP, *for the JavaScript*). However, ensuring it's a browser probably requires the visitor to get some cookie from the API's server, like by *always* requiring user authentication, which is not feasible in the OP's situation. Do you know if OAuth2's Implicit Grant would work for anonymous visitors? – Arjan Dec 16 '12 at 14:51
  • Ah, reading the question again, *maybe* the user is always authenticated, but not always authorised to use some specific web site. It seems that OAuth Implicit Grant works the other way around: the website needs to be authorised by the user. Or maybe it's about authorisation of certain actions, not certain sites. If the user can use any known website, then the blog post [OAuth and Client-Side Widgets](http://supercollider.dk/2009/01/oauth-and-client-side-widgets-154) might help to ensure a known website is used. – Arjan Dec 16 '12 at 16:24