3

I have built an API in node.js (w/ Express) which presently supports OAuth 2.0 server-side (explicit) authentication. I would like to allow clients to connect to the app via javascript libraries (client-side implicit authentication).

First, I understand I'll need to enable CORS on my server.

My present understanding of the problem with implicit authentication is the fact that we cannot ask the javascript client to include the 3rd party application's secret in the request, because this would involve coding the secret into the javascript, which would be a security risk (exposing the secret key). Thus, requests made from the javascript client are signed with just the application token (and no secret). In order to guarantee security on the API end, then, we must match the domain serving the javascript against a registered domain for the 3rd party app it claims to be acting on behalf of.

In other words, it sounds like the process works like this, on the API end:

  1. If an incoming request lacks a "secret" for the 3rd party application, inspect the request headers
  2. If the headers confirm that the request is being made on behalf of a domain name which is registered against this 3rd party app, consider the application verified (and proceed to authenticate the access_token, if provided).

My confusion is this:

Can't request headers be spoofed? How can I be sure that the javascript client making the request is truly residing on the domain which it claims it is?

Zane Claes

1 Answer

3

You should be able to trust the browser to prevent the client from changing the referrer info you find in the header. Most APIs will be happy about checking the referrer in this case.

This can be improved by having your server serve the client with a quickly expiring token. The token uses a secret that is not publicly available.

  1. 3rd party server asks for token using shared secret to your server
  2. 3rd party server serves token to its client
  3. client makes request to your server providing referrer (assured by browser), and token
  4. your server verifies both before replying

Of course, if someone uses a command line tool, a browser extension, or a server, they will have an easier time sending anything they'd like in the request, but they only have the window in which the token will expire, and you could always ban the IP address if you feel the client IP is abusing the service.

Pascal Belloncle