
At the moment I have a JavaScript client with a button doing an AJAX call to a service, and I'd like to add token-based security using OAuth. I am trying to implement an OAuth2 authorization server as well. I'm using DotNetOpenAuth and I've been checking the samples.

The issue is that I don't see how to call for a token from the javascript client without refreshing the page, because there's always a redirection. I've tried these two options, but they don't convince me:

  • Open a new window from JavaScript (window.open) and catch the token once it is in the window.location of the popup window. That avoids the postback, but it is a bit stilted.

  • Implement a service in the authorization server that returns the token via JSON. I think this could work but it wouldn't follow the OAuth2 specification, because there would be no redirection.

Is there a better option to ask for a token without refreshing the whole page?

Any comment would be appreciated. Thanks. David

dave
  • Have a look at http://stackoverflow.com/questions/24881802/dealing-with-expired-access-tokens-in-oauth2-implicit-grant where I propose two ways to handle this issue. Not sure which one is better. – Christian Metzler Jul 22 '14 at 08:51
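
The popup option from the question, as an added example that is not part of the original post: the opener reads the popup's location once it is back on the client's own redirect URI and validates the fragment before using the token. Parameter names follow RFC 6749 section 4.2.2; the function names, the redirect URI and the bearer-only check are assumptions of this example.

```javascript
// Added example: validate the implicit-grant redirect that lands in the popup.
// parseImplicitGrantRedirect and watchPopup are hypothetical helper names.
function parseImplicitGrantRedirect(href, expectedRedirect, expectedState) {
  const url = new URL(href);
  const expected = new URL(expectedRedirect);
  // Only read the fragment when the popup is back on our own redirect URI.
  if (url.origin !== expected.origin || url.pathname !== expected.pathname) {
    throw new Error('unexpected redirect location');
  }
  const params = new URLSearchParams(url.hash.replace(/^#/, ''));
  // state binds the response to the request this page started (CSRF defence).
  if (!expectedState || params.get('state') !== expectedState) {
    throw new Error('state mismatch');
  }
  if (params.has('error')) {
    throw new Error('authorization error: ' + params.get('error'));
  }
  const accessToken = params.get('access_token');
  const tokenType = (params.get('token_type') || '').toLowerCase();
  // Assumption: this client only understands bearer tokens.
  if (!accessToken || tokenType !== 'bearer') {
    throw new Error('missing or unsupported token');
  }
  const expiresIn = Number(params.get('expires_in'));
  return {
    accessToken,
    tokenType,
    expiresIn: Number.isFinite(expiresIn) && expiresIn > 0 ? expiresIn : null,
  };
}

// Browser-only wiring (defined here, not called under Node): poll the popup
// opened with window.open until it returns to redirectUri, then validate.
function watchPopup(popup, redirectUri, state, onDone) {
  const timer = setInterval(() => {
    if (popup.closed) { clearInterval(timer); return onDone(new Error('popup closed')); }
    let href;
    try { href = popup.location.href; } catch (e) { return; } // still cross-origin
    if (!href.startsWith(redirectUri)) return;
    clearInterval(timer);
    popup.close();
    try { onDone(null, parseImplicitGrantRedirect(href, redirectUri, state)); }
    catch (err) { onDone(err); }
  }, 200);
}
```

The `state` value should be generated randomly per request by the opener and kept only in that page's memory until the popup returns.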

0 Answers