0

I'm currently working on a web app (using angular js) and I'm a bit stuck because of security. There are a lot of threads and blogs stuff about connecting with third party api from your "own" application (using oauth). But how about connecting with your own api?

Reading about oauth2 i can see that security is not the best in terms of js apps (which can't store secret api keys). Granting implicit access is an option, but isn't it a bit insecure for an app that have - by design - a 100% full api access? If someone steal the token he could, for example, entirely delete the account.

Does some big apps (like fb, tw and so on) use oauth (or some similar protocol) internally for authentication?

Also, I can see an option to put my js app in api's sub folder (as this is the main front end for that api, so it makes sense, right?) and use plain, old php session authentication from php framework. But I'm not sure about that solution as it makes impossible to store api and front end app on different servers, as far as i know.

Anyway, the question is: how to approach secure authentication in main js app which will have full api access?

plunntic iam
  • 964
  • 1
  • 9
  • 18

1 Answers1

0

It looks like this answer makes some sense as a respond to my question.

Also this article is a great point to start - way too long to paste it here.

So to sum up, it looks like server-side proxy for requesting tokens is best way to go, as it can store refresh token in a more secure way (in a http-only cookie).

But I will still wait some time for other answers, because maybe there is some more elegant way to do it.

Community
  • 1
  • 1
plunntic iam
  • 964
  • 1
  • 9
  • 18