We have a regular web application with cookie-based auth, and now we want to split the frontend and backend (API) in order to have a third-party public API. So our backend will be on one domain and the frontend on another.
For authorization we would like to switch to OAuth 2 with JWT. In this case our frontend app will have to use an access_token instead of a cookie session, and that brings back a big old question:
How To Remain Logged In - The Infamous "Remember Me" Checkbox (part II from Form based authentication for websites)
From the OAuth2 point of view, our frontend application is going to use something between the Resource Owner Password Credentials Grant and the Implicit Grant. It is closer to the Password Credentials Grant since we are still going to use the usual login form and won't redirect the user to another domain in order to sign in. At the same time it is closer to the Implicit Grant since it's all going to be browser-only and JavaScript-based, with the access_token saved in the browser.
The RFC says the authorization server MUST NOT issue a refresh token if you use the Implicit Grant, and my question is whether that still applies in this use case, when you don't really use a third-party OAuth provider but your own API. Instinctively I feel that having a refresh_token in the browser is a security hole and would like to confirm it with you guys, but that refresh_token seems to be the only way to have persistent login working the same way as we had with cookies.
**UPD** after @FlorentMorselli's comment:
The OpenID specs still do not answer my question of whether I can use a refresh_token with a browser-only application:
- Google says they provide a refresh_token only for access_type=offline
- OpenID Connect Core says you cannot use a Refresh Token with the Implicit Flow
- OpenID Connect Core says nothing about using a refresh_token with the Hybrid Flow
- There's only one place where it says something promising about refresh_token with the Hybrid Flow, but nothing precise
**UPD2** thanks to @reallifelolcat:
It looks like OpenID Connect does not explicitly support the Resource Owner Password Credentials Grant, meaning you have to redirect the user to the OpenID Connect server to perform login. Do you know if there is another way to authenticate with user credentials over OAuth 2.0?
I believe splitting the API and frontend is getting more common these days, and I'd appreciate it if you shared how you solve this persistent-login issue, or whether you drop it completely and force the user to re-login every X weeks.
Thanks!