
I have a set of REST APIs that are secured by oauth 2. I need to access them from an Android app and a webapp.

Accessing the APIs from android app seems pretty straight forward for me to implement. What I am unable to understand here is - what is the correct and secure way to access the same APIs from a webapp?

I am thinking, I shouldn't be making any direct calls to the APIs from the browser, using some JS library, for it seems to me that it would be pretty insecure. Instead, I should keep it all traditional, by submitting requests to the web server and then letting it make the REST API call. This would be similar to the method of making REST calls from Android.

Am I correct in my thinking/approach?

Rishabh

1 Answer


Accessing your API should be the same no matter where the request is coming from. You just use an Authorization header with bearer scheme and stick the JWT token in there.

The way you get the JWT token is different though, as I explain in this answer. It all depends on how much you trust the client application.

If your client is a web application that queries your API from the server side, you can use the code authorization grant and get an access and refresh token for your API.

If you want to access your API from a JavaScript application, you have no way to hide app-keys or refresh tokens, so you should use the implicit grant.

If you know how to store secrets securely on your Android client, you could use the resource owner password grant.

The code authorization grant is definitely the most secure, as it's much harder to compromise a server application than an application that runs on your machine.

MvdD
  • Thank you for your response! Also, I'll look out for a couple of days for any other responses before I mark this as THE answer to my question. – Rishabh Oct 12 '15 at 18:55
  • No worries, let me know if I can clarify the answer in any way. – MvdD Oct 12 '15 at 22:43
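To make the answer's two points concrete (the API call is the same from any client, only the way the token is obtained differs), here is an added example of the server-side web app path, the authorization code grant followed by a bearer-token API call. It is not code from the answer or from any library; every URL, client id, secret, code and token value is a constructed placeholder, and the HTTP transport is a fake injected function so the example runs offline. The client secret and refresh token live only on the web server, which is why this grant is the one to use when the browser never talks to the API directly.

```python
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# All endpoints and credentials are assumed placeholders for this example.
AUTH_ENDPOINT = "https://auth.example.com/oauth/authorize"
TOKEN_ENDPOINT = "https://auth.example.com/oauth/token"
API_URL = "https://api.example.com/v1/items"
REDIRECT_URI = "https://webapp.example.com/oauth/callback"
CLIENT_ID = "webapp-client"
CLIENT_SECRET = "server-only-secret"  # stays on the web server, never sent to the browser


def bearer_headers(access_token):
    """Same header for every caller (web server or Android app): Authorization: Bearer <token>."""
    return {"Authorization": "Bearer " + access_token, "Accept": "application/json"}


def build_authorization_url(scope, state):
    """Step 1 of the authorization code grant: the user's browser is redirected here."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": scope, "state": state}
    return AUTH_ENDPOINT + "?" + urlencode(params)


def handle_callback(callback_url, expected_state, transport):
    """Step 2: browser returns with ?code=...&state=...; the server checks state and
    exchanges the code using its client secret. transport(url, headers, form) ->
    (status, body_text) is injected so the example runs offline."""
    query = parse_qs(urlparse(callback_url).query)
    received_state = query.get("state", [""])[0]
    if not secrets.compare_digest(received_state, expected_state):
        raise ValueError("state mismatch: redirect was not started by this session")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    status, body = transport(
        TOKEN_ENDPOINT,
        {"Authorization": "Basic " + basic,
         "Content-Type": "application/x-www-form-urlencoded"},
        {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI},
    )
    if status != 200:
        raise ValueError(f"token endpoint refused the code: {status} {body}")
    # access_token is used for API calls; refresh_token belongs in server-side session storage
    return json.loads(body)


def call_api(access_token, transport):
    """Step 3: call the protected API with the bearer token."""
    status, body = transport(API_URL, bearer_headers(access_token), None)
    return status, json.loads(body)


# Constructed stand-in for the authorization server and the API (not a real transport).
VALID_CODE = "abc123"
ISSUED_ACCESS_TOKEN = "at-constructed-1"


def fake_transport(url, headers, form):
    expected_basic = "Basic " + base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    if url == TOKEN_ENDPOINT:
        ok = (headers.get("Authorization") == expected_basic
              and form.get("grant_type") == "authorization_code"
              and form.get("code") == VALID_CODE
              and form.get("redirect_uri") == REDIRECT_URI)
        if not ok:
            return 401, json.dumps({"error": "invalid_client"})
        return 200, json.dumps({"access_token": ISSUED_ACCESS_TOKEN,
                                "refresh_token": "rt-constructed-1",
                                "token_type": "Bearer", "expires_in": 3600})
    if url == API_URL:
        if headers.get("Authorization") == "Bearer " + ISSUED_ACCESS_TOKEN:
            return 200, json.dumps({"items": ["a", "b"]})
        return 401, json.dumps({"error": "invalid_token"})
    return 404, "{}"


def run_demo():
    state = "state-constructed-1"  # real code: secrets.token_urlsafe(16), stored in the session
    login_url = build_authorization_url("read", state)
    callback = REDIRECT_URI + "?" + urlencode({"code": VALID_CODE, "state": state})
    tokens = handle_callback(callback, state, fake_transport)
    api_status, api_body = call_api(tokens["access_token"], fake_transport)
    forged_status, _ = call_api("forged-token", fake_transport)
    try:  # a callback whose state does not match the session must be rejected
        handle_callback(REDIRECT_URI + "?code=abc123&state=wrong", state, fake_transport)
        csrf_rejected = False
    except ValueError:
        csrf_rejected = True
    return {"login_url": login_url, "api_status": api_status, "items": api_body["items"],
            "forged_token_status": forged_status, "csrf_rejected": csrf_rejected}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The Android app would reuse `bearer_headers` unchanged; only the way it obtains the token differs, as the answer says. The `state` check is included because the redirect back to the web server is the step an attacker can try to replay.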