
There is an OAuth2 Authorization Server to get an access + refresh token. As far as I understand, the access token can be stored on the client side, because it has a short life cycle. But can the refresh token be stored there? According to information I've read, there is no secure way to do it (here).

So, I have to implement a separate server-side service just to store the refresh token.

Am I right? Is it the only possible way to store the refresh token?

P.S. Client side: AngularJS

asked by anastsiacrs
  • If you have a single page you can store it in memory, if you have multiple pages use localStorage. Just make sure that your server only accepts requests from trusted domains or trusted `client_Id`'s. – A1rPun Feb 19 '16 at 14:03
  • @A1rPun Is localStorage totally secured? And actually client_id is [public information](https://aaronparecki.com/2012/07/29/2/oauth2-simplified) – anastsiacrs Feb 19 '16 at 14:13
  • [LINK](https://aaronparecki.com/2012/07/29/2/oauth2-simplified): After registering your app, you will receive a client ID and a client secret. The client ID is considered public information, and is used to build login URLs, or included in Javascript source code on a page. The client secret must be kept confidential. If a deployed app cannot keep the secret confidential, such as Javascript or native apps, then the secret is not used. – anastsiacrs Feb 19 '16 at 14:30
  • I stumbled across this article recently: http://bitoftech.net/2014/07/16/enable-oauth-refresh-tokens-angularjs-app-using-asp-net-web-api-2-owin/ – Troy Bryant Feb 19 '16 at 14:34

1 Answer

Yes, you are right. If you cannot authenticate with the Authorisation server (i.e. pass the client ID and secret) then you will only get a short-lived access token.

As Angular code is on the client, it would be insecure for it to hold your client secret. Therefore you cannot pass your client secret to the Auth server, so you cannot authenticate.

Also, your server code would not just store a token; it would be expected to host an endpoint which accepts an auth code and then calls the Auth server with that code (and your client credentials) to get a token and refresh token.

The auth code would be supplied to your server endpoint via a call from the auth server, via an HTTP redirect, following successful user login and the user granting access to your app.

answered by iandayman
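The server-side endpoint the answer describes (exchange the auth code using the client credentials, keep the refresh token on the server, hand the browser only a session id and the short-lived access token), as an added Python example that is not part of the original post. The token URL, client id and secret, redirect URI and the in-memory store are assumptions, and `fake_auth_server` is a constructed stand-in for the real authorization server so the code runs offline:

```python
import json
import secrets
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

# Assumed configuration: the client secret lives only here, never in Angular code.
CFG = {"token_url": "https://auth.example/token", "client_id": "my-app",
       "client_secret": "s3cret-only-on-server", "redirect_uri": "https://app.example/cb"}
# Server-side store, session id -> refresh token; it never reaches the browser.
# (Assumption: an in-memory dict stands in for a real server-side store.)
REFRESH_TOKENS = {}

def token_request(params):
    """Build the POST to the token endpoint (RFC 6749 sections 4.1.3 and 6)."""
    body = urlencode(dict(params, client_id=CFG["client_id"],
                          client_secret=CFG["client_secret"])).encode()
    return Request(CFG["token_url"], data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})

def handle_callback(code, post=lambda r: json.load(urlopen(r))):
    """Endpoint the auth server redirects to with ?code=...: exchange the code, keep
    the refresh token server-side, return only a session id and the access token.
    `post` is injectable so the demo can run offline against fake_auth_server."""
    tokens = post(token_request({"grant_type": "authorization_code", "code": code,
                                 "redirect_uri": CFG["redirect_uri"]}))
    session_id = secrets.token_urlsafe(32)
    REFRESH_TOKENS[session_id] = tokens["refresh_token"]
    return {"session_id": session_id, "access_token": tokens["access_token"],
            "expires_in": tokens["expires_in"]}

def refresh_for_session(session_id, post=lambda r: json.load(urlopen(r))):
    """Called by the Angular app when its access token expires; the refresh
    token is looked up by session id and an unknown session gets nothing."""
    refresh = REFRESH_TOKENS.get(session_id)
    if refresh is None:
        raise PermissionError("unknown or expired session")
    tokens = post(token_request({"grant_type": "refresh_token",
                                 "refresh_token": refresh}))
    # Some servers rotate the refresh token on each use: keep the new one.
    REFRESH_TOKENS[session_id] = tokens.get("refresh_token", refresh)
    return {"access_token": tokens["access_token"], "expires_in": tokens["expires_in"]}

def fake_auth_server(req):
    """Constructed stand-in for the real token endpoint (offline runs only): it
    rejects requests without the client secret, the check a browser-held client cannot pass."""
    form = {k: v[0] for k, v in parse_qs(req.data.decode()).items()}
    if form.get("client_secret") != CFG["client_secret"]:
        raise PermissionError("invalid_client")
    return {"access_token": "at-" + form["grant_type"], "expires_in": 3600,
            "refresh_token": "rt-" + secrets.token_hex(4)}
```

The browser keeps only `session_id` and `access_token`; the refresh token is used exclusively by `refresh_for_session` on the server.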