
I'm currently trying to set up the server side for a React frontend application. This server interacts with a third-party API through an authorization code grant auth flow. When the user clicks on the login button in the frontend, it gets redirected to the server, which redirects to the login form of the third party. I will then receive the authorization code at the callback route of my server and issue that code to get the access_token for the API resource calls.

Currently, my server redirects back to the React application after successfully retrieving the token, by passing that token in the redirect URL to the frontend. My frontend then stores that token in local storage and uses it whenever a request is made. The requests are sent to my server side, which returns the requested data from that third-party API.

So I guess those are not really good security practices and I want to improve that. But I am struggling with the question of how and where I should safely store my API key so it can be reused.

My idea was that, instead of passing the API access_token directly, I generate a JWT with user information and pass that token in the Authorization header for protected routes later on. When my server then verifies that JWT, it uses the current API access_token to make the request to the API and return the data.

But where do I store that access_token, or should I even store it? Or maybe it is possible to include that token inside the JWT in an encrypted form? Also, I want to avoid using a database to store that simple information for now because I am still only prototyping.

Marcel N.

2 Answers

  1. Don't pass the access_token in the URL; it is not safe, see this post!
  2. If the token is ONLY used from the server, you don't pass it to the React app; you can store it in the server session.
  3. The access_token contains the aud, iss and sub, and a token obtained for the 3rd-party API should not be used for authorizing your API.
  4. With the access_token, the 3rd-party API generates (and sends you) a refresh_token.
  5. If you want to use the authentication from the 3rd-party API, you can check if it also releases an id_token, so you can use it to authenticate your SPA to your API and use (server side) the access_token for accessing the 3rd-party API.
Max

The standard solution is for your UI to manage logins separately from calling the API.

So your UI should talk DIRECTLY to an Authorization Server, then get an access token with which to call the API.

See my post here: https://authguidance.com/2017/09/26/basicspa-oauthworkflow/

It is worth understanding which party is issuing tokens and whether it is done in a standard way.

Gary Archer
  • The API I am working with only supports the authorization code grant auth flow. Therefore, I need to have a server which makes the request to receive the API token in the end, because only the server can store the client secret securely (which is needed for the request). – Marcel N. Jul 25 '19 at 05:18