I am building a project with both a web app built with React and Next.js and a native app built with React Native. I am looking for a second opinion on the best practice to handle Authorization for the Spotify API that will work on both platforms.

  1. Option 1: Use the Authorization Code Flow with a proxy server to protect the client secret.
     • Native app passes authorization code to proxy server on Heroku using GET request
     • Proxy server passes code, redirect_uri, grant_type, client_id, and client_secret to Spotify API
     • Proxy server passes back access_token, refresh_token, and expires_in to either web app or native app
  2. Option 2: Use the Implicit Grant flow and accept that there is no refresh_token. I would like to avoid this option if possible because the app will be making many requests and it would be more convenient to operate with a refresh_token.

My main concern is keeping the client_secret safe since my understanding is that React and React Native do not make requests server-side. Is it safe to pass back the access_token and refresh_token for a proxy?

Jordan
  • I've earlier covered this in depth here. Please check if this answers the question: https://stackoverflow.com/a/54011649/1235935 – Saptarshi Basu Dec 20 '19 at 16:23
  • @SaptarshiBasu Thank you for the reference, I think it helps point me in the right direction, but I still want to confirm one thing: since you mentioned that JWT tokens are not secret, the contents of which are not secret, does that mean it is safe to pass the tokens from a proxy server-side only app back to my client web app through a GET request? – Jordan Dec 21 '19 at 20:38
  • Actually there is a spec JWE that allows secrets to be passed in JWT. But that's not mandatory because usually JWT is used to carry username, expiry timestamp, etc., which are not secrets. We have to ensure that nobody other than the user gets access to the access token / refresh token JWT, otherwise the attacker can impersonate the user. That's why all the security measures to prevent CSRF & XSS. – Saptarshi Basu Dec 22 '19 at 01:43

0 Answers
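As an added example that is not part of the question, the comments, or any code Spotify ships, here is what the proxy step of Option 1 looks like as a small Node.js handler. The client_secret is read from the proxy's environment (the variable names `SPOTIFY_CLIENT_ID`, `SPOTIFY_CLIENT_SECRET` and `ALLOWED_REDIRECT_URIS` are assumptions of this example), the client app supplies only `code` and `redirect_uri`, and only the token fields the question lists go back. `exchangeCode` takes an injectable `fetch` so the flow can be exercised without network access, and it returns a plain `{ status, headers, body }` object that an Express or Next.js API route would write out.

```javascript
// Added example, not code from the question or from Spotify: a minimal token-exchange
// proxy for Option 1 (Authorization Code Flow). The client_secret is read from the
// proxy's environment and is never sent to, or echoed back to, the React/React Native
// client. Runs on Node.js 18+ (global fetch and URLSearchParams).

// Spotify's documented token endpoint.
const SPOTIFY_TOKEN_URL = "https://accounts.spotify.com/api/token";

// RFC 6749 section 5.1 requires token responses to carry these headers so that no
// browser cache or intermediary stores the access_token / refresh_token.
const NO_STORE_HEADERS = { "Cache-Control": "no-store", Pragma: "no-cache" };

// The environment variable names below are an assumption of this example.
function configFromEnv(env = process.env) {
  return {
    clientId: env.SPOTIFY_CLIENT_ID,
    clientSecret: env.SPOTIFY_CLIENT_SECRET,
    // Comma-separated list of redirect URIs this proxy is willing to complete.
    allowedRedirectUris: (env.ALLOWED_REDIRECT_URIS || "").split(",").filter(Boolean),
  };
}

// Check what the client app sent, whether it arrived as GET query parameters (as the
// question proposes) or as a POST body. Refusing unknown redirect URIs keeps the proxy
// from acting as a generic code-exchange service for redirects it does not own.
function validateExchangeInput(params, allowedRedirectUris) {
  const code = params && params.code;
  const redirectUri = params && params.redirect_uri;
  if (typeof code !== "string" || code.length === 0) {
    throw new Error("missing authorization code");
  }
  if (!allowedRedirectUris.includes(redirectUri)) {
    throw new Error("redirect_uri is not registered with this proxy");
  }
  return { code, redirectUri };
}

// Build the server-to-server request. grant_type, code, redirect_uri, client_id and
// client_secret travel in the form body, exactly the fields the question lists.
function buildTokenRequest({ code, redirectUri }, { clientId, clientSecret }) {
  const body = new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: redirectUri,
    client_id: clientId,
    client_secret: clientSecret,
  });
  return {
    url: SPOTIFY_TOKEN_URL,
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  };
}

// Forward only the token fields the client needs. Nothing else from the upstream
// response, and certainly not the client credentials, reaches the app.
function shapeTokenResponse(upstreamJson) {
  const { access_token, refresh_token, expires_in, token_type, scope } = upstreamJson;
  if (typeof access_token !== "string" || access_token.length === 0) {
    throw new Error("token endpoint returned no access_token");
  }
  return { access_token, refresh_token, expires_in, token_type, scope };
}

// The proxy handler. `fetchImpl` is injectable so the flow can be exercised offline.
async function exchangeCode(params, config, fetchImpl = fetch) {
  let input;
  try {
    input = validateExchangeInput(params, config.allowedRedirectUris);
  } catch (err) {
    return { status: 400, headers: NO_STORE_HEADERS, body: { error: err.message } };
  }
  const req = buildTokenRequest(input, config);
  const res = await fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
  if (!res.ok) {
    // Upstream error bodies are not forwarded verbatim; log them server-side instead.
    return { status: 502, headers: NO_STORE_HEADERS, body: { error: "token exchange failed" } };
  }
  return { status: 200, headers: NO_STORE_HEADERS, body: shapeTokenResponse(await res.json()) };
}
```

The split this enforces is the one the comments describe: the secret only ever appears in the proxy's outgoing request to Spotify, while the access_token and refresh_token are bearer credentials that belong to the user's own client, so the proxy's job is to hand them back over TLS with no-store headers and nothing extra. The redirect_uri allowlist is a proxy-side check in addition to Spotify's own matching of redirect_uri against the authorization request.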