0

I would like to create an integration with quire.io, which currently only supports the OAuth2 authorization_code flow with client_secret.
This causes me a problem because my application will need a dashboard so users can configure it.

So far I have been trying to get a token on a backend server (which has the secret) and then send the token to the client in a cookie as a JWT. Is there a way I can securely access the Quire API from my frontend?

eyrewiut

1 Answer

0

The authorization_code flow without client secret hasn't been implemented yet (different priorities). For now you'll need the extra server to keep the client_secret in a secure place.

cor3000
  • Thanks, but do you have any suggestions on how I can use that server? As I wrote in my question, I have been trying to get a token on a backend server, then return the token to the client, is this what you mean? – eyrewiut Dec 10 '20 at 15:59
  • Yes, that's what I meant. The scenario is described here: https://www.oauth.com/oauth2-servers/server-side-apps/security-considerations/ However, they leave it vaguely open how the communication between the SPA and the "companion server" should continue after the access token was received by the "companion server". I wonder if that's described elsewhere in more detail. – cor3000 Dec 11 '20 at 03:48
  • After reading this lengthy answer https://stackoverflow.com/questions/53678019/laravel-5-6-passport-jwt-httponly-cookie-spa-authentication-for-self-consuming/54011649#54011649 things get quite complicated ... storing the access_token in the browser seems to be discouraged ... not 100% sure what this implies – cor3000 Dec 11 '20 at 04:03
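
One way the SPA and the companion server discussed above can keep talking after the code exchange, as an added example that is not part of the original question, answer or comments: the server keeps the access token in a server-side session and gives the browser only an opaque HttpOnly cookie, then attaches the token itself when it proxies API calls. The URLs, client id, cookie name and function names are assumptions made for the sketch (not taken from Quire's documentation), and the HTTP calls themselves are left to the caller.

```javascript
const { randomBytes, timingSafeEqual } = require('node:crypto');

// Placeholder configuration: assumed values, not from Quire's documentation.
const CONFIG = {
  clientId: 'CLIENT_ID_PLACEHOLDER',
  clientSecret: process.env.CLIENT_SECRET || 'SECRET_PLACEHOLDER', // never sent to the browser
  authorizeUrl: 'https://provider.example/oauth',
  redirectUri: 'https://app.example/callback',
};
const sessions = new Map(); // sid -> { state, tokens }; in-memory for the sketch only
const newId = () => randomBytes(32).toString('base64url');

// Step 1: create a session; the browser gets an opaque cookie and a redirect URL.
function beginLogin() {
  const sid = newId(), state = newId();
  sessions.set(sid, { state, tokens: null });
  const q = new URLSearchParams({ response_type: 'code', client_id: CONFIG.clientId,
    redirect_uri: CONFIG.redirectUri, state });
  return { cookie: `sid=${sid}; HttpOnly; Secure; SameSite=Lax; Path=/`,
    redirect: `${CONFIG.authorizeUrl}?${q}` };
}

function sessionFromCookie(cookieHeader = '') {
  const m = /(?:^|;\s*)sid=([\w-]+)/.exec(cookieHeader);
  return m ? sessions.get(m[1]) : undefined;
}

// Step 2: on the callback, verify `state` (single use), then build the form body
// that the server POSTs to the provider's token endpoint.
function tokenRequestBody(cookieHeader, { code, state }) {
  const s = sessionFromCookie(cookieHeader);
  const a = Buffer.from(String(state)), b = Buffer.from(s?.state ?? '');
  if (!s || !s.state || a.length !== b.length || !timingSafeEqual(a, b))
    throw new Error('state mismatch');
  s.state = null;
  return new URLSearchParams({ grant_type: 'authorization_code', code,
    redirect_uri: CONFIG.redirectUri, client_id: CONFIG.clientId,
    client_secret: CONFIG.clientSecret }).toString();
}

// Step 3: store the provider's token response on the server only.
function storeTokens(cookieHeader, tokenResponse) {
  const s = sessionFromCookie(cookieHeader);
  if (!s) throw new Error('unknown session');
  s.tokens = tokenResponse;
}

// Step 4: per proxied API call, map the cookie to the token on the server side.
function upstreamHeaders(cookieHeader) {
  const s = sessionFromCookie(cookieHeader);
  return s && s.tokens ? { Authorization: `Bearer ${s.tokens.access_token}` } : null;
}
```

Because the cookie authenticates every request the SPA makes to the companion server, state-changing routes on that server still need CSRF protection in addition to `SameSite`.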