Can I use the Oauth2 authorization code stream for a SPA (React) application if I have a server-side proxy?

After looking at an obscene amount of OAuth2 tutorials, there is one best practice that it states every time: if you have a React application (either Angular or Ember), you should use an implicit stream with it.

I understand that saving client credentials in public javascript will not work. However, my scenario is slightly different:

  • I use only Oauth2 to create a single sign-on and token for microservices. I chose it instead of just creating tokens, since the supported third-party libraries are built around the idea of ​​Oauth2.
  • My idea is to have a React application and an ASP.NET MVC application that serves javascript and acts as a proxy for API requests. The user is authenticated for the server application (using the Oauth2 authorization code stream).
  • Then, if I need to get data from the API, I call my ASP.NET MVC application from React (by sending a simple cookie). An MVC application contains a token without exposing it in the user's browser.
  • Obviously, when I call, my MVC application then redirects the request to the necessary API, providing the carrier token.

To better understand why this is what I came up with, here are some requirements I received that may be unusual:

  • I really don't need a shared access token, even if it's relatively short.
  • . cookie .

, . - , ? , , ?

+4
1

(, ), . .

( ). , , .

, , . , .

+4

Source: https://habr.com/ru/post/1672256/


All Articles