After looking at an obscene amount of OAuth2 tutorials, there is one best practice that it states every time: if you have a React application (either Angular or Ember), you should use an implicit stream with it.
I understand that saving client credentials in public javascript will not work. However, my scenario is slightly different:
- I use only Oauth2 to create a single sign-on and token for microservices. I chose it instead of just creating tokens, since the supported third-party libraries are built around the idea of Oauth2.
- My idea is to have a React application and an ASP.NET MVC application that serves javascript and acts as a proxy for API requests. The user is authenticated for the server application (using the Oauth2 authorization code stream).
- Then, if I need to get data from the API, I call my ASP.NET MVC application from React (by sending a simple cookie). An MVC application contains a token without exposing it in the user's browser.
- Obviously, when I call, my MVC application then redirects the request to the necessary API, providing the carrier token.
To better understand why this is what I came up with, here are some requirements I received that may be unusual:
- I really don't need a shared access token, even if it's relatively short.
- . cookie .
, . - , ? , , ?