Safe way to consume REST Oauth 2.0 API from javascript


5

I'm about to start developing a Business application where I want the frontend to be a single page javascript solution. The backend is provided as a REST API. How can I in a safe way access the REST API from the Javascript frontend?

I've already started developing Oauth 2.0 in my REST API and I already know about the "Implicit Grant Flow" which is the recommended flow for javascript clients. The problem is that this flow should only provide short lived access tokens (maybe 1 hour?).

The users of my system will typically login in the morning and work in the application all day (8 hours) and logout before leaving job, but if the access token lives only for an hour they would have to login again every hour which is not acceptable. How do you solve this?

2012-04-04 06:32
by rgullhaug
One solution I can think of is to instead of returning an access token which expires in 1 hour I can return an access_token with a sliding expiration. For every call the client makes to the API the expiration time is renewed with i.e. 20 min. But is this considered safe? I've never seen Oauth servers using sliding expiration - rgullhaug 2012-04-04 08:39


5

We (Ping Identity) support sliding expiration of access tokens in our OAuth AS implementation - there's nothing OAuth 2.0 spec-wise that says you can't do that. For other grant types you'd have a refresh token involved for longer lifetimes - but implicit doesn't work with them.

Not sure if you need a JavaScript OAuth toolkit, but here's one that's probably suitable for your purposes.

2012-04-04 18:20
by Scott T.
Thank you for taking the time to answer my question. I will implement sliding expiration, also thank you very much for the javascript toolkit, I will check it out :) One more question: In the implicit flow we are not providing a client secret (as it cannot be kept secret on the client), but we need to know for sure which client is connecting to our service as different clients will have access to different parts of the API. Will checking that the redirecturi is the same as the registered redirecturi be enough to guarantee that we are talking to the correct client? - rgullhaug 2012-04-04 19:07
Yes - redirect_uri comparison is the way to go. Like you said, any secret you maintain client side is secret only so long - Scott T. 2012-04-04 20:56