
I'm about to start developing a business application where I want the frontend to be a single-page JavaScript solution. The backend is provided as a REST API. How can I in a safe way access the REST API from the JavaScript frontend?

I've already started developing OAuth 2.0 in my REST API and I already know about the "Implicit Grant Flow", which is the recommended flow for JavaScript clients. The problem is that this flow should only provide short-lived access tokens (maybe 1 hour?).

The users of my system will typically log in in the morning and work in the application all day (8 hours) and log out before leaving work, but if the access token lives only for an hour they would have to log in again every hour, which is not acceptable. How do you solve this?

One solution I can think of is, instead of returning an access token which expires in 1 hour, to return an access_token with a sliding expiration. For every call the client makes to the API the expiration time is renewed by e.g. 20 min. But is this considered safe? I've never seen OAuth servers using sliding expiration. Commented Apr 4, 2012 at 8:39

1 Answer

We (Ping Identity) support sliding expiration of access tokens in our OAuth AS implementation; there's nothing OAuth 2.0 spec-wise that says you can't do that. For other grant types you'd have a refresh token involved for longer lifetimes, but implicit doesn't work with them.

Not sure if you need a JavaScript OAuth toolkit, but here's one that's probably suitable for your purposes.


2 Comments

Thank you for taking the time to answer my question. I will implement sliding expiration; also thank you very much for the JavaScript toolkit, I will check it out :) One more question: in the implicit flow we are not providing a client secret (as it cannot be kept secret on the client), but we need to know for sure which client is connecting to our service, as different clients will have access to different parts of the API. Will checking that the redirect_uri is the same as the registered redirect_uri be enough to guarantee that we are talking to the correct client?
Yes, redirect_uri comparison is the way to go. Like you said, any secret you maintain client-side is secret only so long.
