5

I understand the basics of OAuth, and I've used it in applications before, but never like this.

I've got an OAuth2-based API I wrote, and I'm writing a JavaScript application (in Backbone.js), and I want to access the API with it.

My problem is that I need to obtain an access token for the js app. Normally I'd request a token with something like example.com/oauth2/token?client_id=<client-id>&client_secret=<client-secret>&....

If my client secret is supposed to be, well, secret, should I be putting it in my application js?

What's the proper way to do OAuth2 over JavaScript?

My users/app is also the "source" for OAuth, so I'm not going to be doing any kind of 3rd party user authentication, as they'll already be logged into the site.

1 Answer

3

I think you should obtain the access token from the server. This way, your client secret is kept secret on the server. In other words, your server will serve as a proxy for the OAuth exchange.


3 Comments

This is what my initial thinking was. Have a generic endpoint on the server that I can request, and spit out a new access token. Right now, the server is the user, but that might change.
Here is how Facebook apps handle it on the JavaScript side: developers.facebook.com/docs/authentication (search for "Client-side Flow").
In my case, there's no user login dialog. My application is the user client.
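
The server-side proxy suggested in the answer, sketched as an added example that is not part of the original thread: the browser app calls a same-origin route with its login session, and only the server talks to the token endpoint with the client secret. The `client_credentials` grant, the session shape, the environment variable names and the `/api/token` route are assumptions.

```javascript
// Added example: server-side token proxy (Node 18+, global fetch).
// Assumed, not from the thread: grant type, session shape, env var names.
const CONFIG = {
  tokenUrl: "https://example.com/oauth2/token", // endpoint from the question
  clientId: process.env.OAUTH_CLIENT_ID || "constructed-client-id",
  clientSecret: process.env.OAUTH_CLIENT_SECRET || "constructed-secret",
};

// Build the upstream request. Credentials go in the POST body, not the
// query string, so they stay out of access logs and browser history.
function buildTokenRequest(session, cfg = CONFIG) {
  if (!session || !session.userId) {
    return { error: { status: 401, body: { error: "login_required" } } };
  }
  const body = new URLSearchParams({
    grant_type: "client_credentials",
    client_id: cfg.clientId,
    client_secret: cfg.clientSecret,
  });
  const headers = { "Content-Type": "application/x-www-form-urlencoded" };
  const init = { method: "POST", headers, body: body.toString() };
  return { url: cfg.tokenUrl, init };
}

// Forward only what the browser needs; drop refresh tokens and anything
// else the token endpoint returns.
function toBrowserResponse(upstream) {
  if (!upstream || typeof upstream.access_token !== "string") {
    return { status: 502, body: { error: "token_unavailable" } };
  }
  return {
    status: 200,
    body: {
      access_token: upstream.access_token,
      token_type: upstream.token_type || "Bearer",
      expires_in: upstream.expires_in,
    },
  };
}

// Glue for a route such as POST /api/token (hypothetical path).
async function issueTokenForSession(session, fetchImpl = fetch) {
  const req = buildTokenRequest(session);
  if (req.error) return req.error;
  const res = await fetchImpl(req.url, req.init);
  return toBrowserResponse(res.ok ? await res.json() : null);
}
```

The route handler passes the authenticated session to `issueTokenForSession` and writes the returned `status` and `body` as JSON; the JavaScript app never sees `client_secret`.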
