security - OAuth2 in-browser-app use Authorization grant instead of implicit -


we have public api protect using oauth2.

i've been reading on specification/documentation, still have questions implicit grant.

i understand implicit grant used client-only in-browser-(javascript)-apps. less secure , such possibilities should restricted (e.g. read-only access). also, no refresh tokens should issued, , token should not long-lived.

but stopping creator of in-browser-(js)-app use authz grant instead of implicit grant? creator of such app there benefit can more permissions (destructive) stuff, , refresh-token can use new access_tokens when expire. latter ideal because won't have bug users login every often.

this of course problematic because refresh_token, client_id , client_secret compromised way.

so question revolves around this: how can make sure in-browser-only-apps use restricted implicit grant?

before being able connect our api using oauth, client/developer must register client_id, callback_url, client_secret. it's possible me (as api owner) revoke permission if detect kind of behaviour. means i'll have check manually, , periodically?

is there better way?

one option rely on user-agent header client web app cannot influence (it browser sending requests!)

you may consider denying issuing token if cliend_id , client_secrets used in combination user-agent coming browser. may allow client_id in combination browser's user-agent not issue refresh_token , use shorter expiration access_token in such case. (not sure if still technically conform oidc)


Comments

Post a Comment

Popular posts from this blog

searchKeyword not working in AngularJS filter -

i writing app using angularjs on front end. want search through table word/field; 1 search box everything. according article here: http://hello-angularjs.appspot.com/searchtable can use filter: searchkeyword this. this code, , not working expected. <label>search: <input ng-model="searchkeyword"></label> <table ng-repeat="post in posts | orderby: sort | filter: searchkeyword"> <tr> <td> {{index(post)}} </td> <td> {{post.title}} </td> <td> {{post.author}} </td> <td> {{post.content}} </td> <td> {{post.date | date: "d/m/yyyy"}} </td> </tr> </table> what should do? thank you try this: controller $scope.posts = [ {title:'title one', author:'author one', content: 'content one'}, {title:'title two', author:'author two', content: 'cont...
Read more

sequelize.js - Sequelize: sort by enum cases -

i have model ( article ) field (the name type ) of type enum('source', 'translated') , return 1 article ordered type field. source articles should returned before translated articles. like: article.findone(order: [ { type: [ 'source', 'translated' ] } ]); unfortunately there appears no built-in solution sorting enums. instead have sort by case , couldn't find documentation on how sequelize. what conventional approach here? sorting case hard in sequelize, sort field (the second answer in linked post) should possible: order: sequelize.fn('field', sequelize.col('type'), 'source', 'translated') it's supported mysql far know though
Read more

user interface - how to replace an ongoing process of image capture from another process call over the same ImageLabel in python's GUI TKinter -

i trying use following code create interactive gui changes color-space(hsv, rbg, grayscale etc) on event of button click. display opencv video in tkinter using multiprocessing being new python having problems multiprocessing , attempts on making gui change it's color space on button clicks hangs entire system. on it's implementation highly appreciated. thankyou. below code: import cv2 pil import image,imagetk import tkinter tk import numpy np multiprocessing import process , queue def quit_it(root,process): root.destroy() process.terminate() def black_andwhite(root,process): process.terminate p=process(target=capture_image, args=(5,queue, )) p.start() root.after(0, func=lambda: update_all(root, image_label, queue)) def update_image(image_label, queue): frame = queue.get() = image.fromarray(frame) b = imagetk.photoimage(image=a) image_label.configure(image=b) image_label._image_cache = b root.update() def update_all(root...
Read more