<h1>Authenticate client-side app to REST API using CORS with local strategy</h1>

<h2>The Problem:</h2>
<p>Serving a secure API to a client side app using only a local authentication strategy. <br> <em>The red arrows are part of the knowledge gap.</em></p>
<p><img src="https://i.stack.imgur.com/7MMrm.png" alt="enter image description here"></p>

<h2>Context:</h2>
<p>That is --- <code>client.example.com</code> is making a <strong>POST</strong> to <code>api.example.com/login</code> where on success <code>client.example.com</code> can gain access to a <strong>GET</strong> service like <code>api.example.com/secret</code>.</p>

<h2>An idea!</h2>
<p>Implementation of OAuth 2.0 with hybrid grant type sitting in front of API.</p>
<p><strong><em>Why hybrid?</em></strong></p>
<ul>
<li><p>It wouldn't be an <code>Implicit Grant Flow</code> aka <code>Client-Side Web Applications Flow</code> because there is no redirection to API server to grant access token. (i.e.) <em>"Is it ok for so-and-so to access your data?"</em></p></li>
<li><p>It wouldn't be a <code>Resource Owner Password Flow</code> because a <em>Client ID and Client Secret</em> are passed along with the request so it's assumed the client app is server-side.</p></li>
</ul>
<p><em>OK... so what about a little bit of both?</em></p>
<p>What if we used a CSRF token on page load of client-side app, and POST it with user credentials to OAuth 2.0 authentication endpoint to exchange for access token? You would authenticate each subsequent request with the access token and CSRF token after a successful login.</p>
<p><strong>A good Node.js OAuth 2.0 library I found:</strong></p>
<p><a href="https://github.com/ammmir/node-oauth2-provider" rel="noreferrer">https://github.com/ammmir/node-oauth2-provider</a></p>

<h2>Help Me!</h2>
<p>I cannot find a working example of an authentication measure that solves this problem! Point me in the right direction?</p>
<blockquote>
<p>Ultimately, the goal here is to authenticate a client side app to a REST API using CORS with a local strategy --- i.e. username &amp; password --- even if the convention above isn't possible.</p>
</blockquote>

<h2>To Accommodate Bounty:</h2>
<p><em>This is a client side app, so let's stay trendy.</em></p>
<p>I'm looking for a working example using the <strong>Node.js</strong> OAuth 2.0 seed above for the API/Auth server and a front end framework like <strong>Angular.js</strong> or <strong>Backbone.js</strong> to make requests.</p>
<p><em>The example should match the context described above.</em></p>