cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Community Member

Is Javascript OAuth2 Authentication Wise for Production or Should PHP be Used for Security

Jump to solution

I am not an expert with OAuth2 by any means however I have used the Google API with great success.

I have always used PHP to authenticate to OAuth2 with a registered account that assigns a client_id and client_secret that can easily be encrypted with salt in MySQL. I don't understand how you can pass the following information securely using Javascript without being totally accessible to a hacker.

Parameter

Value

grant_type

refresh_token

client_id

Your client_id

client_secret

Your client_secret

refresh_token

refresh_token from initial access_token request

In all of the examples I have found that access to the API always requires hard coding an access token in at least 1 of three ways:

  1. By URL
  2. Postman
  3. JavaScript

These methods are fine for a testing environment but what about real production?

Is there a way to just pass the username to Canvas Cloud and given a correct password it will return a token with the permissions of an admin or other type of user depending on who logged in?

In the Canvas OAuth2 documentation it warns:

  • Don't embed tokens in web pages.
  • Don't pass tokens or session IDs around in URLs.
  • Properly secure the database or other data store containing the tokens.
  • For web applications, practice proper techniques to avoid session attacks such as cross-site scripting, request forgery, replay attacks, etc.

I have always used a secure web site to authenticate via PHP and handle the storage of the access token using session variables and MySQL table to handle User Roles.  This method does of course require a dedicated intranet environment.

What is the most secure method to handle real production? 

0 Kudos
1 Solution

Accepted Solutions
Highlighted
Instructure
Instructure

Hello larry.robertson@apsva.us‌,

I'm by no means an expert on authentication, but I'll take a stab at answering your question.

When you say you can't figure out a way to pass a token securely using "javascript" I'm going to assume you mean AJAX.

Whether you're using PHP, AJAX, Postman, or Curl (or whatever) the the authentication mechanism (ideally) occurs in the HTTP request headers and is encrypted by TLS.  The content of the request occurs in the body of the HTTP request and is also encrypted by TLS, but not subject to as strict handling as the headers.  For example, the API documentation (where you copied the table from) also says:

Storing a token is in many ways equivalent to storing the user's password, so tokens should be stored and used in a secure manner, including but not limited to:

  • Don't embed tokens in web pages.
  • Don't pass tokens or session IDs around in URLs.
  • Properly secure the database or other data store containing the tokens.
  • For web applications, practice proper techniques to avoid session attacks such as cross-site scripting, request forgery, replay attacks, etc.
  • For native applications, take advantage of user keychain stores and other operating system functionality for securely storing passwords.

To that end, while you can include your token in the URL of the request, you shouldn't.  While you can pass your token in the body of the request, you shouldn't.  If you see examples of that in the wild - it's not best practice.  But passing the token in the HTTP header is perfectly acceptable and secure, or at least as secure as typing a user name and password in a form as it's the same mechanism.

The second half of that equation is what you've addressed - the external thing that you're sending your token(s) to ideally has the appropriate controls in place to keep the tokens secure there as well.

View solution in original post

3 Replies
Highlighted
Community Coach
Community Coach

larry.robertson@apsva.us, greetings! Due to the technical nature of this question, I'm sharing this with the Canvas Developers‌ group in the Community. Hopefully, they can help! 🙂

Kona

Highlighted
Instructure
Instructure

Hello larry.robertson@apsva.us‌,

I'm by no means an expert on authentication, but I'll take a stab at answering your question.

When you say you can't figure out a way to pass a token securely using "javascript" I'm going to assume you mean AJAX.

Whether you're using PHP, AJAX, Postman, or Curl (or whatever) the the authentication mechanism (ideally) occurs in the HTTP request headers and is encrypted by TLS.  The content of the request occurs in the body of the HTTP request and is also encrypted by TLS, but not subject to as strict handling as the headers.  For example, the API documentation (where you copied the table from) also says:

Storing a token is in many ways equivalent to storing the user's password, so tokens should be stored and used in a secure manner, including but not limited to:

  • Don't embed tokens in web pages.
  • Don't pass tokens or session IDs around in URLs.
  • Properly secure the database or other data store containing the tokens.
  • For web applications, practice proper techniques to avoid session attacks such as cross-site scripting, request forgery, replay attacks, etc.
  • For native applications, take advantage of user keychain stores and other operating system functionality for securely storing passwords.

To that end, while you can include your token in the URL of the request, you shouldn't.  While you can pass your token in the body of the request, you shouldn't.  If you see examples of that in the wild - it's not best practice.  But passing the token in the HTTP header is perfectly acceptable and secure, or at least as secure as typing a user name and password in a form as it's the same mechanism.

The second half of that equation is what you've addressed - the external thing that you're sending your token(s) to ideally has the appropriate controls in place to keep the tokens secure there as well.

View solution in original post

Highlighted

Thank you Danny