
Is JavaScript OAuth2 Authentication Wise for Production or Should PHP be Used for Security

Question asked by Larry Robertson on Jun 3, 2019
Latest reply on Jun 4, 2019 by Larry Robertson

I am not an expert with OAuth2 by any means however I have used the Google API with great success.


I have always used PHP to authenticate to OAuth2 with a registered account that assigns a client_id and client_secret that can easily be encrypted with salt in MySQL. I don't understand how you can pass the following information securely using JavaScript without it being totally accessible to a hacker.


Parameter       Value
grant_type      refresh_token
client_id       Your client_id
client_secret   Your client_secret
refresh_token   refresh_token from initial access_token request


In all of the examples I have found, access to the API always requires hard-coding an access token in at least one of three ways:

  1. By URL
  2. Postman
  3. JavaScript

These methods are fine for a testing environment but what about real production?

Is there a way to just pass the username to Canvas Cloud and given a correct password it will return a token with the permissions of an admin or other type of user depending on who logged in?


In the Canvas OAuth2 documentation it warns:

  • Don't embed tokens in web pages.
  • Don't pass tokens or session IDs around in URLs.
  • Properly secure the database or other data store containing the tokens.
  • For web applications, practice proper techniques to avoid session attacks such as cross-site scripting, request forgery, replay attacks, etc.


I have always used a secure web site to authenticate via PHP and handle the storage of the access token using session variables and a MySQL table to handle User Roles. This method does of course require a dedicated intranet environment.


What is the most secure method to handle real production? 
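The server-side arrangement the question describes (client_secret and tokens held by the server, the browser given only a session), carried through as an added example. This is not code from the original post or from Canvas, and it is written in Python rather than the PHP the post uses so that the flow can be shown end to end offline. It assumes Canvas's documented /login/oauth2/auth and /login/oauth2/token endpoints; the hostname, client credentials, redirect URI and the FakeCanvas responses are constructed placeholders, not real values.

```python
"""Confidential-client OAuth2 for Canvas, kept entirely server-side. Added example, not code
from the original post; assumes Canvas's /login/oauth2/auth and /login/oauth2/token endpoints.
Hostnames, credentials and FakeCanvas are constructed placeholders."""
import json, secrets, time, urllib.parse, urllib.request
from typing import Dict, Optional, Tuple


def http_post_form(url: str, form: Dict[str, str]) -> dict:
    # Real transport: form-encoded POST to the token endpoint, JSON response back.
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


class ServerSideOAuth:
    """client_secret and every token live here; the browser only ever sees the
    authorization redirect (client_id + state) and an opaque session-id cookie."""

    def __init__(self, base, client_id, client_secret, redirect_uri, transport=http_post_form):
        self.base, self.client_id, self.client_secret = base, client_id, client_secret
        self.redirect_uri, self.transport = redirect_uri, transport
        self._pending_states = set()          # one-time CSRF nonces
        self._sessions: Dict[str, dict] = {}  # opaque session id -> token record

    def authorization_url(self) -> Tuple[str, str]:
        """Step 1: redirect target for the browser. No secret leaves the server."""
        state = secrets.token_urlsafe(32)
        self._pending_states.add(state)
        q = {"client_id": self.client_id, "response_type": "code",
             "redirect_uri": self.redirect_uri, "state": state}
        return f"{self.base}/login/oauth2/auth?{urllib.parse.urlencode(q)}", state

    def handle_callback(self, code: str, state: str) -> str:
        """Step 2: exchange the ?code= server-side; hand the browser only an opaque session id."""
        if state not in self._pending_states:
            raise PermissionError("unknown or replayed state (possible CSRF)")
        self._pending_states.discard(state)
        tok = self._token_request({"grant_type": "authorization_code",
                                   "redirect_uri": self.redirect_uri, "code": code})
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = self._record(tok)
        return sid

    def access_token_for(self, sid: str, leeway: int = 60) -> str:
        """Step 3: token for a session, refreshed (grant_type=refresh_token) near expiry."""
        rec = self._sessions.get(sid)
        if rec is None:
            raise PermissionError("no such session")
        if time.time() + leeway >= rec["expires_at"]:
            tok = self._token_request({"grant_type": "refresh_token",
                                       "refresh_token": rec["refresh_token"]})
            rec = self._sessions[sid] = self._record(tok, rec["refresh_token"])
        return rec["access_token"]

    def _token_request(self, grant: Dict[str, str]) -> dict:
        form = {"client_id": self.client_id, "client_secret": self.client_secret, **grant}
        return self.transport(f"{self.base}/login/oauth2/token", form)

    @staticmethod
    def _record(tok: dict, old_refresh: Optional[str] = None) -> dict:
        # A refresh response may omit refresh_token; keep the existing one in that case.
        return {"access_token": tok["access_token"], "user_id": int(tok["user"]["id"]),
                "refresh_token": tok.get("refresh_token", old_refresh),
                "expires_at": time.time() + int(tok["expires_in"])}


class FakeCanvas:
    """Constructed offline stand-in for Canvas's token endpoint (demo only)."""

    def __init__(self, secret: str):
        self.secret, self.calls, self.issued = secret, [], 0

    def __call__(self, url: str, form: Dict[str, str]) -> dict:
        self.calls.append(dict(form))
        if not url.endswith("/login/oauth2/token") or form.get("client_secret") != self.secret:
            raise PermissionError("invalid_client")
        key, want = {"authorization_code": ("code", "good-code"),
                     "refresh_token": ("refresh_token", "rt-1")}[form["grant_type"]]
        if form.get(key) != want:
            raise PermissionError("invalid_grant")
        self.issued += 1
        resp = {"access_token": f"at-{self.issued}", "token_type": "Bearer",
                "expires_in": 3600, "user": {"id": 42, "name": "Test User"}}
        if form["grant_type"] == "authorization_code":
            resp["refresh_token"] = "rt-1"   # only the initial grant hands out one
        return resp


def demo() -> dict:
    """Run the whole flow against FakeCanvas and report what each side saw."""
    fake = FakeCanvas("server-only-secret")
    oauth = ServerSideOAuth("https://canvas.example.edu", "10000000000001",
                            "server-only-secret", "https://app.example.edu/callback", fake)
    url, state = oauth.authorization_url()
    sid = oauth.handle_callback("good-code", state)        # browser receives only sid
    first = oauth.access_token_for(sid)                    # fresh token, no refresh
    refreshed = oauth.access_token_for(sid, leeway=3601)   # leeway > lifetime forces refresh
    try:                                                   # forged state never reaches Canvas
        oauth.handle_callback("good-code", "forged-state"); forged_rejected = False
    except PermissionError:
        forged_rejected = True
    return {"redirect_url": url, "session_id": sid, "first_token": first,
            "refreshed_token": refreshed, "calls": fake.calls, "forged_rejected": forged_rejected}
```

The refresh request built in access_token_for carries exactly the four parameters from the table above (grant_type, client_id, client_secret, refresh_token), and it travels server-to-server, so the browser never holds client_secret or any token. What the browser gets back from handle_callback is only the opaque session id, which maps to the PHP session plus MySQL table the post already uses; in a real deployment the in-memory _sessions dict would be that table. Because the user authenticates on Canvas's own login page during the authorization step, the resulting token acts with that user's permissions and the application never sees their password; the state check rejects a callback the server did not initiate before any token request is made.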
