How do client-side JS libraries for OAuth2 maintain secure authentication?

oauth-2.0 google-oauth hello.js
machinery picture machinery · Jul 13, 2014 · Viewed 21.4k times · Source

I'm new to OAuth2 and there's a problem I've been struggling with and despite research still can't grasp.

The difficulty in having a JS client for OAuth2 is that you can't store the client secret, because it will be widely accessible in the browser. I.e. in this SO question the highest-rated comment says:

"I think tokenSecret and consumerSekret parameters are supposed to be secret! How could they remain secret when downloaded to browser?!!!"

Therefore how do client-side OAuth2 frameworks like hello.js or oauth.io overcome this problem? I know they use a server-side proxy (which knows the ID and secret) for their requests, but the client JS code still needs to somehow tell the proxy who it is. So what prevents anyone from taking the JS code from my website and talking to the proxy on my behalf?

I've also found the Google APIs Client Library for JavaScript. AFAIK there the client code does not pass a secret. Do I understand correctly that they manage this by having a predefined OAuth response address? (so that the tokens are always returned via a predefined HTTP address). So even if somebody tries to impersonate my website by using my ID, the tokens will still get returned to my website?

Maybe I'm confusing a few different topics here, any light on the subject would be appreciated.

Answer

Eugenio Pace picture Eugenio Pace · Jul 13, 2014

There're flows in OAuth2 that don't require a secret (e.g. implicit flow is typically used for JS based clients, SPAs, etc). Not all providers support this flow though, so in those situations you need a server side component that negotiates that for you and then handles the interactions with your front-end/device.

In any case, you need the user to authenticate. The secret authenticates the client (your app), not the user. The return url (or callback) protects the token to be posted somewhere else (only your app).

Samples of these flows are here: https://docs.auth0.com/protocols#5

Update: There's a specific code/token exchange protocol for "public clients" that adds extra security: PKCE (how it works is here: https://auth0.com/docs/protocols#oauth2-pkce-for-public-clients)

Related questions

Using Postman to access OAuth 2.0 Google APIs

I am trying to access Proximity Google API using Postman chrome app. I have followed tutorials on postman and google dev website but I'm still getting 401 error message. What am I doing? Step 1 - Enable Proximity API: In order to …

Read More
OAuth2 and Google API: access token expiration time?

We have a standalone Java application (see "Installed application") which runs periodically and uses Google API (updates some information from customer databases/ldap/...). To access Google APIs we store username and password in configuration file, which is a security risk …

Read More
Why do access tokens expire?

I am just getting started working with Google API and OAuth2. When the client authorizes my app I am given a "refresh token" and a short lived "access token". Now every time the access token expires, I can POST my …

Read More