Is there a secure way to implement a client side code snippet that my customers will embed

Question

My company provide services to other websites. I would like to be able to give them a simple snippet of code to embed in their site (like a widget) that will send a query to the service I'm implementing, receive a response and render the results in the page. I'd like to minimize their effort, and only give them the smallest snippet possible. This is also why I'd like to keep it all client side.

The problem is that I'd like to make sure that the call is actually made by my clients and not by anyone else who copied the code from the site. I looked into the web client oauth2 flow, but it seems that it does not enable to authenticate the client. It does say that there's a way to validate the client by comparing the callback URL to a URL that the client registered with my service.

My Questions:

1. Is there any better approach?
2. Is the oauth2 client side approach, including the method described to validate the client, sufficiently secure?
3. If I go for the suggested implementation, what should I pay attention to?

Answer 1

You could use the Client Credentials Grant Authorization as defined in OAuth-2.0. This would allow you assign a separate Client Token and Client Secret for each separate client and they send in the tokens to get an access token and use the access token to request the data.

Or you could just skip the OAuth all together and use SOAP WS-Security with certificates assigned to each client to authorize the web service.