Question

I have a single-page app which currently opens a tab to an OAuth2 authentication provider. After the user inputs their credentials, the server sends a response which will close the tab. The server "knows" that the client is now authenticated by setting a session on it.

However, I actually do not want to use sessions. I want to keep the application stateless. I read that this should be possible by using oauth2 bearer tokens, which the server can validate.

How can the client obtain such a bearer token? When I use an iframe or a tab so the user can input their credentials at the login page of the service provider, my JavaScript could never pick up a response.

Is it true that OAuth2 with external providers (without sessions) is impossible with the current client-server architecture in the web?


Solution

You are probably thinking of using "JSON Web Tokens" as opposed to regular "access tokens". JWTs are digitally signed artifacts, so the server (your API) can validate them (and their contents).

Single Page Apps typically use the OAuth2 "implicit" flow. The token (JWT) is received directly from the authorization server, and it is something you could use for authentication with your API. Client libraries would extract the JWT from the final response (often in a URL of the form: http://callback/#id_token={the base64 encoded token}).

You need to check that the AuthZ Server you are using can actually return JWTs, and you need to include, in the servers that host your API, a token handler that can validate them.

Note: you would also need to configure CORS if the web page and the API are on different domains.

Look at this example, using .NET WebApi and an Authorization Server that returns JWTs (ours in the example, but it would work with any).

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow