Question

I just went through the description of Google's DrEdit sample app in Java (source code). It shows how to write a simple Drive app and handles authorisation in the backend.

It's a good example but the biggest drawback I've noticed is the fact that the user is required to log in again when he wants to pick a file from his Drive (despite previously authorising the app to do that). It's inconvenient so I'd like to avoid that. Picking a file is done using the Google Picker API which is only available in Javascript.

Hence, I would like to share the authorisation information between my backend and frontend - can I just pass the OAuth token that I have in the backend to the frontend? If so, is there a recommended way of doing it?


Solution

Yes, it's perfectly OK. Snooping at the client as described by @tydotg isn't really an issue since the access token is just as snoopable, regardless of whether it was generated at the client or at the server.

The only real challenge is making sure that you are only downloading a token to the correctly authenticated user. There are a number of schemes you could use to do this, but for example:

  1. User authenticates to your app using server-based OAuth.
  2. Server stores the user id or email in a session variable.
  3. When your client requests a token, you use the session user to generate a token.
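The three steps above, written out as a minimal server-side token endpoint. This is an added example, not code from the question, the answer, or Google's DrEdit sample; the `StoredCredential`/`TokenStore` types, the `/api/token` route, the `X-Requested-With` header check and the sample token values are all constructed for illustration. The point it makes beyond the list: the endpoint looks the credential up by the session's user id (never by a user id supplied in the request), hands the browser only the short-lived access token while the refresh token stays server-side, and refuses tokens that are about to expire so the Picker doesn't start with a dead credential.

```python
"""Serve the server-held OAuth access token to the browser-side Google Picker,
but only to the user who owns the current server-side session (constructed example)."""
import time
from dataclasses import dataclass, field


@dataclass
class StoredCredential:
    """What the OAuth callback persisted for one user (constructed shape)."""
    user_id: str
    access_token: str
    refresh_token: str   # stays on the server; never returned to the client
    expires_at: float    # epoch seconds


@dataclass
class TokenStore:
    """Server-side credential store keyed by user id (constructed; a real app
    would use its database)."""
    _by_user: dict = field(default_factory=dict)

    def save(self, cred: StoredCredential) -> None:
        self._by_user[cred.user_id] = cred

    def get(self, user_id: str):
        return self._by_user.get(user_id)


# Don't hand the browser a token that will expire before the Picker can use it.
MIN_REMAINING_SECONDS = 60


def token_endpoint(session: dict, headers: dict, store: TokenStore, now=None):
    """Handler for the hypothetical GET /api/token route.

    session: the server-side session populated at OAuth callback time
             (step 2 of the answer); the client cannot forge its contents.
    headers: the HTTP request headers.
    Returns (status_code, json_body)."""
    now = time.time() if now is None else now

    # Step 3: the user comes from the session, never from a request parameter,
    # so one logged-in user cannot ask for another user's token.
    user_id = session.get("user_id")
    if not user_id:
        return 401, {"error": "not_authenticated"}

    # Assumption: the frontend fetches this route with a custom header that a
    # plain cross-site form post or navigation cannot set, which keeps the
    # endpoint from being driven by another site riding on the user's cookies.
    if headers.get("X-Requested-With") != "XMLHttpRequest":
        return 403, {"error": "bad_request_origin"}

    cred = store.get(user_id)
    if cred is None or cred.expires_at - now < MIN_REMAINING_SECONDS:
        # Missing or nearly expired: make the user go through the server-side
        # OAuth flow again (or refresh server-side) rather than ship a stale token.
        return 401, {"error": "reauthorize"}

    # Only the short-lived access token crosses to the browser; the refresh
    # token, which would grant long-term access, is deliberately omitted.
    return 200, {
        "access_token": cred.access_token,
        "expires_in": int(cred.expires_at - now),
    }


if __name__ == "__main__":
    # Constructed sample credential and session for a local run.
    store = TokenStore()
    store.save(StoredCredential("alice", "access-token-alice", "refresh-token-alice", 1000 + 3600))
    print(token_endpoint({"user_id": "alice"}, {"X-Requested-With": "XMLHttpRequest"}, store, now=1000))
    print(token_endpoint({}, {"X-Requested-With": "XMLHttpRequest"}, store, now=1000))
```

On the browser side the Picker code would fetch this route (same origin, with the session cookie and the custom header) and pass the returned `access_token` into the Picker builder; `expires_in` tells it when to fetch again.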

OTHER TIPS

I'm sure you can (I'm not too familiar with Java, but in Rails, for example, it would be easy); however, the reason you wouldn't want to do this is because of security.

Anything on the server side is pretty secure and not accessible to the client. Anything on the client side, however, is fair game. I could inspect the element and, if I knew what I was looking for, I could grab the OAuth token.

Licensed under: CC-BY-SA with attribution