
I'm building a marketing service wherein we provide widgets for various companies to host on their websites. These widgets should talk to REST APIs on my server directly from the browser using JavaScript to fetch and post information. The end user may or may not need to be authorised depending on the type of data they access. We need to authenticate the end user using popular social networks such as Facebook, Twitter etc. In effect our server side API needs to verify two things:

1. the call is coming from the respective company's website
2. the call is made by the appropriate end user.

I'm not sure what kind of authentication I have to use here. I think I cannot use OAuth (1.0, 2.0), since it requires the consumer key and secret, which cannot be stored securely in JavaScript. Is there any modified OAuth flow which can be used? Has someone solved this problem already? It would be preferable if someone has a Spring based solution on the server side.

  • We did kind of the same thing, independent of the actual authentication method of the user; see REST authentication and exposing the API key. That solution is not 100% secure if the user is not authenticated, in which case all requests could be faked by a server side script. But the public data could be scraped from the respective company's websites anyhow. (Though, of course, offering scrapers an API makes their life much easier...) Commented Dec 16, 2012 at 14:46
  • "the end user may or may not need to be authorised" -- authorised, or authenticated? Commented Dec 16, 2012 at 16:26

1 Answer


You cannot verify that the call is coming from the respective company's website. The call will be coming from an end user's browser, not a site.

Also, there can be no direct call from the browser to your site (at least not using XMLHttpRequest), since your widgets and your server are not on the same domain. You can get around this by using JSONP.

You CAN use OAuth2, and the Implicit Grant flow as described in the specification here: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-31#section-4.2


2 Comments

One can ensure the domain is correct by setting tokens using a JavaScript file that uses if (document.domain == 'expected-domain.com'), if one can be sure it's really a browser that fetches the JavaScript, and if the JavaScript cannot be fetched using XHR/Ajax (hence no support for CORS nor JSONP, for the JavaScript). However, ensuring it's a browser probably requires the visitor to get some cookie from the API's server, like by always requiring user authentication, which is not feasible in the OP's situation. Do you know if OAuth2's Implicit Grant would work for anonymous visitors?
Ah, reading the question again, maybe the user is always authenticated, but not always authorised to use some specific web site. It seems that OAuth Implicit Grant works the other way around: the website needs to be authorised by the user. Or maybe it's about authorisation of certain actions, not certain sites. If the user can use any known website, then the blog post OAuth and Client-Side Widgets might help to ensure a known website is used.
