Authenticate client-side app to REST API using CORS with local strategy

Question

I'm working on an app with a pretty similar architecture though the services are .NET Web API rather than Node and we're using DotNetOpenAuth for the OAuth provider. Rather than the hybrid approach you're suggesting we're doing the following:

1. x.com serves up a login page
2. login page POSTs back credentials to x.com
3. server side logic at x.com combines client_id and client_secret with the credentials to submit a token request (resource owner password credentials grant that you've mentioned above) receiving back both a temporary access token and a refresh token
4. the refresh token is encrypted into a cookie issued by x.com
5. both the cookie (with encrypted refresh token) and the temporary access token are then sent to the browser
6. the client app (angular in my case) can now use the access token to hit api.x.com for services (It appears you're well aware of the limitations of CORS... we hacked a version of angular's $resource to facilitate this but it wasn't pretty since we wanted to use all HTTP verbs and support IE9)
7. when the access token expires, the client side app can request a new access token from x.com
8. server-side, x.com decrypts the cookie to get at the refresh token and issues another oauth call for a new access token

This is fairly high-level but hopefully gives you a sense for how to tackle your situation. In my case, and it appears in yours, we didn't want to use session state or a database to store the refresh token but obviously exposing that to the browser introduces security concerns so the encryption of the refresh token is important (among other security considerations) and the use of the cookie eliminates the need for session state or other persistent storage on x.com.

I've built this example using Node and PassportJS to show how to authenticate the users with Facebook or Local Strategy. Both sides are on different domains as you described and it requires CORS enabled.

GitHub: https://github.com/pablodenadai/Corsnection
Live demo: http://corsnection-client.herokuapp.com/

Not an answer running for the prize. Just my 2 cents :)

On my web server,

I do my authentication through a rest call with login/password with basic authentication over https. This call delivers a key to the client (a one page web app).

Then every subsequent REST call is signed with the key. The server checks that the signature is correct and everything still happen in https.

This mechanism is quite used I believe.

I don't see the issue with cross domain. I have a single source anf if I need something from another source, I'd use JSONP.

I use nginx as an https->http forwarder.

Not sure how it competes with an OAuth2 solution.