Safe way to consume REST Oauth 2.0 API from javascript

Question

I'm about to start developing a Business application where I want the frontend to be a single page javascript solution. The backend is provided as a REST API. How can I in a safe way access the REST API from the Javascript frontend?

I've already started developing Oauth 2.0 in my REST API and I already know about the "Implicit Grant Flow" which is the recommended flow for javascript clients. The problem is that this flow should only provide short lived access tokens (maybe 1 hour?).

The users of my system will typically login in the morning and work in the application all day (8 hours) and logout before leaving job, but if the access token lives only for an hour they would have to login again every hour which is not accepatble. How do you solve this?

Answer 1

We (Ping Identity) support sliding expiration of access tokens in our OAuth AS implementation - there's nothing OAuth 2.0 spec wise that says you can't do that. For other grant types you'd have a refresh token involved for longer lifetimes - but implicit doesn't work with them.

Not sure if you need a JavaScript OAuth toolkit, but here's one that's probably suitable for your purposes.