I am creating an API and a separate front-end app that will consume said API. In my particular case I'm using Laravel Passport for my API and some VueJS for my frontend app.
In order for a user to create an account, a user must POST to a route (/oauth/token) on the API which requires a client_secret to be passed (https://laravel.com/docs/5.3/passport#password-grant-tokens).
The only options I see are:
1. client_secret sent as a header from my frontend app. However, putting this token out in the open doesn't seem smart.
2. No client_secret at all. This doesn't seem much better than option 1.
3. Keep the client_secret server-side and then send it to the API. While this is obviously the most secure, it seems to partially defeat the purpose of a fully static frontend (SPA).
What's the best practice for this type of approach? I've searched for how this is dealt with in general with an API and SPA, but I haven't found anything that points me in the right direction.
From my point of view, the Laravel Passport component seems to implement the OAuth2 Framework Protocol incorrectly.
The client_id and client_secret parameters are not part of the grant type. For the Resource Owner Password Credentials grant type, the required parameters are username and password (see RFC6749 section 4.3.2).
client_id and client_secret are used to authenticate a confidential client that sends its credentials through the body parameters (see RFC6749 section 2.3.1). The Laravel Passport component should allow other client authentication schemes (especially the HTTP Basic Authentication Scheme). The RFC6749 also indicates that:
"Including the client credentials in the request-body using the two parameters is NOT RECOMMENDED and SHOULD be limited to clients unable to directly utilize the HTTP Basic authentication scheme"
The OpenID Connect Core specification lists some of those schemes in its section 9. The RFC6749 does not indicate how public clients (e.g. SPA) should authenticate against the token endpoint. They are supposed to use the Implicit grant type, which does not require client authentication.
Anyway, a solution could be to use a kind of proxy. This proxy has to be installed on a server. It will receive all requests from the SPA (without client secret), add the client secret and transmit the modified request to the Laravel Passport endpoint. Then the response is sent to the SPA. This way the SPA never exposes the client secret.