We plan to use OAuth 2.0 in our system and we don't feel comfortable with the security level. OAuth 2 became a standard in the industry, so I suspect we might miss something :-)
We need to protect the system APIs; some of the APIs expose access to user information and some are not. The user may use the system without login, and when later does an operation that needs his indentification he is required to provide his credentials.
So, we will first use the client credentials authorization grant to identify the client. We preferred this mode since it looks more secured to use the secret key. The client is java script application that loaded to the user-agent. The flow is:
- The user-agent requests the application's backend to load the application
- The client's backend will call the authorization server to authorize the client. It will provide the client_id and the secret_key. On success an access-token will be issued.
- The application that will be loaded to the client will include the access-token.
- The client will use the token to access the system API's
Q: Anyone can use the URL of the application. If you load the application, you have the access-token in your hand. You don't need to provide client-id or any secret...it is just there. So where is the security?
For the case the user needs to be indentified we thought of using the implicit authorization grant. In that case we don't use the secret-key since it is not a secret on the client. However, anyone that knows the client_id and has a registered user can get an access-token.
Q: So, the question again is about security, how do we know that the client that accessed the system is the real client?
Thanks,
Aviram
