1 vote

I've got a Rails API that is using Doorkeeper with the password grant method for OAuth2.

Doorkeeper requires both the client_id and client_secret to be sent to the token request (/oauth/token), alongside the user's login details and scope.

How would I go about doing this in an Angular app? I don't like the idea of storing the client id and secret client side...

Take a look at our flow stackoverflow.com/questions/25455132/… We are also not sure about that and are asking for opinions. - Bartek S
@BartekS did you get anywhere with your implementation? - Chris Edwards
Try this: github.com/bslipek/angurailsSpike/tree/satelizer, but it's not well documented :) - Bartek S
@BartekS Thanks, but that doesn't seem to use the API / OAuth to authenticate the user, but rather uses a regular Rails controller to log in and manually return a token... - Chris Edwards
Correct, you need to log the user in after each request on your backend: you decode the JWT token and search for the specific user (verifying the secret first). But yes, it is complicated :) Try the segments branch also... - Bartek S

1 Answer

2 votes

The client_id and client_secret should only be used when your app code is secured, e.g. inside your web server.

For browser web apps and mobile apps the OAuth implicit flow or the password flow should be used.

  1. In the implicit flow, you only use the client_id.
  2. In the password flow, you exchange the username and password for an access token.
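The password flow from point 2, as an added example that is not code from the question, the answer or Doorkeeper: a browser-side token client that posts the user's credentials to `/oauth/token` with only the `client_id`, so no `client_secret` is ever shipped to the Angular app. It assumes the SPA is registered with the API as a public client that the server validates by `client_id` alone (an assumption; check that your Doorkeeper version supports non-confidential applications), and `fetchImpl` is injected so the file runs offline against the constructed fake endpoint at the bottom.

```javascript
// Added example (not from the question, the answer or Doorkeeper): a browser-side
// token client for the password grant (POST /oauth/token, RFC 6749 section 4.3).
// Assumption: the SPA is a public client validated by client_id alone, so no
// client_secret exists in the browser. fetchImpl is injected for offline runs.
function createTokenClient({ tokenUrl, clientId, fetchImpl = globalThis.fetch }) {
  let tokens = null; // kept only in closure memory, never in localStorage
  async function login(username, password, scope) {
    const body = new URLSearchParams({
      grant_type: 'password', username, password, scope, client_id: clientId,
    });
    const res = await fetchImpl(tokenUrl, {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: body.toString(),
    });
    const json = await res.json();
    if (!res.ok) {
      // Doorkeeper answers errors with {error, error_description} and a 4xx status
      throw new Error(`${json.error}: ${json.error_description || ''}`);
    }
    tokens = {
      access: json.access_token,
      refresh: json.refresh_token,
      expiresAt: Date.now() + json.expires_in * 1000,
    };
    return json.scope; // the scope the server actually granted
  }
  // Header for API calls; null once the token has expired or after logout.
  function authHeader() {
    if (!tokens || Date.now() >= tokens.expiresAt) return null;
    return { Authorization: `Bearer ${tokens.access}` };
  }
  function logout() { tokens = null; }
  return { login, authHeader, logout };
}

// Constructed stand-in for the Rails /oauth/token endpoint (not Doorkeeper's code).
// It accepts the password grant for the public client "public-spa" and checks that
// the request carried no client_secret, which is the property the question is about.
function fakeTokenEndpoint(_url, { body }) {
  const p = new URLSearchParams(body);
  const ok = p.get('grant_type') === 'password' && p.get('client_id') === 'public-spa'
    && !p.has('client_secret') && p.get('username') === 'alice' && p.get('password') === 'correct horse';
  const payload = ok
    ? { access_token: 'at-1', refresh_token: 'rt-1', token_type: 'Bearer', expires_in: 7200, scope: p.get('scope') }
    : { error: 'invalid_grant', error_description: 'The provided authorization grant is invalid' };
  return Promise.resolve({ ok, status: ok ? 200 : 400, json: () => Promise.resolve(payload) });
}
```

In the real app, pass the browser's `fetch` as `fetchImpl` and point `tokenUrl` at the API's `/oauth/token`; the server-side `client_secret` stays on the server for confidential clients only.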