
I've been going over the OAuth auth-code grant type and from what I have read, I understand that you use the auth-code grant over the implicit grant when you want to keep the token away from the user agent. This allows you to have communication between the client and backend-API be secure. But once you do that and the client has the token needed to communicate with the API, how should the client and user-agent communicate securely?

I was going to have the client have its own API that the user-agent could access, which would use the access-token to access the backend-API. I could make that communication secure by implementing implicit grant OAuth between the user-agent and client server, but that seems unnecessarily complicated, because you would have 2 layers of OAuth. I feel like I've misunderstood something here, so any clarification on this would help.


1 Answer


In this scenario, we are talking about the security of two APIs:

1.) Backend-API - which your client is consuming.

Security: OAuth auth-code grant type is being used here for securing this backend-API so that the client can access this backend-API using an access token received using an auth code.

Here the user-agent is only used to get an auth code to get the access token for accessing the API.

2.) Client's Own API - which will be consumed by users to access data retrieved by Backend-API.

Security: The developer of this API would need to implement security of this API depending on the client and many other factors. Now there are many protocols and techniques to secure an API, e.g. using Basic Authentication, OAuth 1.0a or OAuth 2, JSON Web Token (JWT), using API keys, etc. You would find many resources on how to secure an API.

Here the user-agent will be used to access the client's own API.

Conclusion:

Point to note here is that the security implementation of the Client's own API has nothing to do with the security implementation of the Backend-API. These are 2 different APIs used for 2 different purposes and will have their own security implementations.

And the user agent is used to get the auth code in the first scenario (i.e. accessing the backend API) and will be used to access the Client's Own API in the second (after the access token is received).
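The two layers the answer describes, as an added example that is not part of the original answer: an in-memory authorization server and backend API (layer 1, authorization-code grant), and a confidential client whose own API (layer 2) authenticates the browser with an opaque session id while the access token stays server-side. All class names, the `client-app`/`s3cret` credentials, the user `alice` and the profile data are constructed for this illustration; no network calls are made.

```python
"""Illustration of keeping the OAuth access token on the client server and
giving the user-agent only a session id. Everything here is a constructed toy:
no real authorization server, no HTTP, no persistence."""
import hmac
import secrets
from dataclasses import dataclass, field


# ---- Layer 1: backend API secured with the OAuth 2.0 authorization-code grant ----

@dataclass
class AuthorizationServer:
    """Toy authorization server: issues one-time codes and exchanges them for tokens."""
    client_id: str
    client_secret: str
    _codes: dict = field(default_factory=dict)    # auth code -> user id
    _tokens: dict = field(default_factory=dict)   # access token -> user id

    def authorize(self, user_id: str) -> str:
        """Front-channel step done via the user-agent: user consents, a code is returned."""
        code = secrets.token_urlsafe(16)
        self._codes[code] = user_id
        return code

    def exchange_code(self, code: str, client_id: str, client_secret: str) -> str:
        """Back-channel call made by the client server, never by the browser.
        Requires the client secret, which is why the token never reaches the user-agent."""
        if not (hmac.compare_digest(client_id, self.client_id)
                and hmac.compare_digest(client_secret, self.client_secret)):
            raise PermissionError("client authentication failed")
        user_id = self._codes.pop(code, None)   # codes are single use
        if user_id is None:
            raise PermissionError("invalid or already-used code")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = user_id
        return token

    def introspect(self, token: str):
        """Resource-server side check: which user does this token belong to?"""
        return self._tokens.get(token)

    def has_token(self, value: str) -> bool:
        """Used to confirm that a value handed to the browser is not an access token."""
        return value in self._tokens


class BackendApi:
    """Resource server: accepts only a valid bearer token."""
    def __init__(self, auth_server: AuthorizationServer):
        self.auth_server = auth_server

    def get_profile(self, bearer_token: str) -> dict:
        user_id = self.auth_server.introspect(bearer_token)
        if user_id is None:
            raise PermissionError("401 invalid_token")
        return {"user": user_id, "plan": "premium"}   # constructed sample data


# ---- Layer 2: the client's own API, consumed by the user-agent ----

class ClientServer:
    """Confidential client. Holds access tokens server-side keyed by an opaque
    session id; the browser only ever receives that session id (e.g. as a cookie)."""
    def __init__(self, auth_server, backend, client_id, client_secret):
        self.auth_server = auth_server
        self.backend = backend
        self.client_id = client_id
        self.client_secret = client_secret
        self._sessions: dict = {}   # session id -> access token

    def callback(self, code: str) -> str:
        """Redirect-URI handler: exchange the code on the back channel, then hand the
        user-agent an opaque session id instead of the access token."""
        token = self.auth_server.exchange_code(code, self.client_id, self.client_secret)
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = token
        return session_id

    def own_api_profile(self, session_id: str) -> dict:
        """Endpoint of the client's own API: authenticate the browser by session,
        then use the stored access token to call the backend API on its behalf."""
        token = self._sessions.get(session_id)
        if token is None:
            raise PermissionError("401 no valid session")
        return self.backend.get_profile(token)


def rejects(fn, *args) -> bool:
    """True if calling fn(*args) raises PermissionError."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


def demo_flow():
    """Run the whole flow once and return the pieces for inspection."""
    auth = AuthorizationServer(client_id="client-app", client_secret="s3cret")  # constructed
    backend = BackendApi(auth)
    client = ClientServer(auth, backend, "client-app", "s3cret")
    code = auth.authorize("alice")        # user-agent completes the consent step
    session_id = client.callback(code)    # browser is redirected back carrying the code
    profile = client.own_api_profile(session_id)
    return auth, client, code, session_id, profile


if __name__ == "__main__":
    _, _, _, sid, prof = demo_flow()
    print("session id given to browser:", sid)
    print("profile served by client's own API:", prof)
```

The point to take from the code: the session id is the only credential the user-agent holds, a forged or expired session is rejected by the client's own API, and the authorization code cannot be replayed once exchanged. In a real deployment the session store, cookie attributes (HttpOnly, Secure, SameSite) and session expiry replace the in-memory dictionary.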