I'm trying to add Dropbox support to my client-side-only Javascript app (http://bbc.godbolt.org/). As best I can tell I can't authenticate without my site being hosted on a secure server.

For a variety of reasons it's tricky for me to get an HTTPS server set up, and as I'm not using server endpoints I don't see why Dropbox/OAuth mandates an https:// source URL.

I can't find any reference to this limitation, but I can't configure a non-HTTPS server in the Dropbox configuration for my app; and without specifying my endpoint the client-side authentication fails.

Am I missing something?

Thanks!

HTTPS is required by the OAuth 2 spec for good reason... the access token returned at the end of the authorization process is in plain text and could be stolen if not sent over a secure channel.

I understand this, but as a client-side app I thought this restriction would be lifted. It wasn't clear to me that the token need be transmitted anywhere for client-side: it was "simply" a redirect with the token in the URL hash. The redirect is sent over HTTPS from the login server, but the URL it redirects to need not be secure as the hash part (after the # in the URL) is not sent on.
I think the issue there is that without HTTPS, it's hard to guarantee that the user is being redirected to the right location and not some malicious server. (Also, the recipient page could be tampered with in transit, e.g. causing it to send the access token elsewhere.) I admit I'm not an expert on this, but the OAuth 2 spec seems clear that the redirect URI must always use TLS.
However, this sounds like a limitation of the Dropbox client rather than anything else: the OAuth redirect must use TLS, but there's no reason that the redirect must occur on the top-level frame. For example, from what I can see (in Chrome's inspector) Google's JS client opens up an HTTPS iframe to perform the OAuth request, and (at least on Chrome) tunnels the token back to the parent iframe using window.postMessage().
But to re-add a word of caution, you really shouldn't do this. If your main app (which eventually sees the access token) isn't delivered over HTTP, users of your app are susceptible to losing their access tokens to attackers that manipulate the content of the page.
Yes, sorry, I meant "isn't delivered over HTTPS."
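The comments above describe the implicit-grant redirect (token in the URL fragment) and the iframe-plus-postMessage relay that Google's JS client uses. The following is an added example, not code from the question, the answer, or Dropbox's SDK: it parses the fragment, relays the token from the iframe with an explicit target origin, and accepts it in the parent only after checking the sender's origin and the CSRF `state` value. The fragment format, origins and names (`parseFragmentToken`, `makeTokenReceiver`, `relayToken`, `stateMatches`) are constructed for illustration and are not Dropbox values.

```javascript
// Added example (not from the original post or from Dropbox). Demonstrates the
// checks a page receiving an OAuth 2 implicit-grant token should perform.
// Origins and token values below are constructed for the example.

// Parse "#access_token=...&token_type=bearer&state=..." into an object.
// URLSearchParams exists in browsers and in Node, so this runs in both.
function parseFragmentToken(hash) {
  const params = new URLSearchParams(hash.replace(/^#/, ""));
  const token = params.get("access_token");
  if (!token) return null;
  return {
    accessToken: token,
    tokenType: params.get("token_type") || "bearer",
    state: params.get("state"),
  };
}

// CSRF check: the "state" echoed back in the fragment must equal the value the
// page stored before starting the redirect.
function stateMatches(token, expectedState) {
  return token !== null && token.state === expectedState;
}

// Inside the HTTPS iframe: relay the token to the parent with an explicit
// targetOrigin (never "*"). If the parent has been navigated to another origin,
// the browser refuses delivery instead of handing the token to that page.
function relayToken(parentWindow, expectedParentOrigin, token) {
  parentWindow.postMessage({ accessToken: token.accessToken }, expectedParentOrigin);
}

// In the parent page: build a "message" handler that accepts a token only from
// the exact origin that hosts the OAuth iframe. Any other frame on the page can
// also call postMessage, so without this check a spoofed token could be injected.
// Returns true when the message was accepted, false when it was dropped.
function makeTokenReceiver(trustedOrigin, onToken) {
  return function handleMessage(event) {
    if (event.origin !== trustedOrigin) return false;
    if (!event.data || typeof event.data.accessToken !== "string") return false;
    onToken(event.data.accessToken);
    return true;
  };
}

// End-to-end run with a fake parent window so the example executes in Node.
// Returns the token the parent accepted, or null if every message was dropped.
function demo() {
  const iframeOrigin = "https://auth.example.test";   // constructed
  const parentOrigin = "https://app.example.test";    // constructed
  const expectedState = "s3cr3t-state";               // constructed

  // Simulated redirect landing in the iframe.
  const token = parseFragmentToken("#access_token=tok_123&token_type=bearer&state=s3cr3t-state");
  if (!stateMatches(token, expectedState)) return null;

  let accepted = null;
  const receive = makeTokenReceiver(iframeOrigin, (t) => { accepted = t; });

  // Fake parent window: postMessage delivers to the handler with a given origin.
  const fakeParent = {
    postMessage(data, targetOrigin) {
      if (targetOrigin !== parentOrigin) return;         // browser would refuse delivery
      receive({ origin: iframeOrigin, data });
    },
  };

  // A spoofed message from an untrusted frame is ignored.
  receive({ origin: "https://evil.example.test", data: { accessToken: "stolen" } });
  // The genuine relay from the iframe is accepted.
  relayToken(fakeParent, parentOrigin, token);
  return accepted;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("accepted token:", demo());
}
```

The origin check on the receiving side and the explicit `targetOrigin` on the sending side are the two halves that the comments' caution is about: each one alone still lets a token leak to a page that was not the intended recipient.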