5

I am designing a web application that is mainly divided into following two parts

  1. Web site (UI) : Node JS Express application will be hosted as www.mysite.com
  2. Rest API: Business logic(Atuhentiation, Authorization, business logic) and will be hosted as some different domain for example api.mysite.com

I want to implement the OAuth2 for this application. I read through OAuth2 and understood it's various flows and based on my understanding, I concluded that "Resource Owner Password Credentials" flow is a way to go as Client and Service both belongs to me and user will also directly register with my application and thus they will provide username and password.

I researched a lot around "Resource Owner Password Credentials" flow but this flow is very less talked and documented. I have very little idea close to ZERO that how I should implement this flow in my application. I am developing Website and Rest API in Node JS. Please guide me around how should I implement this ? Any demos, documentations will be helpful.

Thanks in advance !

Improve this question
1
  • 1
    were you able to make any progress using Resource Owner Password Credentials style ? Can you share what open source libraries you used. Commented Jun 15, 2017 at 8:36

1 Answer 1

Reset to default
2

You are right. Its very little documented, plus it is often misleadingly explained wrong. Most explanations of that flow do not point out, that there are two different situations for that flow.

If you have a SPA or similar open apps, you do NOT want to have the client id nor the client secret with the ROPC flow. Because, everyone could read it. Also, it is not required in the RFC.

Your situation is about 2-legged oauth without delegation.

Here is a very good article about how to secure the ROPC flow: http://andyfiedler.com/2014/09/how-secure-is-the-oauth2-resource-owner-password-credential-flow-for-single-page-apps

Hope that helps, I currently struggle with the same issue.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.