Which oAuth2 Grant should I use for a secure AngularJS site that fetches from API
I am looking for suggestions on the best strategy with this project.
I am creating a SaaS service in which a customer (tenant) can access the service using an iPad app or service website. The service website should be written in AngularJS and laravel. Authorization must be oAuth 2. Users registering on the website will have different roles and different capabilities. In the future, we may expand services and applications using all the same user accounts.
I am having trouble designing a good authentication and authorization strategy for a services website. Since the website will run AngularJS and connect to our own services API, I'm not sure what the best way would be to manage AUTH for the user as well as AngularJS. I understand that an iPad app will probably use something like "Resource Owners Grant", but what about the AngularJS site and code? Should I use Implicit Grant, JWT, or something else? When the user logs in, should they be provided with a TOKEN that resolves all pages in the AngularJS website? If so, am I using something like "Authorization Code Grant" and automatically allow the request without any redirection to the user?
I am also considering having a "login.php" page that authenticates the user and gives the token. It can embed the user profile into the "angularjs" page, and if there is no embedded profile on the AngularJS page, it is redirected to login. But with this solution, I'm still trying to figure out the best way to securely connect an AngularJS page to the API.
I'm pretty confused as the AngularJS site is more or less the front end to our API. But I don't think the user needs to authenticate the request, they should just be logged in.
Thanks for any suggestions or directions. -John
source to share
For your service website, you must use the Implicit Grant Type. This grant type is optimized for scripting in browsers and AngularJS is for sending API request (see Http and resource modules).
Your iPad app can use the Authorization Code Grant Type or Resource Owner Credentials Grant Type.
But don't forget that OAuth2 is an authorization protocol, not an authentication one. If you want to authenticate users using OAuth2, I recommend you implement OpenID Connect ( http://openid.net/connect/ ). Authentication is actually done using a JWT stored in a cookie or local storage.
You should look at the following pages; Google uses the same protocol for user authentication and authorized API calls:
source to share
The implicit grant type is considered by many (lucadegasperi oauth2-server-laravel among others) as the least secure for OAuth2 grant types, so I recommend that you use JWT for your service website.
To integrate JWT with Laravel check out the following library. It works very well and is also supported by the popular Dingo API package for Laravel ( https://github.com/dingo/api ):
Regarding the app (s), if the app is a third party app, please ask for the OAuth2 password as mentioned by Florence Morselli. If it's a third-party app, use the authorization authorization code instead.
source to share