Authentication design handling first JavaScript app and third party apps

I am going to create a web service with all resources exposed via RESTful API. I will have my own user database and the main way they will access the web service will be through the website, which I will also be writing. The website will be composed of HTML pages and JavaScript that will call the API.

There will also be third party apps that will be able to access the API as the user allows them to do so through my authorization server (which I plan to be physically identical to the API server). So using OAuth 2.0 looks like a good fit here.

To reduce complexity and improve maintainability, I would like to treat my own website in the same way that I would treat third-party applications with respect to authentication and authorization.

This, however, raises some concerns that I have not yet been able to satisfy my satisfaction. The following questions are for my website and not for third party apps as they will actually have an easier job in my opinion.

Using OAuth means adding an access token with every request. I can get an access token by specifying its username and password and using an implicit grant . But

• Implicit provision does not support the issuance of refresh tokens. So either I will force the user to log in from time to time by destroying the UI, or the issued access token will have a very long expiration date.

• The JavaScript application will need to store the access token somewhere. I have no experience with how this works, but my guess is that session or local storage is used to achieve this. But if an attacker gains access to the user's browser, he can send valid API requests on his own, as he will likely be able to read the access token. Is CSRF prevention enough to avoid this? Or should I just give up and assume that once someone gains access to the user's browser, all hell breaks down and there is no point in considering this threat in any additional way?

I've read so much about this over the past few days that I'm overwhelmed by the information and can't think of a definite solution. If I didn't end up having to support third-party apps, I would probably just set a forms authentication cookie that would be automatically added by the client to every request, and it would. But I don't want to have double logic for validating requests (access tokens for third party apps and cookies for my own site).

There are people who discourage implicit provision at all ...

Please, please, please just avoid the hidden grant, this is a bag of pain for everyone and it's just not worth implementing if you even care a little about user experience and security.

... which further adds uncertainty to my decision.

All communications will only use HTTPS, of course.

Edit . the official ASP.NET guide on how to secure an API using OAuth also uses the described flow above for a website (except they use the "Password" grant type, not "Implicit"), so maybe I think too much about it and should just take this route.