How to request an access token from a server, only via the frontend, securely and without human interaction?

Hi everyone.

I ran into this: I have a frontend application on one server, which needs to communicate with a REST API on another server, without the client having to log in. The app itself is what will request or send whatever is needed to authenticate. This API generates tokens for authorization. How do I request the token safely via the frontend, and store it safely as well? Thank you for your attention.

  • 1 - If the API you are going to query supports HTTPS, great, because as far as I know there isn't much you can do on the client side alone. 2 - Storing the token securely: I'll wait for an answer too, I don't know anything about this at the moment.

  • Hi Neuber, thank you so much for the quick reply. My advantage is that we are the ones developing this API, so yes, I can use HTTPS. Since I don't have much experience with this, could you send me a link on how this could be implemented via HTTPS?

  • I found something that might be interesting. I'm still reading it, but I'm leaving it here for you to check out too, Neuber: https://stormpath.com/blog/token-auth-spa and there's also this one: https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage

1 answer

I have a frontend application on one server, which needs to communicate with a REST API on another server, without the client having to log in.

I'm assuming you mean that on a server S you have a web application WA, composed of both a back-end and a front-end.

The app itself is what will request or send whatever is needed to authenticate.

By "app", I understand the back-end part of the web application.

This API generates tokens for authorization. How do I request the token securely via the frontend, and store it securely as well?

If you want security, never manage tokens on the client side: never trust the integrity of the client side. Suggested implementation:

  • Keep application credentials (secret key, application ID, etc.) in the back end exclusively.
  • If a user of the application WA needs customized content from the remote REST API, obtain remote credentials for that user and store them in the back-end (e.g. user U1, remote token {4258041c-0180-4bdf-8f5f-962021225eca}).
  • Your web application should route calls only to your own back-end; if you need remote REST API content, make that connection from the back-end.

  • Hi, @Meiaesquerda. Thank you for your attention. But I don't have access to the "S" server, I only have access to the "WA" frontend. For now, my idea is to create a temporary access for "WS" when it requests it, validating the source, then delegating it to a previously created permanent user in the API, and storing the returned token in a short-expiration httpOnly cookie, since at least that way it is not exposed to JavaScript. I appreciate the attention, and if anyone has a better idea, I'm all ears.
