
There is an OAuth2 Authorization Server to get an access + refresh token. As far as I understand, the access token can be stored on the client side, because it has a short life cycle. But can the refresh token be stored there? According to the information I've read, there is no secure way to do it (here).

So, I have to implement separate server-side service, just to store refresh token.

Am I right? Is it the only possible way to store the refresh token?

P.S. Client-side: angularJS

  • If you have a single page you can store it in memory; if you have multiple pages, use localStorage. Just make sure that your server only accepts requests from trusted domains or trusted client_ids. Commented Feb 19, 2016 at 14:03
  • @A1rPun Is localStorage totally secure? And actually the client_id is public information. Commented Feb 19, 2016 at 14:13
  • LINK: After registering your app, you will receive a client ID and a client secret. The client ID is considered public information, and is used to build login URLs, or included in Javascript source code on a page. The client secret must be kept confidential. If a deployed app cannot keep the secret confidential, such as Javascript or native apps, then the secret is not used. Commented Feb 19, 2016 at 14:30
  • I stumbled across this article recently: bitoftech.net/2014/07/16/… Commented Feb 19, 2016 at 14:34

1 Answer


Yes, you are right. If you cannot authenticate with the Authorisation server (i.e. pass the client ID and secret) then you will only get a short-lived access token.

As the Angular code is on the client, it would be insecure for it to hold your client secret. Therefore you cannot pass your client secret to the Auth server, so you cannot authenticate.

Also, your server code would not just store a token; it would be expected to host an endpoint which accepts an auth code and then calls the Auth server with that code (and your client credentials) to get an access token and a refresh token.

The auth code would be supplied to your server endpoint via a call from the auth server, through an HTTP redirect, following successful user login and the user granting access to your app.
