AngularJS + OAuth

Here is a simple example using just redirects with AngularJS. Here is how to redirect to authentication:

angular.module('angularoauthexampleApp')
  .controller('MainCtrl', function ($scope) {
    $scope.login = function() {
      var client_id = "your client id";
      var scope = "email";
      var redirect_uri = "http://localhost:9000";
      var response_type = "token";
      var url = "https://accounts.google.com/o/oauth2/auth?scope=" + scope + "&client_id=" + client_id + "&redirect_uri=" + redirect_uri + "&response_type=" + response_type;
      window.location.replace(url);
    };
  });

Here is how to handle the redirect after authentication:

angular
  .module('angularoauthexampleApp', [ ])
  .config(function … Read more

OAuth 2: separating resource server and authorization server

OAuth2 framework docs: https://www.rfc-editor.org/rfc/rfc6749
(A) The client requests an access token by authenticating with the authorization server and presenting an authorization grant.
(B) The authorization server authenticates the client and validates the authorization grant, and if valid, issues an access token and a refresh token.
(C) The client makes a protected resource request to … Read more

How to interact with back-end after successful auth with OAuth on front-end?

We have 3 main security concerns when creating an API. Authentication: An identity provider like Google is only a partial solution. Because you don’t want to prompt the user to login / confirm their identity for each API request, you must implement authentication for subsequent requests yourself. You must store, accessible to backend: A user’s … Read more

Issuing “API keys” using Keycloak

I finally found a solution that works well and seems to be “the Keycloak way” to issue credentials to external applications. To create a new set of credentials, add a new Keycloak client and change the following settings:
Standard Flow Enabled: OFF
Direct Access Grants Enabled: OFF
Access Type: Confidential
Service Accounts Enabled: ON
The … Read more

What is an opaque token?

A JWT has readable content, as you can see for example on https://jwt.io/. Everyone can decode the token and read the information in it. The format is documented in RFC 7519. An opaque token on the other hand has a format that is not intended to be read by you. Only the issuer knows the … Read more