As you probably know, the question describes the most common (and usually, the more secure) OAuth “Authorization Code” flow. To be clear, here’s an approximation of the steps in this flow:
- User indicates that they wish to authorize resources for our application (for example, by clicking on a button)
- The application redirects the user to the third-party login page, where the user logs in and selects which resources to grant access to
- The third-party service redirects the user back to our application with an authorization code
- Our application uses this code, along with its client ID and secret to obtain an access token that enables the application to make requests on behalf of the user only for the resources that the user allowed
Until step 2, everything happens in the client side. But in step 3, I need to have client_id and client_secret. I don’t think it’s a good idea to store these values in the client side. Does that mean I need to have a backend server that has these two values[?]
You’re correct, it’s certainly not a good idea to store these values in the client-side application. These values—especially the client secret—must be placed on a server to protect the application’s data. The user—and therefor, the client application—should never have access to these values.
The server uses its client ID and secret, along with the authorization code, to request an access token that it uses for API calls. The server may store the token it receives, along with an optional refresh token that it can use in the future to obtain a new access token without needing the user to explicitly authorize access again.
…and my backend should convert CODE123 to TOKEN123 and hand it to the client side?
At the very least, our server should handle the authorization flow to request an access token, and then pass only that token back to the client (over a secure connection).
However, at this point, the client-side application (and the user of that client) is responsible for the security of the access token. Depending on the security requirements of our application, we may want to add a layer to protect this access token from the client as well.
After the server-side application fetches the access token from the third-party service, if we pass the access token back to the client, malware running on the client machine, or an unauthorized person, could potentially obtain the access token from the client, which an attacker could then use to retrieve or manipulate the user’s third-party resources through privileges granted to our application. For many OAuth services, an access token is not associated with a client. This means that anyone with a valid token can use the token to interact with the service, and illustrates why our application should only request the minimum scope of access needed when asking for authorization from the user.
To make API calls on behalf of a user more securely, the client-side application could send requests to our server, which, in turn, uses the access token that it obtained to interact with the third-party API. With this setup, the client does not need to know the value of the access token.
To improve performance, we likely want to cache the access token on the server for subsequent API calls for the duration of its lifetime. We may also want to encrypt the tokens if we store them in the application’s database—just like we would passwords—so the tokens cannot be easily used in the event of a data breach.