
security - Safe way to consume REST Oauth 2.0 API from javascript - Stack Overflow


I'm about to start developing a Business application where I want the frontend to be a single page javascript solution. The backend is provided as a REST API. How can I in a safe way access the REST API from the Javascript frontend?

I've already started developing OAuth 2.0 in my REST API and I already know about the "Implicit Grant Flow" which is the recommended flow for javascript clients. The problem is that this flow should only provide short lived access tokens (maybe 1 hour?).

The users of my system will typically login in the morning and work in the application all day (8 hours) and logout before leaving the job, but if the access token lives only for an hour they would have to login again every hour, which is not acceptable. How do you solve this?


asked Apr 4, 2012 at 6:32 by rgullhaug
  • One solution I can think of is, instead of returning an access token which expires in 1 hour, to return an access_token with a sliding expiration. For every call the client makes to the API the expiration time is renewed with i.e. 20 min. But is this considered safe? I've never seen OAuth servers using sliding expiration. – rgullhaug Commented Apr 4, 2012 at 8:39

1 Answer


We (Ping Identity) support sliding expiration of access tokens in our OAuth AS implementation - there's nothing OAuth 2.0 spec-wise that says you can't do that. For other grant types you'd have a refresh token involved for longer lifetimes - but implicit doesn't work with them.

Not sure if you need a JavaScript OAuth toolkit, but here's one that's probably suitable for your purposes.
