I am looking for suggestions on best strategy with this project.
I am building a SaaS service in which a client (tenant) may be able to access the service using an iPad app or the service website. The service website is to be written in AngularJS and laravel. Authorization is to be oAuth 2. Users logging into the website will have different roles for and different abilities. In the future we may expand services and apps, all using the same user accounts.
I am having problems working out a good authentication and authorization strategy for the services website. Since the website will run AngularJS and will connect to our own services API, I am not sure what the best way would be to handle AUTH for the user and also AngularJS. I understand that the iPad app probably will use something like "Resource Owners Grant", but what about the AngularJS website and code? Should it use "Implicit Grant", "JWT" or something else? When a user logs in, should they be given a TOKEN that authorizes all the pages on the AngularJS website? If so, do I use something like "Authorization Code Grant" and automatically authorize the request without doing some sort of redirect for the user?
I am also considering having a "login.php" page that authorizes the user and gives the token. It could embed the user's profile on the "angularjs" page and if the AngularJS page doesn't have the embedded profile, it redirects to login. But with this solution, I am still trying to figure out how to best securely connect the AngularJS page to the API.
I am quite confused since the AngularJS website is more or less an interface for our API. But I don't think the user should have to go through the "request authentication" process, they should just log in.
Thanks for any suggestions or direction. -John
For your service website, you should use the Implicit Grant Type. This grant type is optimized for scripts in browsers and AngularJS is designed to send API requests (see the http and resource modules).
Your iPad app could use the Authorization Code Grant Type or the Resource Owner Password Credentials Grant Type.
But do not forget that OAuth2 is an Authorization protocol, not an Authentication one. If you want to authenticate users using OAuth2, I recommend you implement OpenID Connect (http://openid.net/connect/). In fact, the authentication is done using a JWT stored in a cookie or the local storage.
You should look at the following pages; Google uses the same protocol to authenticate users and authorize API calls:
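As an added example (not part of the question or of this answer), here is the browser-side step the Implicit Grant plus OpenID Connect flow requires of the AngularJS site: reading the tokens out of the redirect URL fragment, binding the response to the request via `state`, and checking the `id_token` claims (`iss`, `aud`, `exp`, `nonce`). The issuer, client id, state, nonce and token values are constructed placeholders; the signature check, which needs the provider's published keys and a JOSE library, is deliberately left out.

```javascript
// Added example, not code from the original post. Handles the fragment an
// Implicit Grant / OpenID Connect provider appends to the SPA redirect URI.
function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - s.length % 4) % 4);
  return typeof atob === 'function' ? atob(b64) : Buffer.from(b64, 'base64').toString('binary');
}
function base64UrlEncode(s) {
  const b64 = typeof btoa === 'function' ? btoa(s) : Buffer.from(s, 'binary').toString('base64');
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
// Parse "#access_token=...&state=...&id_token=..." into a plain object.
function parseFragment(hash) {
  const params = {};
  for (const pair of hash.replace(/^#/, '').split('&')) {
    if (!pair) continue;
    const [k, v = ''] = pair.split('=');
    params[decodeURIComponent(k)] = decodeURIComponent(v);
  }
  return params;
}
// Decode the JWT payload only; this does NOT verify the signature.
function decodeJwtClaims(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}
// `expected` is what the SPA stored (e.g. in sessionStorage) before redirecting
// the user to the authorization endpoint. Rejects the response on any mismatch.
function validateImplicitResponse(hash, expected, nowSeconds) {
  const p = parseFragment(hash);
  if (p.error) return { ok: false, reason: 'provider error: ' + p.error };
  if (!p.state || p.state !== expected.state) return { ok: false, reason: 'state mismatch' };
  if (!p.access_token || !p.id_token) return { ok: false, reason: 'missing tokens' };
  const claims = decodeJwtClaims(p.id_token);
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (claims.iss !== expected.issuer) return { ok: false, reason: 'wrong issuer' };
  if (!aud.includes(expected.clientId)) return { ok: false, reason: 'wrong audience' };
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) return { ok: false, reason: 'id_token expired' };
  if (claims.nonce !== expected.nonce) return { ok: false, reason: 'nonce mismatch' };
  return { ok: true, accessToken: p.access_token, claims };
}
// Constructed sample: a fake id_token (placeholder signature) and redirect fragment.
const SAMPLE_CLAIMS = { iss: 'https://idp.example.com', aud: 'spa-client-id', sub: 'user-42',
  iat: 1700000000, exp: 1700003600, nonce: 'n-9f3a' };
const SAMPLE_ID_TOKEN = [base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' })),
  base64UrlEncode(JSON.stringify(SAMPLE_CLAIMS)), 'placeholder-signature'].join('.');
const SAMPLE_HASH = '#access_token=at-abc123&token_type=Bearer&expires_in=3600&state=s-77c1&id_token=' + SAMPLE_ID_TOKEN;
const EXPECTED = { state: 's-77c1', nonce: 'n-9f3a', issuer: 'https://idp.example.com', clientId: 'spa-client-id' };
console.log(validateImplicitResponse(SAMPLE_HASH, EXPECTED, 1700000000));
```

In the real app the same check runs in the route that receives the redirect, and only after it passes is the access token attached as a `Bearer` header on calls to the API.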