Web app OAuth
Hi, I'm developing an app with Box integration. The app has only the client part, with no server. I'm not sure which authorization flow should I use, as the Box has only the `code` OAuth flow.
the first concern I have is exposing the 'client secret' code - I need to store is somewhere in a config file. Then there is refreshing the access token - with Box OAuth there is only the refresh token which I assuming is not the right choice for the web app either.
Could you please advice how to achieve safe authorization, ideally with some kind of "silent" refreshing of the access token?
-
hi,
our app should be capable of reading / writing files to various services - GDrive, Box, Dropbox etc through the OAuth2 authorization flow.
We have no backend available, so we can't store securely refresh tokens, nor the client secret Id's. For example, for the GDrive we are using scenario described here https://developers.google.com/identity/protocols/OAuth2UserAgent. It performs the OAuth2 implicit grant flow.
I'd like to know how to securely perform the OAuth2 authorization to BOX api with no backend (without the client secret Id). Or, is it ok to store the client secret on the client side?
Please sign in to leave a comment.
Comments
3 comments