I'm new to OAuth (1 & 2), and I'm developing the server side of a mobile app that has a form with a "Fill Details from Google account" button. I don't need any long-range authentication/authorization.
From here (Listing 2) I understand that the server should have a controller that:
- When called without a `code` in the query it will refer the user to get one (in an AuthorizationEndpoint such as: https://accounts.google.com/o/oauth2/auth).
- When called with a `code` in the query, the server will send an HTTP request to the TokenEndpoint (https://accounts.google.com/o/oauth2/token) to convert the code to an access-token (using a secret-key that is passed in the request).
At this stage, my server is supposed to be able to use the access-token to fetch the user's details from https://www.googleapis.com/plus/v1/people/me - and then return the details to the user's app, to fill in its form.
Am I (the server developer) allowed to be lazy and return the access-token to the user, instead of its details? i.e., let the user app make the request to https://www.googleapis.com/plus/v1/people/me.
This will allow, in the future, to give more power to the client app without changing the code on my server.
Thanks
Your server should not expose its access token to client applications for several reasons.
The whole point of the OAuth protocol is to give safe and limited access rights to a 3rd party without exposing your own credentials (e.g. identifiers, passwords, etc). You shouldn't ignore this.
A token is issued to a specific OAuth client, in your case it's the server. Sharing the token does not change this. User details are still accessed on your server's behalf instead of the client app's; you're responsible in case of any problem.
An access token is supposed to be short-lived, it usually expires in a few minutes. Unless the client fetches the data immediately, it's no use. Refresh tokens are used as permanent grants, but you should never ever share them unless you intentionally want to screw up your server security.
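The controller described in the question, written the way this answer recommends: the code exchange, the client secret and the access token all stay on the server, and only the profile fields the form needs go back to the app. This is an added example, not code from the question or from Google; the client id/secret, redirect URI, the `state` check (not mentioned in the question) and the assumed profile field names `displayName`/`emails` are my assumptions, and the two HTTP helpers are injected so it runs offline.

```python
import secrets
from urllib.parse import urlencode

# Google endpoints quoted in the question; client id/secret and redirect URI are placeholders.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"
TOKEN_ENDPOINT = "https://accounts.google.com/o/oauth2/token"
PROFILE_ENDPOINT = "https://www.googleapis.com/plus/v1/people/me"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
CLIENT_SECRET = "CLIENT_SECRET_PLACEHOLDER"
REDIRECT_URI = "https://example.invalid/oauth/callback"

# Server-side store of outstanding logins (in memory for the example; a session store in practice).
_pending_states = set()


def start_login():
    """No `code` in the query: build the redirect to the authorization endpoint."""
    state = secrets.token_urlsafe(16)  # one-time value, checked when the user comes back
    _pending_states.add(state)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "profile",
        "state": state,
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def handle_callback(query, post_json, get_json):
    """`code` is in the query: exchange it server-side and return only profile details.

    post_json(url, form) and get_json(url, headers) are the server's HTTP helpers
    (injected here so the example runs offline). The access token never leaves this function.
    """
    state = query.get("state")
    if state not in _pending_states:
        raise PermissionError("unknown or reused state")  # rejects forged or replayed callbacks
    _pending_states.discard(state)
    token_resp = post_json(TOKEN_ENDPOINT, {
        "grant_type": "authorization_code",
        "code": query["code"],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,  # the secret stays on the server
    })
    access_token = token_resp["access_token"]
    profile = get_json(PROFILE_ENDPOINT, {"Authorization": f"Bearer {access_token}"})
    emails = profile.get("emails") or []  # field names assumed for the example
    # Only the fields the form needs go back to the app: no token, no raw response.
    return {"name": profile.get("displayName"), "email": emails[0]["value"] if emails else None}
```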