broox

Anyone wanna have a quick, conceptual chat about accessing an OAuth2 based API with JS? I need sanity checks.

@broox @clint how conceptual?
@broox @clint I did that once, and it actually worked well. Sure felt strange, though!

leed0 posted

@broox i’m game, get my phone number from @leed0 or @clint or follow and i’ll dm
@broox @clint try t.co/jbEnYbeNgo - advice is don't try and do it yourself, way too easy to mess it up.
@broox @leed0 @clint added on hangouts
@scottgal @clint implicit grants aren't sufficient as we need to authenticate userless clients as well.

broox posted

@broox @clint For userless you can only really use t.co/bJrSwMD6Fk Client Credentials Grant...but can't see how to secure that on JS.
Could get an access token with a short lifecycle or call an API you control to make the requests for you. You would still need authentication, so you will need some sort of OTP or short lifecycle token you generate.

Depends somewhat on the version of OAuth2 the API provided. Google has a good article on how to call their APIs, but they did OAuth 2 correctly:
developers.goog...OAuth2UserAgent
what makes you think our OAuth2 API wasn't built correctly? ;)
Wasn't sure if you were consuming yours or a 3rd party API.
the tricky part is that we have some endpoints that use the client_credentials flow, so we can't do pure JS/implicit grants
@scottgal yep, i totally understand that... i've built something that supports both client and user grants. email me! [email protected]

broox posted

@BonzoESC @broox @clint I will spare you an awkward hangout, my email is lee at arstechnica dot com

leed0 posted
