Share access token between frontend and backend

Hello :slight_smile:

I am developing an application where I use Blizzard OAuth2 to manage user authentication (because the application is reserved for WoW players).

The stack was MySQL + Java Spring Boot + React.

I configured Spring Security to handle user login (redirect + endpoint protection). So I can get the user access token in the backend.
I’m doing some API calls with the backend to fetch data for the application logic.

But I want to do some API calls on the frontend to display information, etc. For that I want to share the user access token between the backend and the frontend.

Is it a good idea? Or do I have to make all API calls from my backend?

Thank you very much

Dohakor

For security, it is generally a bad idea to share any OAuth2 access_token with the front-end, as it might get intercepted by third parties.

Besides security, there are a few other things to consider:

  1. Some endpoints (if not all of them) are protected by CORS and will just not work in most scenarios.
  2. You can’t properly handle the 36k req/hour limit from the client-side.
  3. The user access_token gives access to some user’s personal information, that raises some GDPR/privacy concerns.
  4. The API ToS specifically says you should never share your credentials. Since the token is created in the context of your application I assume it includes any token authorizing requests on its behalf.

Oh ok
And if I add the OAuth2 workflow on the frontend?
I have a redundancy, yes, but I can get the user access token and the token of the application without calling the backend of my application.

That is even worse; that way you’ll have to expose everything, including your own client credentials, to the front-end.

Oh :’(

Do you have any recommendation?

You must handle all Blizzard API data on the server-side. Since you already have a server that should be easy to implement.

You can create simple endpoints just to proxy the data. I created this project to handle situations like this: https://gitlab.com/francisschiavo/blizzard-api-proxy

If you look at profile endpoints you’ll see the actual bnet token is mapped to another project-specific token. That means the communication from the front-end to the backend will never leak a token that can be used to access data directly from Blizzard, keeping the user token and your credentials safe.
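The token-mapping pattern this answer describes, written out as an added example. This is not code from the thread or from the blizzard-api-proxy project, and it uses plain Python rather than the original poster's Spring Boot backend so it runs offline; the names `TokenVault`, `HourlyBudget`, `proxy_profile`, the `ManualClock`, and the constructed token and profile values are all hypothetical. The backend stores the real Blizzard access_token after the OAuth2 callback, hands the browser only an unrelated random session id, and every frontend request is resolved server-side, rate-budgeted, and answered with only the fields the UI needs.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class StoredToken:
    access_token: str   # the real Blizzard user access_token, never sent to the browser
    expires_at: float   # unix timestamp after which the mapping is discarded


class TokenVault:
    """Server-side mapping from an opaque, app-specific session id to the
    Blizzard user access_token obtained during the OAuth2 login."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._sessions: Dict[str, StoredToken] = {}

    def issue_session(self, bnet_access_token: str, expires_in: int) -> str:
        # 32 random bytes: unguessable, and mathematically unrelated to the real token
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = StoredToken(bnet_access_token, self._clock() + expires_in)
        return session_id

    def resolve(self, session_id: str) -> Optional[str]:
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        if entry.expires_at <= self._clock():
            del self._sessions[session_id]   # expired: forget it and force a new login
            return None
        return entry.access_token


class HourlyBudget:
    """Fixed-window counter for the upstream per-hour request limit, kept on the
    server so all clients share one quota (36k/hour is the figure from the thread)."""

    def __init__(self, limit: int = 36_000, clock: Callable[[], float] = time.time) -> None:
        self._limit = limit
        self._clock = clock
        self._window_start = clock()
        self._count = 0

    def allow(self) -> bool:
        now = self._clock()
        if now - self._window_start >= 3600:
            self._window_start, self._count = now, 0
        if self._count >= self._limit:
            return False
        self._count += 1
        return True


def proxy_profile(vault: TokenVault, budget: HourlyBudget, session_id: str,
                  fetch_upstream: Callable[[str], dict]) -> Tuple[int, dict]:
    """Shape of a backend endpoint such as GET /api/profile.
    `fetch_upstream(token)` stands in for the HTTP call to the Blizzard API."""
    bnet_token = vault.resolve(session_id)
    if bnet_token is None:
        return 401, {"error": "invalid or expired session"}
    if not budget.allow():
        return 429, {"error": "upstream request budget exhausted"}
    profile = fetch_upstream(bnet_token)
    # Return only what the UI needs; the raw payload and the token stay server-side.
    return 200, {"character": profile["name"], "realm": profile["realm"]}


# --- constructed stand-ins so the example runs offline -----------------------

def fake_blizzard_profile(token: str) -> dict:
    """Constructed stand-in for the Blizzard profile API; accepts one made-up token."""
    if token != "bnet-user-token-CONSTRUCTED":
        raise PermissionError("upstream rejected token")
    return {"name": "Thrall", "realm": "Orgrimmar", "id": 12345}


class ManualClock:
    """Constructed clock so token expiry can be exercised without sleeping."""
    def __init__(self, now: float = 1_700_000_000.0) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now


def demo() -> Tuple[str, Tuple[int, dict], Tuple[int, dict], Tuple[int, dict]]:
    clock = ManualClock()
    vault = TokenVault(clock)
    budget = HourlyBudget(limit=36_000, clock=clock)
    # After the OAuth2 callback the backend keeps the real token and returns only the session id.
    session_id = vault.issue_session("bnet-user-token-CONSTRUCTED", expires_in=3600)
    ok = proxy_profile(vault, budget, session_id, fake_blizzard_profile)
    bogus = proxy_profile(vault, budget, "not-a-real-session", fake_blizzard_profile)
    clock.now += 3601   # token lifetime has elapsed
    expired = proxy_profile(vault, budget, session_id, fake_blizzard_profile)
    return session_id, ok, bogus, expired
```

In a Spring Boot backend the same shape maps onto a server-side session (or a backend store keyed by the session id) holding the Blizzard token, with the React app only ever carrying the session cookie or id; the client credentials used for the application token likewise never leave the server.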

ok ok :slight_smile:

Thank you very much for your help!