Doorkeeper: Doorkeeper Vue frontend with API backend

Created on 25 Apr 2019  路  7Comments  路  Source: doorkeeper-gem/doorkeeper

Hi,

I plan the following architecture for a small application:

  • myapp.com

    • Oauth provider with doorkeeper, doorkeeper-jwt and devise authentication

    • Web SPA app with Vue frontend and API backend (register, login, logout, etc.)

    • Later a mobile app that uses the API backend and authenticates with the oauth provider.

Oauth provider and API backend are the same Rails application. I'm desperate and looking for days to find a secure solution how to implement it. I read about how to not store tokens (refresh tokens) on browsers local and session storage. I also read about HttpOnly cookies etc. I have also read about SPA + API apps and that Authorization Code Flows are more secure then Implicit flows.

  1. Can the SPA app that serves the login form for Doorkeeper also be an oauth client using Authorization Code Flow of the doorkeeper provider?
  2. How to store refresh tokens in a secure way?
  3. Any idea what I misunderstand or what is bad in my design?

Suggestions are very appreciated!

questiodiscussion wontfix

Most helpful comment

Hi @nbulaj! Thank you for the reply. I have found all answers to my questions by myself. But now I'm confused with the config api_only.

How can I do a redirect of /oauth/authorize actions if doorkeeper is configured as api_only? I want to code views by my own SPA app with login form and authorize app question form. api_only renders always a JSON as response.

How solves other developer this scenario? I cannot find nothing about that in other issues and wiki pages.

All 7 comments

Hi @matthewford . Actually you can use Stack Overflow to ask such questions. GitHub issues tracker we use to add issues and, possibly, feature requests.

Hi @nbulaj! Thank you for the reply. I have found all answers to my questions by myself. But now I'm confused with the config api_only.

How can I do a redirect of /oauth/authorize actions if doorkeeper is configured as api_only? I want to code views by my own SPA app with login form and authorize app question form. api_only renders always a JSON as response.

How solves other developer this scenario? I cannot find nothing about that in other issues and wiki pages.

There does seem to be a lack of documentation on how to properly implement doorkeeper in api_only mode with a detached frontend.

@phlegx I have the same questions as you except I have a React frontend! Can you please the answers to your questions when you get the chance?

Is this solved? how was your implementation with api_only?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@veeral-patel @errawn have you found a solution?

Was this page helpful?
0 / 5 - 0 ratings

Related issues

f3ndot picture f3ndot  路  6Comments

krtschmr picture krtschmr  路  6Comments

ianbayne picture ianbayne  路  3Comments

ulitiy picture ulitiy  路  5Comments

rafaelsales picture rafaelsales  路  4Comments