Secure OAuth in Javascript

Question

I have an api which uses OAuth 1.0a to authenticate applications using it. It\'s replacing an old api which used a number of custom built and hodge-podge calls which are being d

Answer 1

So you have a website on example.com, and it needs access to api.com. Your extension assumes the user is logged in to example.com, extracts the session cookie and passes it to api.com to get an Oauth token. Sounds reasonable, but there are easier ways without having to write browser plugins.

In your case, api.com is going to communicate with example.com to verify the session cookie. There is a strong dependency between the two systems. OAuth is usually used where example.com and api.com do NOT trust each other.

Because the two systems already have some sort of trust in each other, you can do various things to simplify the architecture :

1. You can create a proxy hosted on example.com/api/* that verifies the session and then blindly forwards to api.com/*. As far as the browser is concerned, there are no cross-domain requests, so everything works great.
2. You can use federated login across domains. This is more complicated than the proxy method, but you can easily find an existing implementation for your platform.