2 Replies Latest reply on Aug 13, 2015 10:10 AM by butch

    Is OAuth Token via grant_type=authorization_code WITHOUT server-to-server communication possible?


      One of our clients wishes to use our solution but they've firewalled their Jive server from the internet.


      This means our server cannot do the final CURL to oauth2/token described in OAuth 2.0 to fetch the final OAuth token/refresh token.


      You might ask: if there is no server-to-server communication, why do you need an OAuth token in the first place?  Trust me, we have a use case...


      One potential solution is to do the oauth2/token curl via AJAX on the client side by passing all the data needed from the ticket query parameter.


      I've proof-of-concepted this - it works - but it has a potentially huge security implication: the request requires both the client_id/client_secret of your application to be exposed to the end user.


      Question 1) Is there something I'm brain farting on where this is possible without exposing these credentials?


      Question 2) What are the security implications of exposing the client_id/client_secret if your app is not running as a signed package?  What could someone theoretically do with the client_id/client_secret of the Jive application other than grant themselves OAuth tokens?  I know in Facebook this is very bad - as you can get an OAuth token for app and do all sorts of things...  But if we're not using signed packages - what are some of the threats?  I suppose they could prompt the user with their own OAuth dance pointing to their own server and impersonate us?


      Obligatory ping to Ryan Rutan
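
The exposure described in the post above can be checked for mechanically when reviewing front-end traffic. This is an added example, not part of the original thread and not Jive code: it inspects a browser-originated token request for client credentials sent in either of the two ways RFC 6749 allows (HTTP Basic header or form parameters). The host name, request objects and credential values are constructed placeholders, and Node.js is assumed for `Buffer`.

```javascript
// Added example: audit a browser-originated OAuth token request for client
// credentials. All sample values below are constructed placeholders.

// Reports where a request carries the client secret, i.e. where the end
// user could read it from dev tools, a proxy or the page source.
function findClientSecretExposure(request) {
  const findings = [];
  const headers = {};
  for (const [name, value] of Object.entries(request.headers || {})) {
    headers[name.toLowerCase()] = value; // header names are case-insensitive
  }

  // RFC 6749 section 2.3.1: HTTP Basic carrying client_id:client_secret.
  const auth = (headers["authorization"] || "").trim();
  const basic = /^Basic\s+([A-Za-z0-9+/=]+)$/i.exec(auth);
  if (basic) {
    const decoded = Buffer.from(basic[1], "base64").toString("utf8");
    const sep = decoded.indexOf(":");
    if (sep > 0 && sep < decoded.length - 1) {
      findings.push({ where: "Authorization header", clientId: decoded.slice(0, sep) });
    }
  }

  // Same section, alternative: credentials as form parameters in the body.
  const body = new URLSearchParams(request.body || "");
  if (body.get("client_secret")) {
    findings.push({ where: "request body", clientId: body.get("client_id") });
  }

  return { isCodeExchange: body.get("grant_type") === "authorization_code", findings };
}

// Constructed samples: the same code exchange sent three ways from the browser.
const TOKEN_URL = "https://jive.example.invalid/oauth2/token"; // placeholder host
const CODE_ONLY = "grant_type=authorization_code&code=PLACEHOLDER_CODE";
const SAMPLE_BODY_LEAK = {
  url: TOKEN_URL,
  headers: { "Content-Type": "application/x-www-form-urlencoded" },
  body: CODE_ONLY + "&client_id=example-client-id&client_secret=example-client-secret",
};
const SAMPLE_BASIC_LEAK = {
  url: TOKEN_URL,
  headers: {
    authorization:
      "Basic " + Buffer.from("example-client-id:example-client-secret").toString("base64"),
  },
  body: CODE_ONLY,
};
const SAMPLE_NO_SECRET = { url: TOKEN_URL, headers: {}, body: CODE_ONLY };
```

Base64 in the Basic header is encoding, not protection, which is why the header case is reported the same way as the plain form parameter.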