OAuth, JavaScript, Backend Infrastructure

When there is an alternative, it is more secure to keep tokens out of the browser.

Specifically talking about clients that are split between a front end or JavaScript app and backend systems that exist specifically to support that app or those apps.

Questions on whether this would also apply equivalently to native apps, which may have different capabilities and infrastructure requirements. It likely does work, but

OAuth in the browser can be complicated, and authorization servers (ASs) don't necessarily provide sufficient security features or support for web interaction.

Bespoke workarounds acquire tokens on the backend and pass them to the frontend. Implementers may have security issues and may not understand how to map best current practices.


  1. Backend gets and stores tokens, JavaScript frontend gets a cookie
  2. Request to backend for access (scopes, potentially resource)
  3. Backend returns the token, requests new token with appropriate scope, etc.

What is the scope? Acquiring a token for direct API access; this is not necessarily prescriptive for BFF architectures, which put all API interactions through the BFF. (DW) raised the issue that simply converting OAuth calls in a remote party to local API calls protected by a cookie disables some security protections provided by OAuth tokens (XSRF), so some sort of BFF best practices may be needed to prevent footguns.
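The three steps above, together with the XSRF concern about cookie-protected endpoints, as an added example that is not from the session notes: a backend handler that keeps the refresh token server-side and hands the frontend only a narrowly scoped access token. The cookie name, the origin, the `refreshAtAS` stub, the requirement that the endpoint is called with POST (so browsers send `Origin`) and the sample session are all assumptions.

```javascript
// Added example: sketch of a token-mediating backend. All names are hypothetical.
const ALLOWED_ORIGIN = "https://app.example"; // assumption: the frontend's origin
const sessions = new Map(); // session id (from cookie) -> tokens held server-side

// Stand-in for the refresh_token grant at the AS token endpoint. RFC 6749
// section 6 lets the client ask for a narrower scope than originally granted.
// A real implementation would send refreshToken to the AS; this stub ignores it.
function refreshAtAS(refreshToken, scopes, now) {
  return { access_token: `at-${scopes.join("+")}-${now}`, expires_at: now + 300 };
}

function sessionIdFromCookie(cookieHeader) {
  const m = /(?:^|;\s*)__Host-session=([^;]+)/.exec(cookieHeader || "");
  return m ? m[1] : null;
}

// Steps 2 and 3: the frontend asks for a token with given scopes; the backend
// answers from its store or requests a down-scoped token. `now` is in seconds.
function handleTokenRequest(req, now) {
  // Cookie-authenticated endpoint, so cross-site callers must be rejected (XSRF).
  if (req.headers.origin !== ALLOWED_ORIGIN)
    return { status: 403, body: { error: "bad_origin" } };
  const session = sessions.get(sessionIdFromCookie(req.headers.cookie));
  if (!session) return { status: 401, body: { error: "no_session" } };
  const wanted = Array.isArray(req.scopes) ? [...req.scopes].sort() : [];
  // Never hand out more than the user granted at login.
  if (wanted.length === 0 || !wanted.every((s) => session.grantedScopes.includes(s)))
    return { status: 400, body: { error: "invalid_scope" } };
  const key = wanted.join(" ");
  let tok = session.cache.get(key);
  if (!tok || tok.expires_at - now < 30) { // missing or about to expire
    tok = refreshAtAS(session.refreshToken, wanted, now);
    session.cache.set(key, tok);
  }
  // Only the access token leaves the backend; the refresh token never does.
  const body = { access_token: tok.access_token, scope: key, expires_in: tok.expires_at - now };
  return { status: 200, body };
}

// Constructed sample session, as if step 1 (login on the backend) had completed.
sessions.set("s3ss10n", {
  refreshToken: "rt-constructed",
  grantedScopes: ["calendar.read", "mail.read", "mail.send"],
  cache: new Map(),
});
```
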

It features two dice, one for grants and another for application types. Throw the dice and consult the instructions to discover whether the combination of grant and application type you obtained happens to be a good one! Play a few times, and before you know it, you’ll be familiar with the most common combinations!

Aaron Parecki - Mr. OAuth has a new course out on Udemy

3.5 hours of video content, quizzes, as well as interactive exercises with a guided learning tool to get you quickly up to speed on OAuth, OpenID Connect, PKCE, best practices, and tips for protecting APIs with OAuth.