Sep 4, 2016
Passport - replacement for user authentication?
Hi, is it a good idea to use Passport just for user authentication? I have my own (first-class) client JavaScript application, so I can create a new OAuth Password Grant Client. The docs say:
    // Guzzle HTTP client used to call the token endpoint
    $http = new GuzzleHttp\Client;

    $response = $http->post('http://your-app.com/oauth/token', [
        'form_params' => [
            'grant_type' => 'password',
            'client_id' => 'client-id',
            'client_secret' => 'client-secret',
            'username' => '[email protected]',
            'password' => 'my-password',
            'scope' => '',
        ],
    ]);
But how and where do I hide the client_secret? It is a JavaScript app and anyone can see its source code; after that, they can simulate my app/first-class client.
The second question is how Password Grant Tokens can work with multiple devices/browsers. Can a user be authenticated in multiple browsers? Thank you
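Code shipped to a browser cannot keep a secret, so one common arrangement is for the JavaScript app to send only the username and password to the application's own backend, which then adds the client credentials to the POST shown in the question. The sketch below is an added example, not part of the original post or the Passport documentation; `buildTokenParams` and the environment variable names `PASSPORT_CLIENT_ID` and `PASSPORT_CLIENT_SECRET` are hypothetical, and all sample values are constructed.

```php
<?php
// Added example: server-side assembly of the password-grant form parameters.
// PASSPORT_CLIENT_ID / PASSPORT_CLIENT_SECRET are hypothetical variable names.

/**
 * Build the 'form_params' for POST /oauth/token from browser input.
 * Only username and password are taken from the browser; every other
 * value comes from server-side configuration.
 */
function buildTokenParams(array $browserInput, array $serverConfig): array
{
    foreach (['username', 'password'] as $field) {
        if (!isset($browserInput[$field])
            || !is_string($browserInput[$field])
            || $browserInput[$field] === '') {
            throw new InvalidArgumentException("Missing or invalid field: $field");
        }
    }

    // Anything else the browser sent (client_id, client_secret, grant_type,
    // scope) is dropped here: the server decides those values.
    return [
        'grant_type'    => 'password',
        'client_id'     => $serverConfig['client_id'],
        'client_secret' => $serverConfig['client_secret'],
        'username'      => $browserInput['username'],
        'password'      => $browserInput['password'],
        'scope'         => '',
    ];
}

// Constructed sample values, not real credentials.
$serverConfig = [
    'client_id'     => getenv('PASSPORT_CLIENT_ID') ?: 'client-id',
    'client_secret' => getenv('PASSPORT_CLIENT_SECRET') ?: 'client-secret',
];
$browserInput = [
    'username'      => 'user@example.test',
    'password'      => 'my-password',
    'client_secret' => 'value-sent-by-browser', // ignored by the server
    'scope'         => '*',                      // ignored by the server
];

// $params is what the backend would pass as 'form_params' to /oauth/token.
$params = buildTokenParams($browserInput, $serverConfig);
echo json_encode($params, JSON_PRETTY_PRINT), PHP_EOL;
```

With this arrangement the secret never appears in the JavaScript bundle, but the backend endpoint that accepts the username and password is still reachable by anyone, so it needs the same rate limiting and lockout handling as any login form.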