Hi Guys,
At the company I work for we are currently working on bringing a web application we created for a client into the modern world, with the eventual goal of turning it into a commercial product. The project is currently an old-style PHP program which is basically an assortment of PHP files, pseudo models/services, and AJAX posts to PHP files.
We are looking to bring this project into the modern day and so have begun working on separating the frontend and backend into their own components, with the eventuality of the backend turning into a kind of MVC application which is a REST API (I know, it's buzzword galore).
The problem we are facing is that the current authentication system will not be secure enough to work with this new style of program, and so it needs an overhaul. We were thinking of going for OAuth2 with the Implicit Grant Type; however, this presents us with a problem: we don't want to use an Authorisation controller, as there will only be one application accessing the API, ours.
My question to the community is: has anybody else designed or worked on a similar system or problem, and how have you solved it? Is there a way to use the Implicit Grant Flow without using the Authorisation controller, and if not, what is a better way to deal with authentication in this style of application? We do not want to store any username/password information on the client side, for security purposes.
Thanks ever so much for your time.
Carwyn Nelson (Bacondrinker)
TL;DR: Basically, we are looking for a way to authenticate a client (JavaScript web interface) with a REST API securely, where the client is not trusted to store the user data locally. Is the OAuth2 Implicit Grant Type a good implementation, and can we use it without the Authorisation controller?