You should be putting the access_token in the HTTP header, not as a query string variable.

On Tuesday, June 9, 2015 at 5:55:39 AM UTC-7, Callum Hopkins wrote:
>
> Hey Sander,
>
> Thanks for the reply. So I have my app setup as described in that article 
> you shared under "Browser-based Apps 
> <https://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified#browser-based-apps>".
>  
> The problem is that any request to the API with a url like:
> https://domain.com/api/1.0/getData?access_token=123456789abc
> can be copied and executed on another website and/or through the 
> terminal. Is there any way I can pass the access token from angular through 
> the http/ajax request without a user being able to copy and paste the 
> url/access token from their browser's inspector?
>
> Thanks
>
>
> On Tuesday, 9 June 2015 13:18:04 UTC+1, Sander Elias wrote:
>>
>> Hi Callum,
>>
>> With OAuth2 you can authorize your angular client without putting the id 
>> and secret in the application. That's the main idea behind OAuth2. You 
>> authenticate your client and hand out a token to your web-app. On every 
>> request, you add the token, so your server knows it's an authorized user. 
>> This article 
>> <https://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified> might 
>> help you. To authenticate, you can leave your secret on the server; you 
>> don't need to transfer it to the web-app.
>> But if there is no need to put your REST inside a protected area, that is 
>> certainly the easiest way out. However, be aware that this might make your 
>> app vulnerable to scraping and other kinds of (ab)use you might not like.
>>
>> Regards
>> Sander
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"AngularJS" group.
Visit this group at http://groups.google.com/group/angular.
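An added example, not code from anyone in the thread, showing the advice in the top reply in working form: the client puts the OAuth2 bearer token in the Authorization header and refuses to put it in the query string, and the server reads the token only from that header (the RFC 6750 `Bearer` scheme) and rejects requests that carry `access_token` in the URL. The API base URL is taken from Callum's example; the function names `buildRequest` and `extractBearerToken`, the request object shape, and the `params` argument are assumptions for illustration. It runs under Node (the `URL` class is built in).

```javascript
// Added example (not from the thread). Assumed names: API_BASE, buildRequest,
// extractBearerToken. The request object {url, headers} is a stand-in for what an
// AngularJS $http interceptor sends and what a server framework hands a handler.

const API_BASE = "https://domain.com/api/1.0"; // base of the URL quoted in the thread

// Client side: attach the token as "Authorization: Bearer <token>". The URL only
// ever carries functional parameters; if a caller tries to smuggle access_token
// into the query string the function refuses, so the token cannot end up in
// browser history, Referer headers or server/proxy access logs by accident.
function buildRequest(path, token, params = {}) {
  const url = new URL(path, API_BASE + "/");
  for (const [name, value] of Object.entries(params)) {
    url.searchParams.set(name, String(value));
  }
  if (url.searchParams.has("access_token")) {
    throw new Error("refusing to place access_token in the query string");
  }
  return {
    method: "GET",
    url: url.toString(),
    headers: { Authorization: "Bearer " + token },
  };
}

// Server side: return the bearer token from the Authorization header, or null if
// the request is not acceptable. Header names are matched case-insensitively
// (Node lowercases them; other stacks may not). A token in the query string is
// rejected outright rather than silently accepted as a fallback, otherwise the
// URL-copying problem from the thread comes straight back.
function extractBearerToken(req) {
  const query = new URL(req.url).searchParams;
  if (query.has("access_token")) {
    return null;
  }
  const headers = Object.fromEntries(
    Object.entries(req.headers || {}).map(([k, v]) => [k.toLowerCase(), v])
  );
  const auth = headers["authorization"];
  if (typeof auth !== "string") {
    return null;
  }
  // RFC 6750 §2.1: "Bearer" followed by b64token characters, optional '=' padding.
  const m = /^Bearer\s+([A-Za-z0-9\-._~+\/]+=*)$/.exec(auth.trim());
  return m ? m[1] : null;
}

// Stand-alone demonstration with the constructed token from the thread.
const demo = buildRequest("getData", "123456789abc", { id: 42 });
console.log(demo.url);                                    // no token in the URL
console.log(extractBearerToken(demo));                    // "123456789abc"
console.log(extractBearerToken({
  url: API_BASE + "/getData?access_token=123456789abc",   // the URL from the thread
  headers: {},
}));                                                      // null: rejected
```

One caveat that the thread's question is really about: moving the token into a header does not hide it from the user of that browser. Anything the page's JavaScript can send, the browser's inspector can show, and a bearer token works for whoever presents it. What the header buys is keeping the token out of URLs (history, bookmarks, Referer, access logs) and out of casual copy-and-paste; short token lifetimes and server-side scoping are what limit the damage when one does leak.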