Yup, thanks, have started to implement your advice.

On Wednesday, 10 June 2015 17:38:33 UTC+1, Stuart wrote:
>
> You should be putting the access_token in the HTTP header, not as a query
> string variable
>
> On Tuesday, June 9, 2015 at 5:55:39 AM UTC-7, Callum Hopkins wrote:
>>
>> Hey Sander,
>>
>> Thanks for the reply. So I have my app set up as described in that article
>> you shared under "Browser-based Apps
>> <https://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified#browser-based-apps>".
>>
>> The problem is that any request to the API with a URL like:
>> https://domain.com/api/1.0/getData?access_token=123456789abc
>> can be copied and executed on another website and/or through
>> terminal. Is there any way I can pass the access token from Angular through
>> the http/ajax request without a user being able to copy and paste the
>> URL/access token from their browser's inspector?
>>
>> Thanks
>>
>>
>> On Tuesday, 9 June 2015 13:18:04 UTC+1, Sander Elias wrote:
>>>
>>> Hi Callum,
>>>
>>> With OAuth2 you can authorize your Angular client without putting the
>>> id and secret in the application. That's the main idea behind OAuth2. You
>>> authenticate your client, and hand out a token to your web-app. On every
>>> request, you add the token, so your server knows it's an authorized user.
>>> This article
>>> <https://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified>
>>> might help you. To authenticate, you can leave your secret on the server;
>>> you don't need to transfer it to the web-app.
>>> But if there is no need to put your REST inside a protected area, that
>>> is certainly the easiest way out. However, be aware that this might make
>>> your app vulnerable to scraping and other kinds of (ab)use you might not
>>> like.
>>>
>>> Regards
>>> Sander
>>>
>>
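An added example, not code from the thread or from any poster: a request interceptor in the shape AngularJS's `$http` expects, written as a plain factory so it runs without Angular, that moves `access_token` out of the URL and into an `Authorization: Bearer` header for the API origin only. `API_ORIGIN` comes from the example URL in the thread; `makeBearerInterceptor` and `getToken` are hypothetical names. The header keeps the token out of browser history, `Referer` headers and server access logs; the token is still visible in the inspector to the user it was issued to.

```javascript
// Added example, not code from the thread. Shaped like an AngularJS $http
// request interceptor, but a plain factory so it runs without Angular.
// API_ORIGIN is the origin of the thread's example URL; getToken is hypothetical.
const API_ORIGIN = 'https://domain.com';

function makeBearerInterceptor(getToken, apiOrigin) {
  return {
    request: function (config) {
      const url = new URL(config.url, apiOrigin);

      // Strip the token from the URL and from config.params so it never
      // reaches browser history, Referer headers or server access logs.
      url.searchParams.delete('access_token');
      const params = Object.assign({}, config.params);
      delete params.access_token;

      const headers = Object.assign({}, config.headers);
      const token = getToken();
      if (url.origin === apiOrigin && token) {
        // RFC 6750 section 2.1: bearer token in the Authorization header.
        headers.Authorization = 'Bearer ' + token;
      } else {
        // Policy of this sketch: requests to any other origin carry no
        // Authorization header, so a default header cannot leak the token.
        delete headers.Authorization;
      }

      return Object.assign({}, config, { url: url.href, params: params, headers: headers });
    }
  };
}

// Constructed sample requests (the token value is the one from the thread's URL).
const interceptor = makeBearerInterceptor(function () { return '123456789abc'; }, API_ORIGIN);
const apiRequest = interceptor.request({
  method: 'GET',
  url: 'https://domain.com/api/1.0/getData?access_token=123456789abc'
});
const foreignRequest = interceptor.request({
  method: 'GET',
  url: 'https://other.example/widget.json',
  headers: { Authorization: 'Bearer 123456789abc' }
});
```

In an AngularJS app the same object would be returned from a factory registered in `$httpProvider.interceptors`, with `getToken` reading the token from wherever the app stores it.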
