
What does the term "Backchannel Request" mean, and how do you make backchannel requests?


To be more specific:

I'm actually trying to integrate with Basecamp using their new Basecamp API, which supports OAuth 2.0, and thanks to their poor resources and documentation I'm stuck at #4 of this documentation, which says I have to make a backchannel request to get the access token (I have successfully completed steps 1-3, which means I have the verification code and state).

So if anyone has any idea about this beast, then please help me fight it ;)

I have used the jso OAuth 2.0 lib, which helped me complete steps 1-3, but this lib uses the implicit authentication grant and Basecamp uses the authorization code grant. So I guess I have to do some manual client-server dance, which is why I need to know what this backchannel request means and how to make one.


Solution

  • If you're developing a JavaScript client application, then you're using the wrong OAuth 2 scenario. The scenario used in the linked documentation is called "authorization code grant" and is meant for web applications deployed to a remote server. The backchannel is used to obtain the token in the background between the app and the auth server without involving the user, so the token is not exposed even to the user. Since embedded clients (JavaScript, mobile apps, etc.) do not have a nicely separated remote environment and are thus vulnerable anyway, there's a simplified "implicit grant" scenario which does not include this backchannel query. You should be using the implicit grant flow.

    Based on the documentation you've linked, Basecamp uses a very outdated OAuth2 draft, namely version 5; the specs were released after version 31. In that old version the first scenario is identified by "type=web_server" (changed to "response_type=code" in the specs), while you need "type=user_agent" (currently "response_type=token" in the specs) to use the implicit grant scenario. I don't know if Basecamp has proper documentation for this; the linked documentation says it's supported, but nothing else.