- I have a SPA application in JavaScript
- A web API service in .NET
- A token service in the same project (.NET)
Problem 1
The SPA application makes an AJAX request to the token endpoint using grant_type password. In return it gets back a token that is saved in localStorage and later used for authenticating to the web API.
1. Is this the correct approach for SPA authentication?
2. Is the password grant type the correct approach, or do I need to use some other flow to make it secure? In the OAuth documents it is written that it should not be used.
3. I am concerned about the security of the token as it can just be copied and pasted. How do I secure it?
Problem 2: Custom SSO with token service
Now I have another application using the same architecture, i.e. applications A and B both use the same architecture. I want to use the token service of application A to issue a token to application B in order to log into application B.
The token issued by A to application B can be decrypted and I can create a user identity from it. Now how can we log in to application B, as it also follows a token-based approach? So should I log in to application B by creating a new local access token, issued by B itself, using the information from the token issued by application A?
1. Is this the correct approach for SPA authentication? 2. Is the password grant type the correct approach, or do I need to use some other flow to make it secure? In the OAuth documents it is written that it should not be used.
Using the resource owner password credentials grant is fine when developing your own application but defeats the whole purpose of OAuth2 when using it with third-party client applications, as it's the only flow where the user password is directly exposed to the client application (which breaks the principle of least privilege).
You may consider using the authorization code or the implicit flow instead, but it's not necessarily "more secure" and is often considered overkill by people looking for a simple "token alternative" to password authentication.
3. I am concerned about the security of the token as it can just be copied and pasted. How do I secure it?
Since you're developing a JS app, bearer tokens are directly accessible by the user. There's nothing you can do about that (it's similar to the security level of cookies, that can be easily copied and moved to a different environment by the user himself).
To protect access/refresh tokens against remote attackers, all you can do is make sure your JS app is not impacted by an XSS breach, which would allow stealing them or making malicious API calls on behalf of the user.
So should I log in to application B by creating a new local access token, issued by B itself, using the information from the token issued by application A?
SSO won't really work with non-interactive flows like the resource owner password credentials grant, as the user is not logged in to the authorization server in this flow (i.e. no session cookie is created when making a grant_type=password request).
You should consider setting up a central authorization/authentication server supporting an interactive flow like the authorization code or the implicit flow to support this scenario.