

HelloJS – Client-side OAuth for JS - sidi
http://adodson.com/hello.js/

======
reubano
Hmm, I don't see any mention of security. I can't find the source, but I
remember reading that if you wanted to restrict access to certain pages on
your site to authenticated users in a single page app it was more secure to do
it server side. Security experts feel free to chime in.

~~~
laurent123456
Assuming OAuth uses random numbers (don't remember if it does), one issue
could be that the RNG of Javascript is not cryptographically secure. I'd be
interested to hear the opinion of a security expert too.

~~~
pluma
I don't see any reason why it would need random numbers for OAuth 2.0. Part of
the reasoning that went into the OAuth 2.0 spec is that not all applications
might have access to encryption, so encryption should only be used at the
protocol level (i.e. HTTPS).

As it requires an "OAuth proxy" for OAuth 1.0a and some implementations of
OAuth 2.0, it seems that it offloads the crypto (and secret API key) to that
proxy.

------
wyuenho
HelloJS is great. I've used it in my last project. It just works. It's well
tested, and well documented. There's very little option twiddling required. It
just worked seamlessly when I was trying to set up Twitter, Google, LinkedIn
and Facebook OAuth logins.

~~~
adodson
Nice endorsement

------
shaydoc
This is great, perfect for little consumer web apps. I am so happy about this,
because we (my dev buddies) have just had an idea for a little social game
that would be great if ported onto the web. I think I have just solved our
simplistic user auth needs by reading this article.

Thanks for sharing.

------
pluma
How does this get away with not using the client secret? I thought OAuth 2.0
always required a three-way handshake (client is sent to provider, provider
sends client back to service, service exchanges grant token with the
provider).

Does this mean in Facebook, Google etc the grant token and the access token
are identical?

------
1337badger
This is a terrible idea that is full of security holes! If you can call having
paper-thin pseudo security a hole.

~~~
bikamonki
Security holes such as? Please elaborate.

~~~
1337badger
From what I gather you are leaving the api_tokens for the services in local
memory. This means that the user or anyone else that can get their hands on
the token can act on the service provider's API masquerading as your
application.

~~~
heme
Is not a session cookie the same thing? I'd argue if your tokens only live in
memory they can be more secure. It also depends how long your tokens live or
how many requests they are good for. No?

~~~
1337badger
Usually the token kept in memory is one distributed by the application and is
not that which the services send back. This allows greater restriction on
actions and makes it far easier to revoke effectively.

~~~
heme
_Usually the token kept in memory is one distributed by the application and is
not that which the services send back._

What is _application_ in that sentence? The API?

Isn't that what this lib does?

_A client-side Javascript SDK for authenticating with OAuth2 web services and
querying their REST APIs._

- I assume the API issues the token
- This lib receives it and uses it for subsequent calls
- The token is destroyed when the browser session is closed.

~~~
1337badger
I am referring to the application you are writing

------
plingamp
Very interesting project! Can you explain what some of the differences are
between this library and PassportJS?

~~~
adodson
PassportJS = NodeJS authentication, designed for single sign-on.

HelloJS = Browser + Phonegap authentication and API request handling designed
to interact with third-party services from the client app.

~~~
technological
Firebase simple login does provide similar functionalities right ?

------
joeframbach
Could you explain why I should favor client-side auth over server-side auth,
especially if I want to do some action on behalf of the user, like generating
word-clouds of their posts, etc. And what makes helloJS different from
oauth.io, which has open-sourced their server?

~~~
hippich
Maybe if you change your view on what software should be doing, and where, it
might click together. For example, all real work happens on the client and the
client app offloads only storage of computed data to your servers via separate
authentication. This is a shift of paradigm back again to "desktopish apps",
but still quite viable in certain situations.

~~~
joeframbach
And if you want to offer a desktop app, a web-based app, and native iOS,
Android, Fire, and Tizen apps, then all that _client_ code is duplicated. And
good luck if you need to update them all.

------
adodson
Thanks for sharing my project HelloJS

~~~
drcode
Hi... thanks for writing this. As a newb on these sorts of issues, I have some
questions:

1. So this is 100% client side... Why do I see "npm" in the instructions?
Isn't that connected to nodejs? What if I'm writing a java web server app,
will this still work, or does it need to talk to a nodejs server somehow?

2. I take it none of this hits a third party server (i.e. your server)?

3. How do I get the user's info obtained via authentication (gmail address,
etc) to my server, in a way that is secure, if this is all client & browser
based?

~~~
dubcanada
1. NPM is just an easy way to install it, you can also use bower or just
download the source and minified packages.

2. I see no reason why it would.

3. It's all client based regardless of how you do it, it just adds cookies.
If you want to get the information server side just get it server side (PHP
example
[https://github.com/thephpleague/oauth2-client](https://github.com/thephpleague/oauth2-client))
there is no need to get it client side if you need it server side with a
server side library (thus why NPM is shown as node is server side).

------
tsmash
Once you're authenticated in a client web page, let's say you want to perform
data storage on your _own_ server using this authenticated user as validation.
How would your server validate the user's login is valid to accept user
actions?

~~~
adodson
Make a server-to-server call using the token to check its validity.

There's more comments on this subject here
[https://github.com/MrSwitch/hello.js/issues/22](https://github.com/MrSwitch/hello.js/issues/22)
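An added example (not HelloJS code and not from the thread) of the backend side of that answer: the browser hands the access token it obtained client-side to our own server, and the server asks the provider about it before trusting the login. The client id, token strings, the injected provider lookup and the response fields (`active`, `aud`, `sub`, `exp`) are constructed assumptions; map them to whatever your provider's tokeninfo or introspection endpoint actually returns.

```javascript
// Added example, not HelloJS code: server-side check of a client-obtained
// access token before our backend accepts the request as authenticated.
const OUR_CLIENT_ID = "our-app-client-id"; // constructed placeholder

// Pure decision logic over the provider's answer. Field names are assumed
// (active, aud, sub, exp in seconds); `now` is in milliseconds.
function checkTokenInfo(info, now = Date.now()) {
  if (!info || info.active !== true) return { ok: false, reason: "inactive" };
  // A token that is valid but was issued to a different app must be rejected:
  // otherwise any site the user logged into could log them into ours.
  if (info.aud !== OUR_CLIENT_ID) return { ok: false, reason: "wrong audience" };
  if (typeof info.exp !== "number" || info.exp * 1000 <= now) {
    return { ok: false, reason: "expired" };
  }
  if (typeof info.sub !== "string" || info.sub === "") {
    return { ok: false, reason: "no subject" };
  }
  return { ok: true, userId: info.sub }; // identity comes from the provider
}

// Server-to-server lookup. `fetchTokenInfo(token)` would call the provider's
// tokeninfo/introspection endpoint over HTTPS; it is injected so the logic
// runs offline against the fake provider below.
async function validateAccessToken(token, fetchTokenInfo) {
  if (typeof token !== "string" || !/^[\w.~+/=-]{16,512}$/.test(token)) {
    return { ok: false, reason: "malformed token" };
  }
  let info;
  try {
    info = await fetchTokenInfo(token);
  } catch (err) {
    return { ok: false, reason: "provider unreachable" }; // fail closed
  }
  return checkTokenInfo(info);
}

// Constructed fake provider responses for the offline demo.
const FAKE_PROVIDER = {
  "tok-good-0123456789abcdef": { active: true, aud: OUR_CLIENT_ID,
    sub: "user-42", exp: Math.floor(Date.now() / 1000) + 3600 },
  "tok-other-app-0123456789": { active: true, aud: "some-other-app",
    sub: "user-42", exp: Math.floor(Date.now() / 1000) + 3600 },
};
function fakeFetchTokenInfo(token) {
  return Promise.resolve(FAKE_PROVIDER[token] || { active: false });
}
```

Only the `userId` returned by this check should be used to key server-side data; anything the browser claims about the user alongside the token is untrusted.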

------
bzelip
I really like adodson's web game. Check out
[http://adodson.com/#escape](http://adodson.com/#escape) for browser MineField
& Flood It.

------
knackers
Looks great. It's such a pain to write separate authentication / profile
retrieval logic for each service.

------
ishi
This looks pretty awesome. Could it be used for importing email contacts from
gmail/yahoo/live etc.?

~~~
adodson
@ishi take a look at this example
[http://adodson.com/hello.js/demos/friends.html](http://adodson.com/hello.js/demos/friends.html)

------
j-rom
This looks amazing. Are you planning on adding any other services?

~~~
adodson
Yes, but it's a pretty arduous task digesting and implementing API docs. That
pain was the impetus to standardize them into the HelloJS library.

------
blueskin_
Client-side authentication. In javascript.

What could possibly go wrong? ;)

------
sleepychu
Oh my god the kerning on that font.

~~~
adodson
Point and space taken. Now it is readable - and I rather dread the
consequences.

