"it depends" :) Apigee had a good article on this recently: http://blog.apigee.com/detail/api_authentication_and_how_it_got_that_way_from_http_basic_to_oauth_2.0/
Richard

On Monday, September 17, 2012 11:27:01 PM UTC+1, Dan Milon wrote:
>
> Hello Community,
>
> Sorry for going off topic, but I'm sure there are people here who could help me. Although most of the stuff described below is built in node, my question is more of an architectural one.
>
> I'm developing a public HTTP backend API for a service. On top of that, there is a web app that has users log in, and should use the backend API to fulfill user requests. The API supports OAuth2, and the web app is a single page app, with loads of javascript.
>
> My concern is how the browser and the web app should talk with the API. I found two possible ways.
>
> ## Browser directly uses the API
>
> When the user enters his credentials to log in, the web app passes them to the API and is given an OAuth access_token, which is directly passed to the browser and stored in some cookie. Then every request to the API is made directly from the browser through JSONP. When the user logs out, the web app destroys the session.
>
> ## Browser talks to web app, which talks to the API
>
> When the user enters his credentials to log in, the web app passes them to the API and is given an OAuth access_token. A session is created with the User and the access_token is stored in the session. When the browser needs to talk to the API, it goes through the web app. The web app uses the access token in the session, calls the API, and delivers the response to the browser.
>
> Both ways have pros and cons with performance and security trade-offs. What do you think?
>
> Thanks a lot,
> danmilon.
>
> PS: from what I've seen, twitter uses its public API directly from the browser, but passes session cookies for authentication. That means their API also supports cookie sessions?
