Authentication method

topoos implements the OAuth 2.0 protocol as its authentication method, covering user authentication, user authorization and app authorization.

To secure this process in any architecture an application is deployed in, topoos provides several communication flows, which are described in the user login guide.

The app security implications of using each flow are described below.

In all cases, the recommended option at any level is to use the Server-Side flow with a temporary Access Token. A temporary token is always the safest way to access the platform: if a malicious application or user obtains the token, it has only a limited time in which to misuse it.

The Server-Side flow allows the app to generate a new valid access token without user intervention, which is convenient for both user and developer, since a valid token is available whenever it is needed.

This is achieved thanks to your own secured web server, where you must develop and deploy this authentication step, because a secured web server is capable of storing your app credentials.

The drawback is precisely that you need a web app or web service to enable this communication flow. If you do not have one, or if the app is a native mobile app, you will need to use the Client-Side flow.

The Client-Side flow is the authentication method for an application running in an unsecured environment, such as a JavaScript application or a mobile application, where users download all the code the device runs and could therefore inspect the application code.

When using the Client-Side flow it is also recommended to use a temporary access token, for the same reason as in the Server-Side flow.

Unfortunately, because we cannot trust the device as a safe environment, we cannot store the secret information (such as the CLIENT_SECRET or the Refresh Token) needed to refresh the access token when it expires, so the user will have to interact with the app to obtain a new valid token whenever the temporary Access Token expires.

If the application, for some reason, cannot tolerate the token expiring, you must use a non-expiring Token (requesting the necessary scope in the authorization process), but this method is not recommended because of the security issues involved in storing an Access Token in an unsafe environment, and it should be avoided whenever possible.
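The Server-Side refresh step described above (renewing a temporary Access Token without user intervention, with the CLIENT_SECRET and Refresh Token kept only on your own server and never sent to the browser or mobile app), as an added Python example that is not topoos' own code or SDK. The token endpoint URL is a placeholder, and the refresh_token grant parameters are assumed to follow standard OAuth 2.0.

```python
import json
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass

# Placeholder: the real topoos token endpoint is not given on this page.
TOKEN_URL = "https://TOKEN_ENDPOINT_PLACEHOLDER/oauth/token"
REFRESH_MARGIN = 60  # seconds; renew shortly before expiry, not at it

@dataclass
class Token:
    access_token: str   # short-lived; the only part handed to the client side
    refresh_token: str  # long-lived secret; never leaves the server
    expires_at: float   # unix timestamp

    def needs_refresh(self, now):
        return now >= self.expires_at - REFRESH_MARGIN

def post_refresh(client_id, client_secret, refresh_token):
    # Standard OAuth 2.0 refresh_token grant (RFC 6749 section 6), assumed to match
    # topoos. CLIENT_SECRET travels only server -> platform, never to a device.
    body = urllib.parse.urlencode({
        "grant_type": "refresh_token", "refresh_token": refresh_token,
        "client_id": client_id, "client_secret": client_secret,
    }).encode()
    with urllib.request.urlopen(TOKEN_URL, data=body, timeout=10) as resp:
        return json.load(resp)

class ServerSideTokenManager:
    def __init__(self, token, client_id, client_secret, refresh_call=post_refresh):
        self._token = token
        self._client_id = client_id
        self._client_secret = client_secret
        self._refresh_call = refresh_call  # injectable, so it can run offline
        self.refresh_count = 0

    def get_access_token(self, now=None):
        # Return a valid access token, renewing it without user interaction.
        now = time.time() if now is None else now
        if self._token.needs_refresh(now):
            data = self._refresh_call(self._client_id, self._client_secret,
                                      self._token.refresh_token)
            self._token = Token(
                access_token=data["access_token"],
                # keep the old refresh token unless the platform rotated it
                refresh_token=data.get("refresh_token", self._token.refresh_token),
                expires_at=now + float(data["expires_in"]),
            )
            self.refresh_count += 1
        return self._token.access_token
```

Only the value returned by get_access_token should ever be passed to the client side; the manager instance, with its secret and refresh token, stays on the server.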

About enabling or disabling Client-Side flow

If your app uses the Client-Side flow, it is recommended to pre-configure your own Authentication Redirect URI domain in the app configuration in the Developers Panel. If you do not have your own web app or web service hosted as described above, you must use OAUTH_DUMMY_PAGE, but this is not recommended because any app that obtains your CLIENT_ID could impersonate your app.

If your app does not use the Client-Side flow, it is recommended to disable the IMPLICIT FLOW in the Developers Panel (in the app's Advanced Configuration) to prevent this impersonation.