I’m exploring whether it’s reliable to use external events to return data and wanted to get your thoughts.
My case:
I need to pass the OAuth token to a modal for authentication purposes. Unfortunately, I can’t directly fetch the OAuth token in the code, as it’s only available for use in requests.
To work around this, I considered using middleware to extract the token from the header and pass it back to the app, embedding it in the modal. I tested this approach by utilizing an external app to retrieve the token from the header and return it via the RenderData method.
My question:
Is this approach reliable, or are there better alternatives I should consider?
The OAuth access token is supposed to be used in the request headers. So, our platform allows only using it part of the Request Method headers and it’s not available anywhere else.
If the token is sent to an external application through request header and returned to the app to access as a plain text, it will breach the security that OAuth provides for the authentication and authorisation.
Since you meant to use it in the frontend app, the return OAuth access token will be visible to agent as a plain text in the browser developer tools and it’s the key to the third-party application being integrated with OAuth. If the key is not of the particular agent and they have access to it, it’ll not provide the intended security of our platform and the respective third-party application.
So, please consider if there are any other authentication mechanism available to implement the same modal.
OAuth on our platform provides agent-based auth. But, again, the access token can only be used in the Request method headers. Not in a modal in the frontend app.
Thank you for the reply. Yeah, I get the security concern.
Yet, is there a way to return the data via the external event?
When I use the returnData method inside the external the JSON I passed inside the returnData is not returned as a response to the calling function.
Since it works as expected in the local environment, I wanted to check is this the intended behavior?