We are trying to retrieve data from our internally hosted services to display using a Freshdesk app.
In order to do this we must make two calls, one to authenticate with our API gateway(Kong) and a second to use the retrieved token to get our data.
I would like to use the Oauth method to make this more secure as currently the access token used for the second call can plainly be seen in the network request.
The issue is, the Oauth method works using an authorization flow, requiring a /authorize endpoint, however our systems use a client credentials flow which does not use a /authorize endpoint, but rather only use a /token endpoint.
Is it possible to use the Oauth method with a client credentials flow or is there another way to make sure that the access token cannot be seen when sending the second request?
Your request is for a 2-legged authorization. It is not supported on our platform. So, it cannot be used with the OAuth configuration of the app.
However, it can be custom implemented yourself in the app with the Custom Installation Page in our platform and storing the token as an Installation Parameter of the app. This installation parameter can be made secret and it will not be visible in the frontend app. But, it can be used in the Request Method to make HTTP requests.
The only constraint with this workaround would be, the token should not require a refresh. Installation Parameters can only be changed by the Freshdesk account admins and they may not aware of token expiration.
@StevenO If you were able to make it work with OAuth on our platform and Request method in the frontend, the token will be visible in the request header as we assume all the OAuth requests are 3-legged OAuth where the token is unique to each user and only for a short time.
If it’s okay from your end to do the authentication by the Freshdesk admin while installing the app and use the same token for all the Freshdesk agents use, there’s a way to do it with OAuth.
In the OAuth configuration, change the token_type to account.
Move the request method to the Serverless component and call this Serverless method from the frontend using the Serverless Method Invocation feature.
In this method, the request will happen from the Serverless function. Thus, the request is not visible in the frontend and no information can be accessed in the frontend apart from the intentional response from the Serverless method.
Validate this workaround and confirm if it work for your requirement.