What does the term "Backchannel Request" mean and how to make backchannel requests

To be more specific:

I'm actually trying to integrate with Basecamp using their new Basecamp API which supports OAuth 2.0, and thanks to their poor resources & documentation I'm stuck at #4 of this documentation which says I have to make a backchannel request to get the access token (I have successfully completed steps 1-3, which means I have the verification code and state).

So if anyone has any idea about this beast then please help me fight this ;)

I have used the jso OAuth 2.0 lib which helped me complete steps 1-3, but this lib uses the implicit authentication grant and Basecamp uses the authorization code grant. So I guess I have to do some manual client-server dance, which is why I need to know what this Back Channel request means and how to make one.



Solution 1:[1]

If you're developing a JavaScript client application then you're using the wrong OAuth 2 scenario. The scenario used in the linked documentation is called "authorization code grant" and is meant for web applications deployed to a remote server. The backchannel is used to obtain the token in the background between the app and the auth server without involving the user, so the token is not exposed even to the user. As embedded clients (JavaScript, mobile apps, etc.) do not have a nicely separated remote environment and are thus vulnerable anyway, there's a simplified "implicit grant" scenario which does not include this backchannel query. You should be using the implicit grant flow.

Based on the documentation you've linked, Basecamp uses a very outdated OAuth2 draft, namely version 5; the specs were released after version 31. In that old version the first scenario is identified by "type=web_server" (changed to "response_type=code" in the specs), while you need "type=user_agent" (currently "response_type=token" in the specs) to use the implicit grant scenario. I don't know if Basecamp has proper documentation for this; the linked documentation says it's supported, but nothing else.

Solution 2:[2]

What Is a Back Channel?

Simply, a back channel is an outbound connection to a server on the Internet, automatically established by client software running on a PC behind your firewall. It can also be as innocuous as some small bit of information ("cookies") left on a client desktop in an easily accessible location. The purposes of back channel connections and information gathering cookies are numerous, and can be classified as Useful, Questionable, and Evil.

Solution 3:[3]

Ignore "backchannel". It's just a POST request.

In step three, you get your temporary verification code. In step 4, send a POST request with the temporary verification code which gets exchanged for a semi-permanent auth token.

This is the OAuth2 library I use to work with Basecamp. The relevant step 4, the "backchannel request", takes place in the getOAuthAccessToken function: https://github.com/ciaranj/node-oauth/blob/master/lib/oauth2.js#L153

Solution 4:[4]

Front Channel is the Browser (User Agent). The Back Channel is the Authorization Server, e.g. a server running Linux. The Front Channel is less secure. The Back Channel is much more secure. Because of this configuration, the communication could be subject to CSRF.

To circumvent any nefarious intent, multiple connections are made. The first is where the Authorization Server sends back a Code, in the event that the Grant Type is specified as "Code" by the client. The client can also use a State parameter in the query string. The Code doesn't actually give permissions; it states what permissions the client will have.

Then the Client makes a request to exchange the Code for an Access Token, which grants access to the resources.

The idea behind these multiple requests is an acknowledgment that the browser (the front channel) can be insecure.

Solution 5:[5]

  • BackChannel: Secure way, client to server HTTPS connection, data encrypted in traffic, authorization, and non-repudiation. Compare to hand delivery of a package, where you yourself take the package and deliver it directly to the destination.

  • Backchannel implies a client to server HTTPS connection no matter from where. The important thing is to use an encrypted connection and certificate validation, but also it is using both HTTP

  • Front Channel: No direct link between the sender and recipient. Mostly comparable to when you trust a delivery service to deliver your package.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Zólyomi István
Solution 2
Solution 3 Grimtech
Solution 4 Daniel Viglione
Solution 5 MasterOfTheHouse