'Why do we need to use the front-channel for an OAuth authorization request?

I've been struggling with this and would love to see if any OAuth experts here have an answer.

For context, I'm trying to integrate OAuth into an existing first-party (internal) front-end client that lives on a subdomain. It's a single-page application. I have an authorization server that has an /oauth2/authorize and oauth2/token endpoint and I'm working with the OAuth 2 with PKCE authorization flow.

In all the examples I've seen externally, it seems like the recommendation is to make a top-level redirect to the authorization URL initial login . And for silently re-authenticating a user (if they were already logged in), using an invisible iFrame set to the authorization URL (and postMessaging the code back to the parent window).

I'm trying to understand what prevents me from making a front-channel request to my /authorize endpoint via Javascript. Something simple like...

const { state, code } = await fetch(authorizationUrl)

For the login case, I can handle a 403 error back from the AS and then redirect them to login from the client-side. For the re-authenticating case (i.e. client has an expired refresh token but is still logged in), this is great because I just get a 200 response and the code back directly in the JSON body and I can use it immediately. There is no top-level redirect, no hassle of saving app state, etc.

It seems like as long as the AS is willing to return the { state, code } via JSON, this should work. This means that

  1. The AS authorize endpoint must be configured to allow CORS on select origins. This seems okay in a first-party context since I know which origins I should allow.
  2. The AS must be sent client credentials (session cookies) with the request (otherwise the AS would have no idea how to determine if the user is logged in). In JS, this would be as simple as adding credentials: true. As long as the cookie credentials have Same-Site: None and the cookie is part of the same domain (cross-domain would not work since some browsers disable cross-site cookie sharing nowadays!)

I feel like I'm missing something crucial here. But at the same time, my prototype is working, so I'd love to get some input from experienced folks here.

authenticationoauth-2.0oauthauthorizationsingle-page-application


Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source

Related Questions

enable Apache http Authorization header

Blazor @attribute [Authorize] tag is not working

Prevent database access outside the application

Authorisation in microservices - how to approach domain object or entity level access control using ACL?

Authorization in ASP.NET Core. Always 401 Unauthorized for [Authorize] attribute

Sonarqube authorization - how to authorize with sonar-maven-plugin when sonar.forceAuthentication is enabled

How to set token in authorization header in flutter Dio post request

Subscription-scope authorization for Azure Resource Manager API user

Does an OAuth Consumer validate a bearer token with the OAuth provider on each request

Https twice on my redirect_uri shopify when trying to authorize my application

Is there a way to Redirect in AuthorizationHandler in .Net 5?

Set default header for every fetch() request

ahrefs.com authorization using python requests

nestjs return undefined in Public Guards

ASP.NET 5 Authorize against two or more policies (OR-combined policy)