I am investigating adopting OAuth2 and the Ory stack in our system. I have recently learned through this article about a method to secure SPAs authenticated via OAuth2 such that the SPA has no visibility into the access/refresh tokens thanks to a backend proxy. This proxy is responsible for converting opaque secure session cookies on the incoming request into OAuth2 access tokens. As far as I can see, the Ory id_token mutator makes it possible to turn an existing cookie into an OIDC token, but it seems like it is not capable of issuing these cookies based on an Authenticator's response. Is that accurate? Does Ory offer any tooling that would assist in accomplishing the root goal here: facilitating OAuth2 with SPAs without exposing the access token to the SPA, either via cookies or JS?
Replies: 1 comment
I think Ory Kratos would be the project that handles this? I am not sure, but from the article you posted it seems exactly what Ory Kratos does: exchange the OIDC token for a session cookie that is issued to the SPA. If you are just looking at first-party scenarios, are you sure you need OAuth2?
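The pattern discussed in both the question (a proxy that swaps an opaque session cookie for a Bearer token on the way upstream) and the reply (exchanging the OIDC login result for a session cookie issued to the SPA) is usually called a backend-for-frontend or token handler. The following Go program is an added illustration written for this thread; it is not Ory code and does not use Oathkeeper or Kratos APIs. It assumes the OIDC callback has already completed and that a hypothetical `SessionStore` holds the resulting tokens server-side; the token values, cookie name and upstream URL are constructed for the demo.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"sync"
	"time"
)

// tokens is what the browser must never see: the OAuth2 tokens from the callback.
type tokens struct {
	AccessToken  string
	RefreshToken string
	Expiry       time.Time
}

// SessionStore maps opaque session IDs to tokens. It lives only on the backend;
// an in-memory map stands in for Redis or a database in this example.
type SessionStore struct {
	mu   sync.Mutex
	data map[string]tokens
}

func NewSessionStore() *SessionStore { return &SessionStore{data: map[string]tokens{}} }

// Issue is the "exchange" step the reply describes: keep the tokens server-side
// and hand out only a random, meaningless handle.
func (s *SessionStore) Issue(t tokens) (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	id := base64.RawURLEncoding.EncodeToString(b)
	s.mu.Lock()
	s.data[id] = t
	s.mu.Unlock()
	return id, nil
}

// Lookup returns the tokens for a handle, treating expired sessions as absent.
func (s *SessionStore) Lookup(id string) (tokens, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	t, ok := s.data[id]
	if !ok || time.Now().After(t.Expiry) {
		return tokens{}, false
	}
	return t, true
}

const cookieName = "bff_session" // constructed name for the demo

// SessionCookie is the only artifact the SPA receives: HttpOnly keeps it out of
// JS, Secure keeps it off plaintext HTTP, SameSite=Strict keeps it off cross-site requests.
func SessionCookie(id string, ttl time.Duration) *http.Cookie {
	return &http.Cookie{Name: cookieName, Value: id, Path: "/", HttpOnly: true,
		Secure: true, SameSite: http.SameSiteStrictMode, Expires: time.Now().Add(ttl)}
}

// NewProxy is the step the question describes: translate the session cookie into a
// Bearer token on the upstream request. The token is never written to a response.
func NewProxy(store *SessionStore, upstream *url.URL) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(upstream)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie(cookieName)
		if err != nil {
			http.Error(w, "no session", http.StatusUnauthorized)
			return
		}
		t, ok := store.Lookup(c.Value)
		if !ok {
			http.Error(w, "session expired", http.StatusUnauthorized)
			return
		}
		// Only the proxy decides the Authorization header; client-supplied values are overwritten.
		r.Header.Set("Authorization", "Bearer "+t.AccessToken)
		r.Header.Del("Cookie") // the resource server has no use for the browser session
		rp.ServeHTTP(w, r)
	})
}

// Demo wires a fake resource server behind the proxy and reports the Authorization
// header it received for a cookie-bearing request, plus the status a cookieless request got.
func Demo() (string, int, error) {
	var seen string
	upstream := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen = r.Header.Get("Authorization")
		fmt.Fprint(w, "ok")
	}))
	defer upstream.Close()
	u, _ := url.Parse(upstream.URL)

	store := NewSessionStore()
	// Constructed values standing in for what a real OIDC callback would store.
	id, err := store.Issue(tokens{AccessToken: "access-abc123", RefreshToken: "refresh-xyz",
		Expiry: time.Now().Add(time.Hour)})
	if err != nil {
		return "", 0, err
	}
	proxy := NewProxy(store, u)

	req := httptest.NewRequest("GET", "/api/me", nil)
	req.AddCookie(SessionCookie(id, time.Hour))
	rec := httptest.NewRecorder()
	proxy.ServeHTTP(rec, req)
	if rec.Code != http.StatusOK {
		return "", 0, fmt.Errorf("proxy returned %d", rec.Code)
	}

	rec2 := httptest.NewRecorder()
	proxy.ServeHTTP(rec2, httptest.NewRequest("GET", "/api/me", nil))
	return seen, rec2.Code, nil
}

func main() {
	seen, status, err := Demo()
	fmt.Println(seen, status, err) // upstream saw "Bearer access-abc123"; cookieless request got 401
}
```

The point of the layout is that the access token only ever travels backend-to-resource-server; the SPA holds a random handle that is useless outside this backend and is unreadable from script. Whether the proxy is this handwritten handler, Oathkeeper, or Kratos does not change that division of knowledge.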