Hi All,
I need to expose a public API that has a user context, and it therefore has the Implicit and Auth_Code grant types implemented in the API.
As per OAuth security recommendations, Single Page Apps should use the Implicit grant type while Native/web apps can use Auth Code.
My question is: how can I ensure that developers who are developing a single page app use the Implicit grant type, whereas other developers use the Auth Code grant type?
Regards,
Vivek
Hi @vivek yadav,
I would recommend creating a single endpoint to support both grant types. It is really up to the app developers to choose the convenient grant type. Also, I think you meant APIs being called from a browser or mobile app type user-agent, or being called from a backend. You can try to verify the user-agent header parameter value, as it will change based on the calling user agent, but it will introduce some complexity in your proxy.