Google Oauth2 flow in frontend - api call in backend


I have a frontend application (currently Retool, in future React) where I want to have the OAuth2 flow.

The API request I want to do in the backend. What's the best practice for this use case?

The Google client in Python needs a credentials object, which can be instantiated e.g. like this:

from google.oauth2.credentials import Credentials

credentials = Credentials(
    token=token,
    refresh_token=refresh_token,
    token_uri="https://www.googleapis.com/oauth2/v3/token",
    client_id=client_id,
    client_secret=client_secret,
)

Is it good practice to send token and refresh_token from frontend to backend in order to do the subsequent API calls in backend?


Will Phi

In theory, no. However, the core of the question "can I store my credentials here and send them there" lies in whether "here" is a public client or a confidential one.

Security experts would tell you "never trust the internet", so programs downloaded from the internet are always public clients. But if your frontend is well protected inside your internal network (usually your company) and downloaded to your browser using a secure protocol (namely HTTPS), or can even only be accessed from within the internal network, it is not "the internet".

That being said, the best practice is still to store credentials on a backend. The BFF (Backend For Frontend) pattern could be leveraged to achieve this, see:

https://curity.io/resources/learn/the-token-handler-pattern/

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps#name-backend-for-frontend-bff-pr

https://datatracker.ietf.org/doc/html/draft-bertocci-oauth2-tmi-bff-01
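A sketch of the token handler / BFF pattern the answer points to, as an added example that is not part of the original post or of the linked drafts: the browser only ever holds an opaque HttpOnly session cookie, while the code exchange, the stored tokens and the refresh happen on the backend. The `exchange` and `refresh` callables stand in for calls to Google's token endpoint so the example runs offline; the session TTL and cookie name are assumptions.

```python
"""BFF-style token handler (constructed example, not the asker's or answerer's code)."""
import secrets
import time
from dataclasses import dataclass


@dataclass
class StoredTokens:
    access_token: str
    refresh_token: str
    expires_at: float  # epoch seconds


class TokenHandler:
    """Keeps OAuth tokens server-side, keyed by an opaque session id."""

    def __init__(self, exchange, refresh, skew=60):
        self._exchange = exchange   # code -> (access, refresh, expires_in); calls the token endpoint in production
        self._refresh = refresh     # refresh_token -> (access, expires_in)
        self._pending = {}          # state -> session id, consumed exactly once
        self._sessions = {}         # session id -> StoredTokens
        self._skew = skew           # refresh this many seconds before expiry

    def begin_login(self):
        """Create a session and a one-time `state` value to bind the callback to it."""
        sid, state = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._pending[state] = sid
        return sid, state

    def finish_login(self, state, code):
        """Callback handler: reject unknown or replayed state, then exchange the code server-side."""
        sid = self._pending.pop(state, None)
        if sid is None:
            raise ValueError("unknown or replayed state")
        access, refresh, expires_in = self._exchange(code)
        self._sessions[sid] = StoredTokens(access, refresh, time.time() + expires_in)
        return sid

    def access_token_for(self, sid):
        """Return a usable access token for this session, refreshing it if it is about to expire."""
        tok = self._sessions.get(sid)
        if tok is None:
            raise KeyError("no session for this cookie")
        if tok.expires_at <= time.time() + self._skew:
            tok.access_token, expires_in = self._refresh(tok.refresh_token)
            tok.expires_at = time.time() + expires_in
        return tok.access_token  # only ever used by backend API calls, never sent to the browser

    @staticmethod
    def cookie_header(sid):
        """Set-Cookie value for the opaque session id; the cookie name is an assumption."""
        return f"bff_session={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"
```

The stored `access_token`/`refresh_token` are what the backend would feed into the `Credentials(...)` call from the question, so the frontend never has to send them.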