I write a rest api with yii2 and i am using oAuth2 , the problem is when user want login , client web application should send request to get token , request should contain client_id and secret_key and username and password in this case user can simply inspect element and click to network and see posted parameter to the server this means user can see client_id and secret_key. client_id and secret_key are signature for each application and server can find out witch application use api. how to handle this security issue?
1
There are 1 best solutions below
Related Questions in OAUTH-2.0
- Not getting refresh token with google oauth2
- SoundCloud Authentication Consistently Returns 401 invalid_grant For Some Users
- How can I share Azure Active Directory authentication between server side and client script?
- OAuth2 and API Json request not working with jQuery Call
- Flask-Restful, oauth, and Salesforce
- Bearer token in MVC controller to access Web API
- Revoking OAuth tokens in Mule
- how to signup user using google-plus integradation in web?
- Need to run getAuthToken twice before receiving access token, why?
- chrome.identity.getAuthToken and refresh token?
- dropbox api authentication (Error: [400] 'invalid_client')
- Retrieve Google Sites's Domain Index feed using OAuth 2.0 with Service Account
- hello.js: Is it possible to set the provider's settings dynamically?
- How to share developer account at LinkedIn
- Linkedin Unsupported POST target
Related Questions in OAUTH2CLIENT
- hello.js: Is it possible to set the provider's settings dynamically?
- How to authorize a Python Google API client service given an OAuth2 access_token?
- Python 2.7.11 httplib2 throws CERTIFICATE_VERIFY_FAILED for the wrong certificate for SSL SNI website
- Access google analytics data with Django
- EOF error with Google oauth2client (Python, google-app-engine)
- User Registration & Login | SSO using Spring Security OAuth 2.0
- OAUTH2: Storage('filename.data') doesn't create file (gspread, python)
- Offline refresh token using Google APIs
- Gmail auth token expires within an hour
- Please confirm: SignedJwtAssertionCredentials only works with SpreadsheetsClient, not SpreadsheetsService?
- Django 1.7 google oauth2 token validation failure
- How to set access grant for oauth2_client?
- Current Google Login Authorized redirect URIs how to fill exactly correct
- Implement OIDC authorization code grant flow for AngularJS SPA
- SOLVED: Keycloak + Spring Security OIDC Backchannel Logout: Unable to Trigger Redirect UI to Keycloak Login After SSO Session Max/ Idle
Related Questions in YII2-API
- Custom action in Action with id in Rest ActiveController Yii2
- How to return data in descending order in YII2 ActiveController?
- Yii2 RESTful: Content Negotiation languages not work
- How to serve index.php from different directory through .htaccess?
- Fetch users data with related clients data in Yiii2 api
- Yii2 Api - Using Oauth to authenticate user and website?
- Override response of Rest authentication(HttpBearerAuth) in yii2
- Unable to pass post variables in http request from Electron to Yii API
- What is the best approach to implement multi language app using angular and yii2
- Yii2 : Rest API return xml instead of json
- Yii2-Api: How to pass Token for the HttpBearer Filter
- Yii2 - API Rest - ActiveDataProvider
- yii2 rest - using PUT to update data
- Creating migration history table "migration" Syntex error
- Get all attributes of extraFields in Yii2
Trending Questions
- UIImageView Frame Doesn't Reflect Constraints
- Is it possible to use adb commands to click on a view by finding its ID?
- How to create a new web character symbol recognizable by html/javascript?
- Why isn't my CSS3 animation smooth in Google Chrome (but very smooth on other browsers)?
- Heap Gives Page Fault
- Connect ffmpeg to Visual Studio 2008
- Both Object- and ValueAnimator jumps when Duration is set above API LvL 24
- How to avoid default initialization of objects in std::vector?
- second argument of the command line arguments in a format other than char** argv or char* argv[]
- How to improve efficiency of algorithm which generates next lexicographic permutation?
- Navigating to the another actvity app getting crash in android
- How to read the particular message format in android and store in sqlite database?
- Resetting inventory status after order is cancelled
- Efficiently compute powers of X in SSE/AVX
- Insert into an external database using ajax and php : POST 500 (Internal Server Error)
Popular Questions
- How do I undo the most recent local commits in Git?
- How can I remove a specific item from an array in JavaScript?
- How do I delete a Git branch locally and remotely?
- Find all files containing a specific text (string) on Linux?
- How do I revert a Git repository to a previous commit?
- How do I create an HTML button that acts like a link?
- How do I check out a remote Git branch?
- How do I force "git pull" to overwrite local files?
- How do I list all files of a directory?
- How to check whether a string contains a substring in JavaScript?
- How do I redirect to another webpage?
- How can I iterate over rows in a Pandas DataFrame?
- How do I convert a String to an int in Java?
- Does Python have a string 'contains' substring method?
- How do I check if a string contains a specific word?
It seems you have missed out one key element of OAuth 2.0, client type.
OAuth 2.0 defines two types of clients, public clients and confidentiatl clients.
2.1. Client Types
confidential
public
In your case, you seems to have a public client (user agent based application in broswer as it seems). In such case, you should set your client type to a public client. If this is not the case, you are not utilizing a proper back channel call from your web application.
Additionally, public clients which use authorization code flow can use PKCE to avoid authorization code theft attacks. Related RFC can be found from RFC7636