Application-only OAuth for SPAs


#1

Hello - How do we accomplish Application-only for Single Page Applications? Per the article on this, the id/secret/token are all considered ‘passwords’ that should be secured. In that regard, plugging them into a Single Page Application would expose them through the browser JavaScript. Is there a best practice on this? Is it “okay” to put the id/secret into an SPA? How would this be accomplished otherwise?

Thanks in advance.

https://dev.twitter.com/oauth/application-only


#2

This is generally handled by having a server you manage that holds the secrets. Your SPA makes requests to your server which then makes the requests to the Twitter API and returns the results to your SPA.
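An added example of the server-side layer the reply above describes (this is illustration code, not code from the thread or from Twitter). The consumer key, consumer secret and bearer token exist only on the server; the SPA calls a small set of allow-listed routes on that server, which forwards to the Twitter API with the bearer token attached. The token-exchange details (Basic header built from the URL-encoded key and secret, POST to /oauth2/token with grant_type=client_credentials, a JSON reply with token_type "bearer") follow the application-only flow linked in the question; the route allow-list, the sample key/secret and the stub standing in for api.twitter.com are assumptions made for the example so that it runs offline.

```javascript
// Added example: a server-side token proxy for Twitter application-only OAuth.
// Secrets stay here; the browser never sees the key, the secret or the bearer token.

// Step 1: Basic credential for the token endpoint: URL-encode key and secret,
// join with ':', base64. (encodeURIComponent stands in for the RFC 1738 encoding
// the Twitter doc asks for; for the character set Twitter issues they agree.)
function basicAuthHeader(consumerKey, consumerSecret) {
  const pair = encodeURIComponent(consumerKey) + ':' + encodeURIComponent(consumerSecret);
  return 'Basic ' + Buffer.from(pair, 'utf8').toString('base64');
}

// Step 2: validate the token endpoint's reply before trusting it.
function parseBearerTokenResponse(status, body) {
  if (status !== 200) throw new Error('token endpoint returned HTTP ' + status);
  const parsed = JSON.parse(body);
  if (parsed.token_type !== 'bearer' || typeof parsed.access_token !== 'string' || !parsed.access_token) {
    throw new Error('unexpected token response');
  }
  return parsed.access_token;
}

// Step 3: the SPA may reach only a fixed set of upstream endpoints with a fixed set
// of parameters. Because the SPA never picks the upstream URL, a page script cannot
// turn the server into a general-purpose Twitter client. (Allow-list is assumed.)
const ROUTES = {
  '/api/search': { upstream: 'https://api.twitter.com/1.1/search/tweets.json', params: ['q', 'count'] },
};

function buildUpstreamRequest(spaPath, spaQuery, bearerToken) {
  const route = ROUTES[spaPath];
  if (!route) return null;
  const qs = new URLSearchParams();
  for (const name of route.params) {
    if (spaQuery.has(name)) qs.set(name, spaQuery.get(name)); // anything else is dropped
  }
  return {
    method: 'GET',
    url: route.upstream + '?' + qs.toString(),
    headers: { Authorization: 'Bearer ' + bearerToken },
  };
}

// Request handler for the SPA-facing side. `fetchUpstream` is the server's HTTP
// client (here a stub); it returns { status, body }.
async function handleSpaRequest(method, path, query, bearerToken, fetchUpstream) {
  if (method !== 'GET') return { status: 405, body: 'method not allowed' };
  const upstream = buildUpstreamRequest(path, query, bearerToken);
  if (!upstream) return { status: 404, body: 'unknown route' };
  const res = await fetchUpstream(upstream);
  // Forward the body only; upstream headers (auth, rate-limit details) are not leaked.
  return { status: res.status, body: res.body };
}

// Offline demo: a constructed stub stands in for api.twitter.com.
async function demo() {
  const seen = [];
  const stub = async (req) => {
    seen.push(req);
    if (req.url === 'https://api.twitter.com/oauth2/token') {
      return { status: 200, body: JSON.stringify({ token_type: 'bearer', access_token: 'constructed-bearer-token' }) };
    }
    return { status: 200, body: JSON.stringify({ statuses: [] }) };
  };
  const tokenRes = await stub({
    method: 'POST',
    url: 'https://api.twitter.com/oauth2/token',
    headers: {
      Authorization: basicAuthHeader('example-key', 'example/secret'), // constructed values
      'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8',
    },
    body: 'grant_type=client_credentials',
  });
  const token = parseBearerTokenResponse(tokenRes.status, tokenRes.body);
  const ok = await handleSpaRequest('GET', '/api/search', new URLSearchParams('q=oauth&count=5&max_id=1'), token, stub);
  const blocked = await handleSpaRequest('GET', '/api/anything', new URLSearchParams(), token, stub);
  return { token, ok, blocked, upstreamUrl: seen[1].url };
}

if (typeof require !== 'undefined' && require.main === module) {
  demo().then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

Two points worth keeping when turning this into a real service: cache the bearer token on the server rather than exchanging the key/secret on every request, and treat the proxy as a public endpoint (rate limiting, CORS restricted to your SPA's origin), since anyone who can reach it can spend your application's API quota.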


#3

Yeah, figured…was hoping for a way around that, but makes sense. Thanks.