Angular OAuth client instead of Spring
paboulos opened this issue
I am wondering if you think the Angular OAuth libraries are less secure than the one you showed from Spring, which keeps the token on the UI server? I haven't found any mention of vulnerabilities, but it appears that if the client is sent a token over the internet it would be susceptible to man-in-the-middle attacks.
http://stackoverflow.com/questions/18218293/angularjs-oauth
Indeed, but you can't stop sensitive data being needed in secure applications, so really you have to use SSL to prevent the MITM. The biggest disadvantage of OAuth flows driven by the browser client is just that they require client authentication to be secure. So it's not really the token you have to worry about (it can be invalidated easily; that's the reason it exists), but the secrets (client and user authentication), and the fact that they have to be in the browser, which itself isn't very secure.