
We are trying to integrate a Custom HTML widget into the staging environment, where we call an API whose response we use to dynamically load the HTML content. The API we are calling uses OAuth token-based authentication: we first have to call a login API with credentials, and we get a JWT bearer token and its expiry as the response. Using that token, we call another API whose response is loaded into the HTML widget.


Here we found that the auth credentials are kept open in the client-side JavaScript content, which is a problem for us.


  1. Is there a way to protect/secure the credentials that are kept client-side in JavaScript code?
  2. Is there a way for communicating with OAuth with external applications to load HTML widgets / embeddable widgets in a secure manner?
  3. Are there any short codes available in the inSided community? For example, in HTML widgets we use “<% inSidedData.user.name %>”, which is replaced by the user name.

Hi @nandhakumar.m ,

That sounds seriously insecure to me, and I’d be concerned about potential hacking risks from something like that. And this is me speaking as a cybersecurity professional. It would be absolutely trivial for me to extract such credentials and then abuse them as I see fit. I hope you don’t mind me being honest and transparent with you now, rather than leaving you to find out the hard way later!

What was it you were trying to do? Someone here might have a better solution for you. :)


To expand on @Blastoise186’s excellent answer:

  1. no, this is impossible to do securely
  2. not at the moment, though I can see value here, would have to be raised as an idea
  3. following the implementation of 2, that would make sense :)

Like @Blastoise186 said: what are you trying to achieve? There might be better ways :) 


Thanks for your response @Blastoise186 @bas 

@bas I’m just trying to use an HTML widget where I’m using a fetch call to load the data into the widget. That fetch API call is integrated with OAuth token-based authentication. Is there any workaround for me?


The HTML widget is 100% front-end and will not be able to do any authentication I’m afraid.
If the API was open, you’d be able to fetch what you need, but since you cannot (as in: really should not) store credentials in the HTML widget, I don’t see a way of authenticating.
Perhaps putting a proxy somewhere that (periodically) fetches the API results and lists it publicly could work.

What you’re effectively trying to do is to open up information that is shielded off.

