Question

Web app OAuth

  • May 22, 2025
  • 3 replies
  • 12 views


Hi, I'm developing an app with Box integration. The app has only the client part, with no server. I'm not sure which authorization flow I should use, as Box has only the `code` OAuth flow.

The first concern I have is exposing the 'client secret' code - I need to store it somewhere in a config file. Then there is refreshing the access token - with Box OAuth there is only the refresh token, which I assume is not the right choice for a web app either.

Could you please advise how to achieve safe authorization, ideally with some kind of "silent" refreshing of the access token?

3 replies


Hey,


Could you please share some more information about your application's use case so I can provide the best possible suggestion on which authentication method to use?


Best, 

Kourtney 



Hi,

Our app should be capable of reading/writing files to various services (GDrive, Box, Dropbox, etc.) through the OAuth2 authorization flow.

We have no backend available, so we can't securely store refresh tokens, nor the client secret IDs. For example, for GDrive we are using the scenario described here: https://developers.google.com/identity/protocols/OAuth2UserAgent. It performs the OAuth2 implicit grant flow.

I'd like to know how to securely perform the OAuth2 authorization to the Box API with no backend (without the client secret ID). Or, is it OK to store the client secret on the client side?




Hi, did you ever find out if it was possible to achieve this?