Connect to 3rd party rest api with oAuth2 security server when using own oauth2 implementing

Question

Im trying to find some best practices on how to solve my problem.

I have a microservice application with oauth2 and firebase for authentication and authorization. Our application needs to connect to a 3rd party rest api which is secured with oauth2 as well.

Is it possible to integrate both implementations or do i need to make my own solution?

One of my co-workers implemented the authorization-code flow needed to access the api and we basicly store access and refresh_tokens in the database to access this 3rd party api. But it doesn't feel right, i cant find any best practices either, can anyone help me out?

Answer 1

What your co-worker implemented is pretty typical: separating out the authentication and authorization for your own application (which you manage with Firebase) from your users authorizing your use of the 3rd party API.

Here are some best practices you should be following when implementing your OAuth flow:

• Use the state parameter to avoid CSRF attacks. Store it in your database and compare the callback state with the one that you randomly generated for the user
• Encrypt access and refresh tokens. Refresh tokens in particular provide long-lived access
• Verify that the scope you asked for is the scope that was returned: some providers allow users to adjust the permissions, which can lead to unexpected errors
• Make sure your refresh tokens don't expire. Check with the provider's docs to see how refresh tokens are deauthorized. Some are time-based, some are based on new refresh tokens being issued, but in any case, make sure your refresh token stays valid, as if it is not, you must get the user to re-authorize your application

You can also use a managed OAuth provider to abstract away all these elements. Xkit , which I work on, integrates with Firebase Authentication so your users can authorize your app, and you can retrieve each user's tokens with one API call.