I am currently experimenting with OAuth2 to develop a mobile application built entirely in JavaScript that talks to a CakePHP API. Take a look at the following code to see h
The only way to be fully secure is to not store the access tokens client-side. Anyone with (physical) access to your browser could obtain your token.
1) Your assessment of neither being a great solution is accurate.
2) Using expiration times would be your best if you are limited to only client-side development. It wouldn't require your users to re-authenticate with OAuth as frequently, and guarantee that the token wouldn't live forever. Still not the most secure.
3) Getting a new token would require performing the OAuth workflow to obtain a fresh token. The client_id is tied to a specific domain for OAuth to function.
The most secure method for retaining OAuth tokens would be a server-side implementation.
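A sketch of the server-side approach the answer recommends, combined with the expiration it mentions. This is an added example, not part of the original answer: it assumes a Node.js backend that has already completed the OAuth workflow, and `TokenVault`, `sessionCookie` and the in-memory `Map` are hypothetical names chosen for illustration.

```javascript
// Added example: the access token stays on the server; the browser only
// ever receives an opaque random session id.
const nodeCrypto = require('node:crypto');

class TokenVault {
  constructor(now = () => Date.now()) {
    this.now = now;            // injectable clock so expiry can be tested
    this.sessions = new Map(); // sessionId -> { accessToken, expiresAt }
  }

  // Call after the server has obtained a token through the OAuth workflow.
  store(accessToken, expiresInSeconds) {
    const sessionId = nodeCrypto.randomBytes(32).toString('hex');
    this.sessions.set(sessionId, {
      accessToken,
      expiresAt: this.now() + expiresInSeconds * 1000,
    });
    return sessionId;
  }

  // Returns the token for a live session, or null when unknown or expired.
  tokenFor(sessionId) {
    const entry = this.sessions.get(sessionId);
    if (!entry) return null;
    if (this.now() >= entry.expiresAt) {
      this.sessions.delete(sessionId); // expired: a new OAuth workflow is needed
      return null;
    }
    return entry.accessToken;
  }

  // Explicit logout: drop the server-side record.
  revoke(sessionId) {
    return this.sessions.delete(sessionId);
  }
}

// Set-Cookie value carrying only the opaque id. HttpOnly keeps it away from
// page scripts; Secure and SameSite limit where the browser will send it.
function sessionCookie(sessionId, maxAgeSeconds) {
  return `sid=${sessionId}; Max-Age=${maxAgeSeconds}; Path=/; ` +
    'HttpOnly; Secure; SameSite=Strict';
}
```

A production deployment would replace the `Map` with a shared session store so that sessions survive restarts and work across multiple server instances.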