I have a REST API that needs to allow CORS for multiple apps, and a single-page webapp that should use this API. The API should not be completely open, though.
Now, I have looked at different schemes for authentication, and OAuth2 seems like what the "big guys" are using.
The solution I am thinking about implementing is something like this:
The JS webapp makes a request to a local, server-side proxy, which holds the OAuth credentials and obtains a token for the JS webapp to use to communicate directly with the REST API from that point out.
Does this sound viable? I am thinking I just moved the problem, since I now need to validate the webapp's token request to the local proxy instead? :)
I am also thinking that this problem must have been solved many times before already :)
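
The flow described in the question, sketched as an added example that is not part of the original post: a proxy-side handler that checks the webapp's request (origin allow-list plus a server-side session) before using its own OAuth2 client credentials to obtain a token. All names, origins and session values are hypothetical, and `fake_token_endpoint` is a constructed stand-in for the authorization server so the sketch runs offline.

```python
import hmac
import secrets
import time

# All names and values below are hypothetical, constructed for illustration.
ALLOWED_ORIGINS = {"https://app.example.com"}
CLIENT_ID = "webapp-proxy"                 # held only on the proxy
CLIENT_SECRET = secrets.token_urlsafe(32)  # never sent to the browser
SESSIONS = {"sess-abc123": "alice"}        # session id -> logged-in user


def fake_token_endpoint(form):
    """Stand-in for the authorization server's token endpoint
    (OAuth2 client credentials grant); not a real server."""
    ok = (form.get("grant_type") == "client_credentials"
          and form.get("client_id") == CLIENT_ID
          and hmac.compare_digest(form.get("client_secret", ""), CLIENT_SECRET))
    if not ok:
        return {"error": "invalid_client"}
    return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
            "expires_in": 300, "scope": form.get("scope", "")}


def proxy_token_request(headers, cookies, token_endpoint=fake_token_endpoint):
    """Handle the webapp's request for an API token; returns (status, body)."""
    # 1. Only the webapp's own origin may ask the proxy for a token.
    if headers.get("Origin") not in ALLOWED_ORIGINS:
        return 403, {"error": "origin_not_allowed"}
    # 2. The caller must hold a valid session on the proxy.
    user = SESSIONS.get(cookies.get("session", ""))
    if user is None:
        return 401, {"error": "not_authenticated"}
    # 3. The proxy authenticates to the authorization server with its own
    #    credentials; the browser never sees them.
    resp = token_endpoint({"grant_type": "client_credentials",
                           "client_id": CLIENT_ID,
                           "client_secret": CLIENT_SECRET,
                           "scope": "api.read"})
    if "access_token" not in resp:
        return 502, {"error": "token_request_failed"}
    # 4. Hand back only the short-lived bearer token and its expiry.
    return 200, {"access_token": resp["access_token"], "token_type": "Bearer",
                 "expires_at": int(time.time()) + resp["expires_in"],
                 "user": user}
```

The `Origin` check only constrains requests made by browsers; the session cookie is what actually authenticates the caller to the proxy.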