OAuth SPA - What is the purpose of a proxy?

Hello, I’m getting ready to implement an OAuth2 server for the first time. I’ve been doing a lot of research but there is one thing that I’m stuck on.
The application is a SPA (Angular) backed by a REST API. My plan was to use the Resource Owners Credentials grant to log the user in on the SPA side of things. Where I’m stuck is on the need for a proxy between the SPA and the REST API. I understand that the proxy is supposed to obscure the client credentials so that a user cannot hijack the client credentials and execute calls against the API posing as the SPA app.

My question is, what does a proxy actually do to prevent this? And what mechanism stops somebody from doing the exact same thing against the proxy, and now they don’t need to know the client credentials?
