Oauth 2.0 token based authentication


nope jsonp can only “fake” get requests

start your chrome with the --disabled-web-security flag

or use chrome plugins like


Hello bengtler ,

this is what I have for now in the Login Controller . I’m still getting unauthorized 401 error. Am I doing everything correct ?

.controller('LoginController', function($scope, $http, $location) {
    $http.defaults.headers.post['Content-Type'] = 'application/x-www-form-urlencoded';
    $scope.login = function() {
                $http.post(OAuthUrl, {
                  'client_id': clientId,
                  'client_secret': clientSecret,
                  'grant_type': password,
                  'username': username.trim(),
                  'password': password.trim(),
                  withCredentials: true,
                  headers: {
                    'Content-Type': 'application/json; charset=utf-8'
                   .success(function(data) {
                         accessToken = data.access_token;
                    .error(function(data, status) {
                        alert("ERROR: " + data);


maybe your credentials are wrong?


no, I’m hardcoding the credentials for a test user. I crosschecked those things, it’s not wrong.


okay but if it is your api … you should check how you have to set headers and so on.



Where should I be using the Authorization : Access Token signature ?


you can set this as a header

headers: {
  'Content-Type': 'application/json; charset=utf-8',
  'Authorization': 'XXXXXXX XXXXX'


Trust me and try with get method.
Set this in your app.js in config function:

$httpProvider.defaults.useXDomain = true;
delete $httpProvider.defaults.headers.common['X-Requested-With'];

Delete withCredentials option and delete your content type header too.


Some resources:


i suggest you to implement it using interceptors and ui router events rather than simply use controllers because interceptors and ui router events let you catch an unauthorized http status or bad request in whole app in case of refresh token is expired.


@ebreo I have updated my code and added an interceptor. It is working but let me know if you have answer to my question of how to send my clientID and secret to the server.


@bengtler thanks for the follow up . I have updated my code and added an interceptor. It is working but let me know how to send my clientID and secret to the server.


yeah how i said… it depends how the API-works you are using… if it needs this parameters as query parameter or in the request body… or if the API needs them in the request header.


And: http://robferguson.org/2015/07/27/authentication-for-ionic-apps/


send it via query string


Could you help me to solve this problem?

Thanks before


Hi everyone, i know that this is a old topic, but i was working with some similar issue, but the the real problem is that implement the request for token with client_id and secret_id credentials from angular (or other client side method) is a bad practice. This exposing the app’s oauth credentials and will available from local source (browser console and JS source).

Then the best practice is make that request in server side and implement basic authentication form in your angular app (of course provide a SSL certificate for user send their data is safe way).

On server side depend of your favorite language (PHP, Python, Perl, Ruby, …) and response the token to the angular app with other data that you required.

The basic flow is:

  • Angular app send user credentials to server “username and password” (Post Method over HTTPS)
  • Server app get the user credentials and OAuth credentials of your app (ex. twitter app) that are stored in a safe place (not public)
  • Server app request the token to the authentication system (OAuth provider) and get de Token data.
  • Server Response to Angular app the user token.
  • Angular app save the token on localStorage, cookies and use it in Headers request.

Other aspect to consider is that OAuth provider response with a refresh_token, that will be use for renovate a token that is expiring. You should implement a safe method to store that token and use it to refresh the user token.

Is someone need a full example working code, please write me and i will provide the source.


Please provide the source as that would help all of us. I am trying to implement oauth on ionic2.


Alright this case works, how would a refresh token work, what if a user logs into the application after 3 days and both token and refresh tokens are expired by that, they would want to login again? This never happens to Facebook or Twitter apps so i wonder how they manage refreshing tokens.


@aryan7 Can u please share ur correct code with interceptor …