Best Practice for OAuth Initiation URL

(Galenweber) #1

I am implementing Dwolla’s OAuth flow. The first step is redirecting the user to the initiation URL.

Currently I am doing this on the front end with this code:

// Authorization endpoint up to and including "client_id=" (placeholder: fill in the provider's URL)
var baseUrl = "",
    dwollaID = MY_DWOLLA_ID,
    responseAndRedirect = "&response_type=code&redirect_uri=",
    uri = MY_REDIRECT_URI,
    authScope = "&scope=AccountInfoFull%7CSend%7CFunding%7CScheduled%7CTransactions";

// encodeURIComponent (not encodeURI) so that "/", ":", "?" and "&" inside the
// redirect URI are escaped as a single query-parameter value
var oAuthUrl = baseUrl + encodeURIComponent(dwollaID) + responseAndRedirect + encodeURIComponent(uri) + authScope;

window.location.href = oAuthUrl;

Is this best practice to redirect from the front end? Is there any risk from the fact that I am exposing my Dwolla ID (of course, it would be in the URL)?

When I attempt to redirect from the server, my browser logs this error message:

No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin is therefore not allowed access. 

The cause behind that message may be beyond the scope for this forum post, but if it is acceptable practice to redirect from the front-end, I won’t worry about it.


(Stephen Ausman) #2

Hey Galen,

That URL looks good to me. Just to be clear: the client_id in the initiation URL is your application’s consumer key found at It is okay to expose this, but your consumer secret should never be exposed.

Generating the initiation URL and redirecting to it from the front end is fine; you’ll just need to exchange the code for a token on the server, as it requires your client secret.
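An added example (not from either post, and not Dwolla's own code) of the front-end half of this flow: building the initiation URL with per-parameter encoding so the redirect URI and the "|"-separated scopes survive intact, plus a random state value that the callback page checks before handing the code to the server. AUTHORIZE_ENDPOINT, the client id and the redirect URI are placeholders; substitute the provider's documented values.

```javascript
// AUTHORIZE_ENDPOINT is a placeholder, not the provider's real endpoint.
const AUTHORIZE_ENDPOINT = "https://auth.example.com/oauth/authorize";

// Random, unguessable state token (32 hex chars). Browsers expose
// crypto.getRandomValues; the require() branch only lets this run under Node.
function newState() {
  const bytes = new Uint8Array(16);
  if (globalThis.crypto && globalThis.crypto.getRandomValues) {
    globalThis.crypto.getRandomValues(bytes);
  } else if (typeof require === "function") {
    require("crypto").randomFillSync(bytes);
  } else {
    throw new Error("no secure random source available");
  }
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// URLSearchParams encodes each value separately, so a redirect_uri that itself
// contains "?" or "&" stays one parameter, and "|" in the scope becomes %7C.
function buildAuthorizeUrl({ clientId, redirectUri, scopes, state }) {
  const url = new URL(AUTHORIZE_ENDPOINT);
  url.searchParams.set("client_id", clientId); // public identifier, safe to expose
  url.searchParams.set("response_type", "code");
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("scope", scopes.join("|"));
  url.searchParams.set("state", state); // ties the callback to this browser session
  return url.toString();
}

// Callback page: only accept the code when state matches the value stored
// (e.g. in sessionStorage) before the redirect; otherwise treat it as forged.
function codeFromCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  if (params.get("error")) return { ok: false, reason: params.get("error") };
  if (!expectedState || params.get("state") !== expectedState) {
    return { ok: false, reason: "state mismatch" };
  }
  const code = params.get("code");
  return code ? { ok: true, code } : { ok: false, reason: "missing code" };
}

// Usage in a page (constructed values): store the state, then navigate.
//   const state = newState();
//   sessionStorage.setItem("oauth_state", state);
//   window.location.href = buildAuthorizeUrl({ clientId: "client-123",
//     redirectUri: "https://app.example.com/cb", scopes: ["AccountInfoFull", "Send"], state });
```

The code returned by codeFromCallback is then posted to your own server, which performs the token exchange with the client secret; the secret never reaches the browser.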

(Galenweber) #3

Hi Stephen,

Thanks for the reply. Yes, I would not ever expose the consumer secret. Glad to know that exposing the id is OK.