Trying to consider the best approach

• Modal, with an iFrame
  • Use iFrame messaging to communicate with the parent application (So solution)
    • Concern: I don't think it's easy to tell which iframe posted the message. So, theorhetically, another user of the same API host, could post a message with their OAuth token instead. And the user would be storing notes under their account.
• Redirect to the login site, then back
  • I think I'd need to used a Header as part of the redirect back to Note'd, after a successful login. The header would include the Auth token.
  • Would need a way to safely grab the token, w/o other JavaScript getting access.
  • OH! Maybe Note'd will give a token to the API Host, and the API host will associate the generated token, with this Note'd token.
    • Then later, after successful login, and the Note'd App is back, Note'd will request from that site, the Auth token, whilst providing the previously shared token.
    • Then, the API Host, familiar with the pre-shared token, will respond with the Auth token.

Best solution, is probably to see how other people do it.

References

1. https://security.stackexchange.com/questions/180357/store-auth-token-in-cookie-or-header
2. https://www.cloudways.com/blog/symfony-api-token-authentication/
3. http://www.redotheweb.com/2015/11/09/api-security.html
4. https://stackoverflow.com/questions/43051186/is-it-good-practice-to-use-an-iframe-to-login-with-oauth2-and-openid

1. A request is made to have a new note generated
2. A new entity is created, incorporating a newly generated UUID
3. The success-response should include the UUID, so the Client can incorporate the UUID on subsequent requests.

Related issue: shmolf/noted#23