I am building a multi-tenant SaaS application that allows each tenant to set up an API integration with an external application (actually, a bunch of them). Most of these external applications use OAuth 2.0 to authenticate APIs, so they need a header such as “Authentication: Bearer ”.
I am using the API connector, but I cannot leverage the native OAuth2 support, because I need each tenant to be able to enter their API client ID / secret to authenticate. So I have no choice but to use self-handled authentication, where I set up a dedicated API call to get/refresh access tokens periodically (with scheduled server-side actions) and save it in the DB, and then call the other API by setting the value of the Authentication header in workflow actions.
I can potentially encode/decode the access token stored in the DB for added security. Also, I am calling most of the APIs from backend workflows.
But I have some DATA APIs that I need to call from the client to populate dropdowns dynamically. In this case I am basically pulling an access token inside a client-side workflow action, so it is visible to the client side (although there are privacy rules that make it visible only to the current user).
I am starting to have security concerns.
I am OK with the fact that the user of the account could, with some hacking, see these tokens client side, as long as nobody else could see them.
Is there any better way to do this? Any recommendations?
Is building a plugin with a Server Side Action calling such APIs more secure in any way? (I do not know anything about plugins or coding in Node.)
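As an added example (not code from the original post, and not Bubble's own plugin API), here is the shape of a server-side action in Node that keeps the per-tenant client secret and access token on the server, refreshes the token shortly before expiry with the client-credentials grant, and hands the browser only the option list, so no bearer token ever reaches a client-side workflow. The tenant record fields, the token and data URLs, and the injected `httpPost`/`httpGet` transports are assumptions made for the example.

```javascript
// Added example: server-side handling of a tenant's OAuth2 token.
// Tenant fields (clientId, clientSecret, tokenUrl, dataUrl, accessToken,
// tokenExpiresAt) and the injected transports are assumed, not a real API.

const REFRESH_SKEW_MS = 60 * 1000; // refresh a minute before expiry

// Ask the provider for a new token using the client-credentials grant.
// `httpPost(url, params)` is an injected transport that returns the parsed
// JSON token response, so the logic can be exercised without network access.
async function refreshAccessToken(tenant, httpPost, now = Date.now()) {
  const body = new URLSearchParams({
    grant_type: "client_credentials",
    client_id: tenant.clientId,
    client_secret: tenant.clientSecret,
  });
  const res = await httpPost(tenant.tokenUrl, body);
  if (!res || typeof res.access_token !== "string") {
    throw new Error("token endpoint returned no access_token");
  }
  // Persist the token and its absolute expiry on the tenant record
  // (server side only; never copied into a client-visible field).
  tenant.accessToken = res.access_token;
  tenant.tokenExpiresAt = now + (res.expires_in ?? 3600) * 1000;
  return tenant.accessToken;
}

// Return a usable token, refreshing if it is missing or close to expiry.
async function getValidToken(tenant, httpPost, now = Date.now()) {
  const stillValid =
    tenant.accessToken && tenant.tokenExpiresAt - REFRESH_SKEW_MS > now;
  return stillValid
    ? tenant.accessToken
    : refreshAccessToken(tenant, httpPost, now);
}

// The server-side action the client workflow calls. It makes the upstream
// request with the standard "Authorization: Bearer <token>" header and
// returns only the shaped option list, so the token stays on the server.
async function fetchDropdownOptions(tenant, httpPost, httpGet, now = Date.now()) {
  const token = await getValidToken(tenant, httpPost, now);
  const data = await httpGet(tenant.dataUrl, {
    Authorization: `Bearer ${token}`,
  });
  // Shape the response explicitly rather than forwarding the raw body,
  // so unexpected upstream fields are not leaked to the browser either.
  return (data.items ?? []).map((it) => ({ id: String(it.id), label: it.name }));
}
```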