Dear GFS developers,
We would like to clarify the authentication process.
From documentation (Security):
> This authentication step is a server to server call that should be made from your webserver to GFS' identity server (link)
Is it really necessary to make a server to server call to obtain a token for a widget? It looks like it is used only by the widget on the client side. It would be an uncommon practice to use our server for obtaining a token, and then the widget will use it to work with your server. There is no difference in security as long as we expose the token for a client.
Do you have any special reasons for not revealing Client ID and Client Secret to the client (JS code)? Do we have to put additional restrictions on token acquitting process?
Software Engineer (EPAM System)
We develop the integration on behalf of The Perfume Shop