
I'm pretty new to OAuth and API security.

I'm building a REST API that will be accessed by my own mobile application.

I want to expose API to other developers via OAuth authorization and authentication and I'll be using my own OAuth provider.

What is the authentication strategy for my own mobile app ? After all, I don't need user to authorize my app. Can I use OAuth for authentication while having my own mobile application pre-authorized by default ?

Can I authenticate users of my mobile app with OAuth or do I need something like OpenID?

Artem Oboturov
Gal Ben-Haim

2 Answers


I don't think you want OAuth if you are looking to step over the user authorization step. If you are determined to use OAuth, however, you could mask the authorization step as a login dialog or give your application an access token. User authorization is a rather big part of OAuth's functionality, so ignoring it probably means you should use some other interface to access your users' information.

Nielsvh
  • Of course users will have a login dialog. Should I use a different authentication method for my own apps and OAuth for 3rd party apps? What authentication methods are best suited for this? – Gal Ben-Haim Jun 06 '12 at 06:10

Accessing my own oauth REST API - OAuth has NOTHING to do with REST a priori: OAuth is an authorization protocol, REST an architectural style.

For OAuth - use version 2.0 - it's 2012 already.

What is the authentication strategy for my own mobile app? - for a mobile app on Android, for example, you could get the user's account with which one registered his phone within the Google Play store/GMAIL (and then generate a one-time password on your server side). If one wouldn't provide them to your app - make an explicit authentication.

Nowadays probably only a calculator doesn't use explicit authentication - so why should you differ? You can link your authentication to FB or Google or any other OAuth provider - what makes you create your own OAuth provider?

You can Authenticate users with both OAuth and OpenID.

Artem Oboturov
  • So something like an API key for my mobile app and OAUTH for 3rd party API access? – Gal Ben-Haim Jun 06 '12 at 17:50
  • For Android you have Internal Storage: `You can save files directly on the device's internal storage. By default, files saved to the internal storage are private to your application and other applications cannot access them (nor can the user). When the user uninstalls your application, these files are removed.` The same for iOS. If you think that the system default methods give you enough protection - use them. If not, make authentication completely via OAuth - but user-friendly. – Artem Oboturov Jun 06 '12 at 19:27
  • Currently I'm using API keys which are passed within the HTTP request headers. The user logs in with his username/password, the server validates it and returns an API key which identifies that specific user. I'm looking into the standard way of doing this (keeping in mind that I'll have OAUTH in the future for 3rd party apps). – Gal Ben-Haim Jun 06 '12 at 20:12
  • I don't think you can find one single ideal way to do it. Many people ask this question [http://stackoverflow.com/questions/5340252/how-can-i-design-a-secure-api-authentication-for-mobile-apps-to-access-a-service](http://stackoverflow.com/questions/5340252/how-can-i-design-a-secure-api-authentication-for-mobile-apps-to-access-a-service). – Artem Oboturov Jun 06 '12 at 20:36
  • So from what I understand I'm looking into 2-legged authentication, is OAUTH suitable for that? – Gal Ben-Haim Jun 07 '12 at 06:18
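As an added example (not code from the question or either answer), here is the scheme the asker describes in the comments above: a username/password login that returns a per-user token, which the first-party mobile app then sends in an HTTP header on each request. The user table, salt and in-memory token store are assumptions; the server-side details a practitioner would want (tokens stored only as hashes, an expiry, revocation, constant-time comparison) are included.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

TOKEN_TTL = 3600  # seconds a login token stays valid (assumed value)

def _pw_hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the user table never holds plain passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user table (a real deployment keeps this in a database, one salt per user).
_SALT = b"constructed-salt"
USERS: Dict[str, bytes] = {"gal": _pw_hash("correct horse", _SALT)}

# Token store keyed by SHA-256 of the token: a leaked store cannot be replayed against the API.
TOKENS: Dict[bytes, dict] = {}

def _key(token: str) -> bytes:
    return hashlib.sha256(token.encode()).digest()

def login(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Validate credentials; on success issue a random bearer token bound to this user."""
    stored = USERS.get(username, b"")
    candidate = _pw_hash(password, _SALT)
    # Constant-time compare, run even for unknown users, so timing does not leak which is wrong.
    if not hmac.compare_digest(stored, candidate):
        return None
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
    issued = now if now is not None else time.time()
    TOKENS[_key(token)] = {"user": username, "expires": issued + TOKEN_TTL}
    return token

def authenticate(headers: Dict[str, str], now: Optional[float] = None) -> Optional[str]:
    """Resolve the user from an `Authorization: Bearer <token>` header; None if not valid."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    record = TOKENS.get(_key(token))
    if record is None:
        return None
    current = now if now is not None else time.time()
    if current >= record["expires"]:
        TOKENS.pop(_key(token), None)  # expired tokens are removed, not just rejected
        return None
    return record["user"]

def logout(token: str) -> None:
    """Revoke a token server side (sign-out, or a lost device reported by the user)."""
    TOKENS.pop(_key(token), None)
```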