
Here is what I'm trying to do:

I have a server that serves data using a REST API, but I want only my mobile clients (an app) to access it.

I would like to use a similar system where a user can create an email/password login. After that, the user can access certain data using the API.

Is OAuth2 the right thing to use?

Or do I just try to create my own protocol and generate a token for the user, and have the user attach a token on all API requests? (This is where I'm confused. Can I use OAuth for that? Or is that even needed? If not, is there a standard HTTP way to do this? Also, I would like to use refresh tokens, but I'm not sure if I should create my own methods.)

Opal
mskw

3 Answers


OAuth2 would probably be the best and most widely used solution. I'd go with that.

Implementing your own authentication/authorization protocols almost always ends in disaster, unless you have a very deep understanding in cryptography and the underlying protocols.

  • I've looked at OAuth, I thought it is used to use a 3rd party (Facebook) and have them authenticate the user. In my case, I don't have any 3rd party authenticator. Do I do some kind of loop back and pretend I'm a 3rd party and issue authentication that way? Or is that how everyone does it? – mskw Dec 29 '15 at 14:45
  • Your API acts as the OAuth2 server. The server grants an access token after the user's email/password credentials have been verified. You can see a visualization of the flow here: http://oauthlib.readthedocs.org/en/latest/oauth2/grants/password.html – Ole Riesenberg Dec 29 '15 at 21:14

Mind the fact that OAuth is not an authentication protocol - which seems to be what you need - but an authorization protocol. Your server is a client that requests the resources that the OAuth provider has - is that what you need? I guess no.

What you rather need is an authentication protocol - which typically works by sending some token with every request - and passport.js, mentioned by @Julian, seems to be doing the job you need.

Basically, stay away from implementing custom solutions. You really need wide knowledge to implement a reliable and secure authentication scheme.

JSON web token might be the way to go as well.

Opal
  • I thought OAuth still does authentication by having the user enter their username/password at the authentication server; the authentication server then grants access to the user and the resource server. The resource server then gives authorization to the user, using a token. What I'm confused about is: is there a strict set of calls/protocols/HTTP headers to make in order to be OAuth compliant? – mskw Dec 29 '15 at 14:43
  • @mskw, I'm against using OAuth for securing a REST API, because that's not what OAuth was invented for. But it doesn't mean it can't be used; the scenario you provided in a comment is perfectly valid. Yes, there is a strict set, OAuth is standardized. – Opal Dec 30 '15 at 11:48

If client applications are developed only by you, you don't need OAuth. OAuth is needed only when you want to allow third-party client applications to access (your service's) users' data with restricted privileges.

Related questions:

  1. Understanding the need of client id, client secret in oauth 2.0
  2. How to verify which resources each user can access with OAuth and OpenID Connect?
  3. OAuth 2.0 Authorization Server and Access Tokens

However, if there is a possibility that you may want to allow third-party client applications to access your system in the future, it may be wise to implement the Resource Owner Password Credentials Grant, which is one of the OAuth 2.0 flows, from the beginning, for future extensibility.

Takahiko Kawasaki
  • I wanted to use a standard way to secure my API, so I thought the way OAuth issued tokens was the way to go. How do other apps do it typically if only my app is trying to access my API? – mskw Jan 01 '16 at 06:30
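The Resource Owner Password Credentials Grant that the answers above recommend, shown end to end as an added example (this is not code from any of the answerers, passport.js or oauthlib): the API's own `/token` endpoint verifies the email/password, issues an opaque access token plus a refresh token, rotates the refresh token on use, and the resource side checks the `Authorization: Bearer` header. The user store, salt and TTLs are constructed placeholders; the in-memory dicts stand in for a database.

```python
import hashlib, hmac, secrets, time
from urllib.parse import parse_qs

# Constructed user store: only a salted PBKDF2 hash is kept, never the plaintext password.
_SALT = b"constructed-salt-use-a-random-per-user-salt"
USERS = {"alice@example.com": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}
ACCESS_TTL, REFRESH_TTL = 3600, 30 * 86400       # seconds; constructed values
_access, _refresh = {}, {}                       # opaque token -> (username, expiry)

def _issue(username, now):
    """Mint a fresh access/refresh pair; tokens are random, not derived from user data."""
    a, r = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    _access[a] = (username, now + ACCESS_TTL)
    _refresh[r] = (username, now + REFRESH_TTL)
    return {"access_token": a, "token_type": "Bearer", "expires_in": ACCESS_TTL, "refresh_token": r}

def token_endpoint(form_body, now=None):
    """POST /token handler: RFC 6749 password grant (section 4.3) and refresh (section 6)."""
    now = time.time() if now is None else now
    p = {k: v[0] for k, v in parse_qs(form_body).items()}
    grant = p.get("grant_type")
    if grant == "password":
        stored = USERS.get(p.get("username", ""))
        given = hashlib.pbkdf2_hmac("sha256", p.get("password", "").encode(), _SALT, 100_000)
        # Same error for unknown user and wrong password, so the response does not reveal which.
        if stored is None or not hmac.compare_digest(stored, given):
            return 400, {"error": "invalid_grant"}
        return 200, _issue(p["username"], now)
    if grant == "refresh_token":
        entry = _refresh.pop(p.get("refresh_token", ""), None)  # rotation: old token is consumed
        if entry is None or entry[1] < now:
            return 400, {"error": "invalid_grant"}
        return 200, _issue(entry[0], now)
    return 400, {"error": "unsupported_grant_type"}

def authenticate_request(headers, now=None):
    """Resource-server side: validate 'Authorization: Bearer <token>' (RFC 6750); username or None."""
    now = time.time() if now is None else now
    scheme, _, tok = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not tok:
        return None
    entry = _access.get(tok)
    if entry is None or entry[1] < now:   # unknown or expired access token
        return None
    return entry[0]
```

Expired or unknown access tokens yield `None`, which the API maps to a `401` with `WWW-Authenticate: Bearer`; the client then uses the refresh token to obtain a new pair without asking for the password again.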