I'm creating an application and I will have both clients, who post ads, and users, who view and accept ads. The clients will log into the main web server site to post the ad and the users will log into (get authorized on) the mobile site to view it.

Where I'm stuck is with OAuth2 authorization... I have set up the server and used curl to get an authorization code; however, can someone please clarify something for me?

Are my clients and users stored in the same database table? Am I supposed to store each person who wants to view the API in Users, or do I create a new model for Users/Whatever?

Do I even need OAuth2 in this scenario? A lot of tutorials on this are about a third-party application getting authorization from a site like Google, for instance, whereas my mobile application and web server are both part of the same company or site.

Denis

1 Answer

I hope I understand your question correctly. Your first question regards database design, and in your second you are looking for some understanding of use cases for OAuth.

Let's talk about your first question, whose answer is a bit less concrete. This is a design decision and is somewhat subjective, but there will be a better or worse solution based upon your requirements. You have to decide if the information you need to store about users vs. clients is substantially different. If it is, different tables will be your better design solution. If the only thing you need to know about clients vs. users is that they have a different kind of access, it is probable that all you need is an additional column in your table that will indicate the logged-in person's type of access, whether it is client or user. In this case, a single table will be your better design solution.

The second question is also a great question and a source of much heartache for many developers, as OAuth's purpose is often poorly understood and, once you do get into using it, not all that simple to implement. OAuth can be thought of as a secure handshake between a client and a server. The client, in this case, is you, but the server is also you, which, in short, means that you don't need OAuth. If you would like to create a backend that can serve up data to other developers' client apps, then you might want to implement OAuth, but even then you would only want to use it if you required authorization security from the server. It's a bit confusing at first, and I could go on, but here's an article that explains it very well, written by people who have implemented apps using OAuth. If you still think you need OAuth (if you're planning on your code being used by other developers as an API), you have your work cut out for you. Otherwise, don't worry about OAuth for now!

Anna B Nana
  • Oh wow, thank you so much. I had a feeling I was going too far. So then is the basic Django authorization enough security to let Users and Clients access my web server API from my mobile application? And as for the database, how do I add an additional column to the User's table that was created when I created the Django application? Or is that user section for "Admin" users and I need to create my own table for Users/Clients? – Denis Dec 01 '16 at 17:29
  • You can, by all means, extend the existing User model. I would recommend the first method in the docs, shown [here](https://docs.djangoproject.com/en/1.10/topics/auth/customizing/#extending-the-existing-user-model), just because it's the easiest to understand and implement. See [this](http://stackoverflow.com/questions/44109/extending-the-user-model-with-custom-fields-in-django) SO answer. – Anna B Nana Dec 01 '16 at 18:22
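As an added illustration of the single-table design the answer recommends and the role column the comments discuss (example code written here, not the answerer's code and not Django's User model): a SQLite schema in which clients and users share one account table, the account_type column is constrained to the two allowed values, and every write path checks the caller's type server-side before touching data. Table, column and function names are assumptions for the example.

```python
import sqlite3

# One table for both kinds of person; the CHECK fixes the access type to the
# two values the application knows about, so a stray third role cannot appear.
SCHEMA = """
CREATE TABLE account (
    id INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL,
    account_type TEXT NOT NULL CHECK (account_type IN ('client', 'user'))
);
CREATE TABLE ad (
    id INTEGER PRIMARY KEY,
    client_id INTEGER NOT NULL REFERENCES account(id),
    title TEXT NOT NULL
);
CREATE TABLE acceptance (
    ad_id INTEGER NOT NULL REFERENCES ad(id),
    user_id INTEGER NOT NULL REFERENCES account(id),
    PRIMARY KEY (ad_id, user_id)
);
"""

# Least privilege: each action is allowed for exactly one account type.
PERMISSIONS = {"post_ad": "client", "accept_ad": "user"}


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def create_account(conn, username, account_type):
    cur = conn.execute("INSERT INTO account (username, account_type) VALUES (?, ?)",
                       (username, account_type))
    return cur.lastrowid


def require(conn, account_id, action):
    """Server-side check: read the caller's type from the table, never trust the client."""
    row = conn.execute("SELECT account_type FROM account WHERE id = ?", (account_id,)).fetchone()
    if row is None or row[0] != PERMISSIONS[action]:
        raise PermissionError(f"account {account_id} may not {action}")


def post_ad(conn, account_id, title):
    require(conn, account_id, "post_ad")  # only clients post
    return conn.execute("INSERT INTO ad (client_id, title) VALUES (?, ?)",
                        (account_id, title)).lastrowid


def accept_ad(conn, account_id, ad_id):
    require(conn, account_id, "accept_ad")  # only users accept
    conn.execute("INSERT INTO acceptance (ad_id, user_id) VALUES (?, ?)", (ad_id, account_id))
    return conn.execute("SELECT COUNT(*) FROM acceptance WHERE ad_id = ?", (ad_id,)).fetchone()[0]
```

With Django the same shape is a profile model (or custom user) carrying the type column, and the check in `require` becomes a permission test in the view that handles the mobile API call.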