
I'm a total novice in web development.

I'm making an android app for someone's wordpress site. They have a mysql database containing private user data which I need to retrieve in the app when a user is signed in.

I wrote a tiny, insufficient api in php that fetches private data for a user and returns it given a user ID, obviously this isn't good enough, but this is pretty much where I'm stuck.

I need to ensure that only the currently logged in user can access their own data. I've tried to go down the oauth2 route using the WP OAuth Server plugin. I get how oAuth2 works at a high level, but actually integrating it is giving me a lot of questions like:

  • How would the user be authenticated before they're given an authorisation code?
  • If the authorisation step is just checking that the user is logged in, then anyone could access this user's data as long as they're logged in on some device, which doesn't sound good.
  • Once I have the access token, how is that validated when I call the API that retrieves the user's data?

So basically, my questions: Is oAuth2 the best option for achieving this? If yes, then I want to ask the 3 questions above. If no, what is?

  • `How would the user be authenticated before they're given an authorisation code`...they send a username and password, which, if valid, is exchanged for a token – ADyson Jun 08 '22 at 07:15
  • `the authorisation step is just checking that the user is logged in, then anyone could access this user's data as long as they're logged in on some device`...it depends if your code checks _which_ user is making the request, as opposed to just _any_ logged-in user. That's down to you to code -OAuth just verifies the user is valid, not what precisely they can do – ADyson Jun 08 '22 at 07:17
  • `Once I have the access token how is that validated when I call the API that retrieves the user's data`...depends precisely on the implementation but basically the API code needs to check the token every time with the identity provider – ADyson Jun 08 '22 at 07:17
  • @ADyson Ok, so if I’m going to send the user name and password for authentication in exchange for a token, couldn’t I simplify it and include an encrypted username and password in every direct api call to the resource server, do the authentication there and then process the resource request immediately? – Hayden Gorringe Jun 08 '22 at 17:00
  • Well you could, but there are reasons why people started using token based authentication instead of your approach. Some reading: https://stackoverflow.com/questions/1592534/what-is-token-based-authentication, and https://www.fortinet.com/resources/cyberglossary/authentication-token - specifically the "why" section further down, and https://www.loginradius.com/blog/identity/pros-cons-token-authentication/ – ADyson Jun 08 '22 at 17:42

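One way to implement the two checks the comments describe (validate the token, then check *which* user it belongs to before returning a row), as an added example that is neither the asker's PHP API nor code from the WP OAuth Server plugin. The `TOKENS` table is a constructed stand-in for the plugin's token lookup, and `handle_private_data` and its parameters are hypothetical names.

```php
<?php
// Constructed stand-in for token introspection: maps opaque access tokens to
// the user they were issued to and an expiry time. In a real deployment this
// lookup is a call to the OAuth server / plugin, never a hard-coded array.
const TOKENS = [
    'tok_alice_123' => ['user_id' => 42, 'expires' => PHP_INT_MAX],
    'tok_bob_456'   => ['user_id' => 7,  'expires' => 0], // already expired
];

// Return the user ID bound to a valid, unexpired token, or null if rejected.
function user_from_token(string $token): ?int {
    $info = TOKENS[$token] ?? null;
    if ($info === null || $info['expires'] < time()) {
        return null;
    }
    return $info['user_id'];
}

// Resource endpoint: the effective user ID comes from the token, never from a
// client-supplied parameter. $headers are the request headers, $requested_user
// is the optional ?user_id the client sent, and $fetch loads private data for a
// user ID (in the real API, a prepared mysqli/PDO query).
function handle_private_data(array $headers, ?int $requested_user, callable $fetch): array {
    $auth = $headers['Authorization'] ?? '';
    if (!preg_match('/^Bearer\s+(\S+)$/', $auth, $m)) {
        return ['status' => 401, 'body' => ['error' => 'missing bearer token']];
    }
    $uid = user_from_token($m[1]);
    if ($uid === null) {
        return ['status' => 401, 'body' => ['error' => 'invalid or expired token']];
    }
    // Authorization check: a valid token for Bob must not read Alice's row,
    // which is the gap the "given a user ID" API in the question leaves open.
    if ($requested_user !== null && $requested_user !== $uid) {
        return ['status' => 403, 'body' => ['error' => 'forbidden']];
    }
    return ['status' => 200, 'body' => $fetch($uid)];
}

// Usage with a constructed data source instead of a database.
$fetch = fn(int $uid) => ['user_id' => $uid, 'secret' => "private data of user $uid"];
$own      = handle_private_data(['Authorization' => 'Bearer tok_alice_123'], 42, $fetch);
$other    = handle_private_data(['Authorization' => 'Bearer tok_alice_123'], 7, $fetch);
$expired  = handle_private_data(['Authorization' => 'Bearer tok_bob_456'], null, $fetch);
$missing  = handle_private_data([], 42, $fetch);
echo json_encode([$own, $other, $expired, $missing], JSON_PRETTY_PRINT), PHP_EOL;
```

Running it shows the same token succeeding for its own user and being refused for another user's ID, which is the distinction the comments draw between "logged in" and "allowed to read this row".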