There’s a great deal of confusion about implementing API authorization with OAuth 2.0. The reasons vary: partly the different options the specification itself provides, and partly the confusion around implementing it in a mobile app. Having gone through this myself, I decided to write up how to approach the selection based on your requirements.
A basic point to understand is that OAuth 2.0 does not specify authentication; it is an authorization framework. To keep this post to the point, I will not go into the details of the OAuth specification. For that, there are excellent blog posts from Johann Reinke and Aaron Parecki on OAuth 2.
From here on I assume you already understand the different authorization grant types. With that, the authorization mechanism options for native mobile apps and browser apps are:
- Native Mobile App
  - Self-hosted authorization: use the OAuth2 Password Grant.
  - External (Facebook/Google+/Twitter) authorization: use the OAuth2 Implicit Grant.
  - Combination of self-hosted and external authorization: use the Implicit Grant for the external OAuth servers and the Password Grant for your own. The backend must be able to identify the user. The best mechanism is to hold a userid for your own system and attach the social network (external) userid to it. This gives the additional flexibility of adding or removing different social network (external) authorization grants.
- Browser Apps (both desktop and mobile)
  - Use the Implicit Grant for external authorization.
  - For internal authorization, it depends on whether you are implementing the Implicit Grant on your server. If not, you can use the Password Grant.
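As an added illustration of the self-hosted side of the "combination" option above (this is example code written for this post, not the author's or any library's implementation): an in-memory authorization server that handles a Password Grant token request and keeps one system userid per user with the external (social network) userids attached to it, so that a login via an external provider can be resolved to the same backend user and links can be added or removed. The class, method and client names, and the sample users, are constructed for the example; verifying the external provider's own access token is assumed to happen out of band and is represented only by the `(provider, external userid)` pair it yields.

```python
"""Constructed example: an in-memory sketch of a self-hosted OAuth2 Password
Grant token endpoint plus a user record that links external (social) userids
to one system userid. All names and sample values are assumptions."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000


@dataclass
class User:
    userid: str                 # the system's own user identifier
    salt: bytes
    password_hash: bytes        # salted PBKDF2 hash, never the plain password
    external_ids: Dict[str, str] = field(default_factory=dict)  # provider -> external userid


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AuthServer:
    """Minimal self-hosted authorization server (constructed, not a real library)."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        # reverse index so a social login can be resolved to a system userid
        self.external_index: Dict[Tuple[str, str], str] = {}
        # a native app is a public client and cannot keep a secret, so only
        # the client_id is checked against the registered list here
        self.registered_clients = {"mobile-app"}
        self.tokens: Dict[str, str] = {}  # access token -> userid

    # --- account management -------------------------------------------------
    def register(self, userid: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[userid] = User(userid, salt, hash_password(password, salt))

    def link_external(self, userid: str, provider: str, external_id: str) -> None:
        """Attach a social-network userid to an existing system user."""
        key = (provider, external_id)
        owner = self.external_index.get(key)
        if owner is not None and owner != userid:
            # the same external identity must never map to two system users
            raise ValueError(f"{provider} id already linked to another user")
        self.users[userid].external_ids[provider] = external_id
        self.external_index[key] = userid

    def unlink_external(self, userid: str, provider: str) -> None:
        external_id = self.users[userid].external_ids.pop(provider)
        del self.external_index[(provider, external_id)]

    def lookup_external(self, provider: str, external_id: str) -> Optional[str]:
        return self.external_index.get((provider, external_id))

    # --- token issuance -----------------------------------------------------
    def _issue(self, userid: str) -> dict:
        token = secrets.token_urlsafe(32)
        self.tokens[token] = userid
        return {"access_token": token, "token_type": "Bearer", "expires_in": 3600}

    def token(self, form: dict) -> dict:
        """Handle the body of a POST /token as a Password Grant (RFC 6749 section 4.3)."""
        if form.get("grant_type") != "password":
            return {"error": "unsupported_grant_type"}
        if form.get("client_id") not in self.registered_clients:
            return {"error": "invalid_client"}
        user = self.users.get(form.get("username", ""))
        if user is None:
            # hash anyway so an unknown user takes as long as a wrong password
            hash_password(form.get("password", ""), b"\x00" * 16)
            return {"error": "invalid_grant"}
        candidate = hash_password(form.get("password", ""), user.salt)
        if not hmac.compare_digest(candidate, user.password_hash):
            return {"error": "invalid_grant"}
        return self._issue(user.userid)

    def token_for_external(self, provider: str, external_id: str) -> dict:
        """Issue our own token once the external provider's token has been
        verified out of band and yielded (provider, external userid)."""
        userid = self.lookup_external(provider, external_id)
        if userid is None:
            return {"error": "invalid_grant"}
        return self._issue(userid)

    def resolve(self, access_token: str) -> Optional[str]:
        """Resource-server side: map a bearer token back to the system userid."""
        return self.tokens.get(access_token)


if __name__ == "__main__":
    srv = AuthServer()
    srv.register("alice", "correct horse battery staple")   # constructed sample user
    srv.link_external("alice", "google", "g-123")            # constructed external id
    own = srv.token({"grant_type": "password", "client_id": "mobile-app",
                     "username": "alice", "password": "correct horse battery staple"})
    social = srv.token_for_external("google", "g-123")
    print(srv.resolve(own["access_token"]), srv.resolve(social["access_token"]))
```

Both login paths end in the same place: the backend identifies the user by its own userid, whether the token came from the Password Grant or from a linked external identity, which is what lets providers be linked and unlinked without touching the user's own account.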