REST API authentication for web app and mobile app

Question

I\'m having some trouble deciding how to implement authentication for a RESTful API that will be secure for consumption by both a web app and a mobile app.

Firstly,

Answer 1

You should use OAuth2. Here is how:

1) Mobile App

The mobile app store client credentials as you state yourself. It then uses "Resource Owner Password Credentials Grant" (see http://tools.ietf.org/html/rfc6749#section-4.3) to send those credentials. In turn it gets a (bearer) token it can use in the following requests.

2) Web site

The website uses "Authorization Code Grant" (see http://tools.ietf.org/html/rfc6749#section-4.1):

1. Website sees unauthorized request and redirects browser to HTML-enabled autorization endpoint in the REST api.

2. User authenticates with REST service

3. REST site redirects user back to website with access token in URL.

4. Website calls REST site and swaps access token to authorization token.

Here after the website uses the authorization token for accessing the REST service (on behalf of the end-user) - usually by including the token as a "bearer" token in the HTTP Authorization header.

It is not rocket science but it does take some time to understand completely.

3) Restricting API access for certain applications

In OAuth2 each client is issued a client ID and client secret (here "client" is your mobile app or website). The client must send these credentials when authorizing. Your REST service can use this to validate the calling client