Here is the challenge:
The service-/business layer has a REST (JSON) interface. There are two kinds of clients which can call the API: The webapp, which is running in a
Web servers typically support the concept of a "session". When a web browser connects, a session is created on the server, which returns a session ID (usually as an HTTP cookie). The web browser then sends that session ID cookie with all subsequent requests to the server.
Using this mechanism, a lot of programming languages / frameworks have an authentication / authorization module, which allows the user to authenticate himself (typically with a username and password). Once the identity of the user is validated, the session is updated with the ID of the user. The server code then checks the user ID from the session for each request to make sure the user is authenticated / allowed to issue the request (whether it's an HTML page view or an API GET/POST).
Things can be a little different for an Android (or iOS...) app, but the idea is similar: have the user authenticate themselves once, give the client a "secret token" which is mapped on the server to the user record. Then this token is passed with all requests sent by the client.
You can use a home-grown library for that or a more standard one like OAuth2.
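The token flow the answer sketches, as an added Python example (not code from the original thread): the server validates credentials once, mints an opaque random token mapped to the user record, checks it on every request, and can revoke it server-side. The in-memory user store, the salt, the TTL and the `Authorization: Bearer` header convention are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 3600  # assumption: tokens expire after one hour

# Constructed user record: password kept as a salted PBKDF2 hash, never in clear.
_SALT = b"constructed-demo-salt"
_ITER = 100_000
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"s3cret", _SALT, _ITER)}
_DUMMY = hashlib.pbkdf2_hmac("sha256", b"dummy", _SALT, _ITER)

# Server-side token table: sha256(token) -> (username, expiry). Only a hash of
# the token is stored, so a leaked table does not yield usable tokens.
TOKENS: Dict[str, Tuple[str, float]] = {}


def _token_key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def login(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Validate credentials once; on success mint an opaque random token."""
    stored = USERS.get(username, _DUMMY)  # compare against a dummy for unknown users
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITER)
    ok = hmac.compare_digest(stored, candidate)  # constant-time comparison
    if not ok or username not in USERS:
        return None
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    start = now if now is not None else time.time()
    TOKENS[_token_key(token)] = (username, start + TOKEN_TTL_SECONDS)
    return token


def authenticate_request(headers: Dict[str, str], now: Optional[float] = None) -> Optional[str]:
    """Map the bearer token on a request back to its user, or None if invalid/expired."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    key = _token_key(auth[len("Bearer "):])
    entry = TOKENS.get(key)
    if entry is None:
        return None
    username, expires = entry
    if (now if now is not None else time.time()) >= expires:
        TOKENS.pop(key, None)  # expired: drop it so it cannot be replayed later
        return None
    return username


def logout(token: str) -> None:
    """Server-side revocation; the client forgetting the token is not enough."""
    TOKENS.pop(_token_key(token), None)
```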