Centralized API provider - oAuth or not?

I am a bit lost with the overflow of information and I need some guidance on the best way I can support providing APIs access only to trusted clients.

Current environment:

We currently have a centralized server that handles user authentication/authorization via Apache Shiro.

We have in-house APIs that communicate internally with the centralized server to authenticate and manage tokens. (Thus enabling SSO).

Communication between our client applications and APIs is secured over SSL.
Token-based authentication is used.

Target:

Our target is to allow 3rd party applications and APIs to communicate with our centralized authentication server. But our main concern is phishing, as we only want "valid" parties to communicate with us, and preferably disallow exposing the authentication information on the 3rd party's side.

Questions:

1- What is the best way to implement such an architecture? Should we go ahead with OAuth? If yes, is there a good way to integrate it with Shiro?

2- Would OAuth do its job well on Mobile applications as well? (e.g Restrict access to REST API unless the application is trusted)

3- Is there an OAuth provider library I can use with Java, or is OAuth simply a "standard" that I have to implement myself? (Such as, for example, implementing RESTful APIs)

4- Is SSO easily supported with OAuth?

Sorry for vague questions. I just need general guidance and advice.

SiN asked May 10 '13 13:05


1 Answer

Here are my answers in order:

  1. OAuth 2.0 is the best fit for you. I would say you should go for OAuth.
  2. Definitely yes.
  3. There are libraries. Apache Oltu and Google client library.
  4. OpenID Connect specification which is built on top of OAuth can be used to implement SSO.
SureshAtt answered Sep 23 '22 15:09