I know that OAuth 2 is very useful in situations where you want to delegate authorization to a third party (e.g. someapp.com wants to access your Facebook photos), but does it make any sense to use OAuth in scenarios where you just have a RESTful API without third parties, and you want to protect your endpoints? Or maybe it is enough to create a /login endpoint that produces a short-lived JWT?
You can view such a situation as a client consuming a resource server. Here, the client is your front end, for example a mobile client, and the resource server is simply your RESTful API. Resources are consumed using OAuth 2.0 access tokens. That means your client includes the access token in each request that goes to the RESTful API. Have a look at The OAuth 2.0 Authorization Framework: Bearer Token Usage for how this can be done.
One advantage of this approach is the ability to alternate the methods by which you obtain access tokens. That means, initially it could be an in-house identity provider which issues them. But if you decide your identity provider should be Google (a "log in with Google" sort of scenario), then this approach will still be valid. It makes your application easy to expand with different user stores (if you ever want to support that).
Also, think about scenarios where you have multiple clients (e.g. mobile, SPA and native .NET client). Using access tokens (OAuth 2.0 based) will make a uniform interface from the RESTful service endpoint (it is independent of the client). So you get the ability to develop different clients targeting the same service.
The alternative is (as you mentioned) to maintain a session once login is done. But then you will be bound to the login-related logic of your application, which can make things harder to change in the future.
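The following is an added example, not code from the question or the answer above, showing the resource-server side of what the answer describes: the API accepts an RFC 6750 `Authorization: Bearer` header, validates the token, and answers 401 with a `WWW-Authenticate: Bearer` challenge otherwise. It assumes HS256-signed compact JWTs, a constructed audience `https://api.example.test`, a constructed in-house issuer `https://login.example.test` with a shared secret, and uses only the Python standard library; the issuer table is what you would extend when you later add Google or another identity provider, without touching the endpoint code.

```python
"""Resource-server side of RFC 6750 bearer-token usage, stdlib only.

Added example (not from the original Q&A). Assumptions, all constructed:
tokens are compact HS256 JWTs, the resource server knows each trusted
issuer's shared secret, and every token must name this API as its audience.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

AUDIENCE = "https://api.example.test"  # assumed identifier of our REST API

# Trusted issuers and their HMAC secrets (constructed sample values).
# Swapping the in-house identity provider for another one, or adding a second
# one, means editing this table rather than the endpoint code.
ISSUER_KEYS: Dict[str, bytes] = {
    "https://login.example.test": b"in-house-secret-0123456789abcdef",
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issuer: str, subject: str, secret: bytes, now: int, ttl: int = 300) -> str:
    """Mint a short-lived HS256 JWT; stands in for a /login or IdP token endpoint."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": AUDIENCE, "iat": now, "exp": now + ttl}
    signing_input = _b64url_encode(json.dumps(header).encode()) + "." + _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_bearer(authorization: Optional[str], issuer_keys: Dict[str, bytes] = ISSUER_KEYS,
                  now: Optional[int] = None) -> dict:
    """Validate an Authorization header per RFC 6750 and return the token claims.

    Raises PermissionError with a short reason on any failure; the caller turns
    that into a 401 with a WWW-Authenticate: Bearer challenge.
    """
    now = int(time.time()) if now is None else now
    if not authorization:
        raise PermissionError("missing Authorization header")
    scheme, _, token = authorization.partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        raise PermissionError("not a Bearer credential")
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        sig = _b64url_decode(parts[2])
    except (ValueError, UnicodeDecodeError):
        raise PermissionError("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise PermissionError("malformed token")
    # Pin the algorithm: the server decides how to verify, never the token's alg field.
    if header.get("alg") != "HS256":
        raise PermissionError("unsupported alg")
    # Pick the key by issuer claim, so several identity providers can coexist.
    key = issuer_keys.get(claims.get("iss"))
    if key is None:
        raise PermissionError("unknown issuer")
    expected = hmac.new(key, (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("bad signature")
    if claims.get("aud") != AUDIENCE:
        raise PermissionError("wrong audience")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise PermissionError("token expired")
    return claims


def handle_request(headers: Dict[str, str], now: Optional[int] = None) -> Tuple[int, Dict[str, str], str]:
    """Tiny stand-in for a protected REST endpoint: 200 with the subject, or 401."""
    try:
        claims = verify_bearer(headers.get("Authorization"), now=now)
    except PermissionError as err:
        # RFC 6750 s3: no error code when the request carried no credential at all.
        if str(err) == "missing Authorization header":
            challenge = 'Bearer realm="%s"' % AUDIENCE
        else:
            challenge = 'Bearer realm="%s", error="invalid_token", error_description="%s"' % (AUDIENCE, err)
        return 401, {"WWW-Authenticate": challenge}, ""
    return 200, {}, "hello " + str(claims["sub"])


if __name__ == "__main__":
    now = int(time.time())
    tok = issue_token("https://login.example.test", "alice", ISSUER_KEYS["https://login.example.test"], now)
    print(handle_request({"Authorization": "Bearer " + tok}, now=now + 10))
    print(handle_request({}, now=now + 10))
```

The client-independence point from the answer is visible in `handle_request`: a mobile app, an SPA and a .NET client all send the same header, and the endpoint neither knows nor cares which of them, or which identity provider, produced the token.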