Let's say that we have an app (web/mobile/desktop) on which the user never logs in/registers, but we still want to give him access to some resources, for example doing a POST /v1/users.
In order to do that POST the client needs an access_token. How should OAuth work here? Or should another authentication mechanism be used?
Let's start with the biggest reason why OAuth isn't authentication: access tokens are not intended for the client application. When an authorization server issues an access token, the intended audience is the protected resource. After all, this is what the token is providing access to.
DAuth [25] is an extension of OAuth to split an access token into multiple sub-tokens and assign them to different components of a distributed web consumer. Therefore DAuth can support very fine-grained permission control for accessing user data in service providers. ...
OAuth 1.0 only handled web workflows, but OAuth 2.0 considers non-web clients as well. Better separation of duties. Handling resource requests and handling user authorization can be decoupled in OAuth 2.0. Basic signature workflow.
If your Web APIs (protected resource endpoints) don't care about who the accessing user is, in other words, if an access token presented to your Web APIs doesn't have to be associated with any user, implement Client Credentials Grant, which is one of the flows defined in RFC 6749, to issue such access tokens.
This answer applies to any type of authentication, OAuth or other.
The very nature of authentication is that the client holds a key which the server can verify and thereby allow access to protected resources. The client naturally keeps this key secret, else anyone can access protected resources belonging to them.
If your client has not registered in some way, there is no key. However, it is not necessary to have explicit registration/login. Your app can simply find some unique identifier and silently register with the server and receive an access token. The whole process is hidden from the user.
However, if your data is readily available, and anyone can access it, you may want to consider not using any authentication. If what you are asking is that you only want access from one particular app, then you need to include some form of shared access token from that app which the server can check. This is not 100% secure because anyone who can read code from your app or scan HTTP traffic could in theory get that access token, but you can make it difficult for average users to do so. SSL helps greatly to secure this process.