 

OAuth for anonymous users

Let's say that we have an app (web/mobile/desktop) on which the user never logs in/registers, but we still want to give him access to some resources, for example doing a POST /v1/users.

In order to do that POST the client needs an access_token. How should OAuth work here? Or should another authentication mechanism be used?

asked May 13 '16 07:05 by alexm92




2 Answers

If your Web APIs (protected resource endpoints) don't care about who the accessing user is, in other words, if an access token presented to your Web APIs doesn't have to be associated with any user, implement the Client Credentials Grant, which is one of the flows defined in RFC 6749, to issue such access tokens.

answered Sep 20 '22 14:09 by Takahiko Kawasaki
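The flow this answer recommends, worked through end to end as an added example (it is not code from the answer or from any real authorization server): an in-memory token endpoint that accepts only `grant_type=client_credentials`, authenticates the client by its registered secret, issues an opaque Bearer token with a scope and an expiry, and a `POST /v1/users` resource handler that validates that token. The client id `anon-app`, its secret, the `users:create` scope, the endpoint names and the 600-second lifetime are all assumptions made for the example. Note what the token record contains: a client id and a scope, and no user at all.

```python
"""Minimal OAuth 2.0 client credentials grant (RFC 6749, section 4.4) for an
anonymous client, plus the resource-server check on the other side."""
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs

TOKEN_TTL = 600  # seconds an issued token stays valid (assumed value)


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed client registration (assumed names, not from the original post).
# The secret is stored hashed; "scopes" is the most this client may ever be granted.
CLIENTS = {
    "anon-app": {
        "secret_sha256": _sha256("app-secret-change-me"),
        "scopes": {"users:create"},
    }
}

# Issued tokens, keyed by the opaque token string. There is no user in the
# record: the token is bound to a client application, not to a person.
TOKENS: dict = {}


def token_endpoint(form_body: str, now: Optional[float] = None):
    """Handle POST /token (application/x-www-form-urlencoded); return (status, json)."""
    now = time.time() if now is None else now
    form = {k: v[0] for k, v in parse_qs(form_body).items()}
    if form.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    client = CLIENTS.get(form.get("client_id", ""))
    presented = _sha256(form.get("client_secret", ""))
    # compare_digest keeps the secret comparison constant-time, and an unknown
    # client takes the same path as a wrong secret so the reply does not say which
    if client is None or not hmac.compare_digest(client["secret_sha256"], presented):
        return 401, {"error": "invalid_client"}
    requested = set(form.get("scope", "").split()) or set(client["scopes"])
    if not requested <= client["scopes"]:
        return 400, {"error": "invalid_scope"}
    token = secrets.token_urlsafe(32)  # opaque, unguessable bearer token
    TOKENS[token] = {"client_id": form["client_id"], "scope": requested, "exp": now + TOKEN_TTL}
    return 200, {"access_token": token, "token_type": "Bearer",
                 "expires_in": TOKEN_TTL, "scope": " ".join(sorted(requested))}


def check_bearer(authorization: Optional[str], required_scope: str, now: Optional[float] = None):
    """Resource-server side: validate 'Authorization: Bearer <token>' for one scope.
    Returns (200, token_record) on success, otherwise (status, error_json)."""
    now = time.time() if now is None else now
    if not authorization or not authorization.startswith("Bearer "):
        return 401, {"error": "invalid_token"}
    record = TOKENS.get(authorization[len("Bearer "):])
    if record is None or record["exp"] <= now:
        return 401, {"error": "invalid_token"}
    if required_scope not in record["scope"]:
        return 403, {"error": "insufficient_scope"}
    return 200, record


def create_user(headers: dict, body: dict, now: Optional[float] = None):
    """POST /v1/users, the protected resource from the question."""
    status, payload = check_bearer(headers.get("Authorization"), "users:create", now)
    if status != 200:
        return status, payload
    # payload["client_id"] says which app made the call, not which human did
    return 201, {"id": secrets.token_hex(8), "email": body["email"],
                 "created_by_client": payload["client_id"]}
```

In a real deployment the client secret would be sent over TLS, the tokens would live in a store shared by all API instances (or be self-contained, e.g. JWTs), and the resource server would typically rate-limit per client id, since a client credentials token identifies the app and nothing finer.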


This answer applies to any type of authentication, OAuth or other.

The very nature of authentication is that the client holds a key which the server can verify and thereby allow access to protected resources. The client naturally keeps this key secret; otherwise anyone could access the protected resources belonging to it.

If your client has not registered in some way, there is no key. However, it is not necessary to have explicit registration/login. Your app can simply find some unique identifier and silently register with the server and receive an access token. The whole process is hidden from the user.

However, if your data is readily available and anyone can access it, you may want to consider not using any authentication. If what you are asking is that you only want access from one particular app, then you need to include some form of shared access token from that app which the server can check. This is not 100% secure, because anyone who can read code from your app or scan HTTP traffic could in theory get that access token, but you can make it difficult for average users to do so. SSL helps greatly to secure this process.

answered Sep 17 '22 14:09 by Christian Cerri
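The silent-registration idea in this answer, as an added example (not code from the answer): on first launch the app generates its own random credential, registers it against an app-wide shared token, and from then on obtains short-lived bearer tokens for that install, all without the user seeing anything. The shared token only says "this looks like our app" and, as the answer notes, can be extracted from the binary; the per-install secret is what lets the server tell installs apart and revoke one of them without rotating the shared token. The `/v1/devices` endpoints, the shared token value and the one-hour lifetime are assumptions made for the example.

```python
"""Silent per-install registration for an anonymous client, then bearer
tokens bound to that install rather than to a user."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed values; endpoint names and the shared token are assumptions.
APP_SHARED_TOKEN = "app-build-2016-05-shared"  # embedded in every copy of the app
TOKEN_TTL = 3600

DEVICES: dict = {}  # device_id -> {"secret_sha256": ..., "revoked": bool}
TOKENS: dict = {}   # access_token -> {"device_id": ..., "exp": ...}


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def register_device(app_token: str, device_secret: str):
    """POST /v1/devices. Only the shared app token is checked, so anyone who pulls it
    out of the binary can register; the goal is to make installs distinguishable."""
    if not hmac.compare_digest(app_token, APP_SHARED_TOKEN):
        return 403, {"error": "unknown_app"}
    device_id = secrets.token_hex(16)
    DEVICES[device_id] = {"secret_sha256": _sha256(device_secret), "revoked": False}
    return 201, {"device_id": device_id}


def issue_device_token(device_id: str, device_secret: str, now: Optional[float] = None):
    """POST /v1/devices/{id}/token: verify the per-install secret, return a bearer token."""
    now = time.time() if now is None else now
    rec = DEVICES.get(device_id)
    if rec is None or rec["revoked"] or not hmac.compare_digest(
            rec["secret_sha256"], _sha256(device_secret)):
        return 401, {"error": "invalid_device"}
    token = secrets.token_urlsafe(32)
    TOKENS[token] = {"device_id": device_id, "exp": now + TOKEN_TTL}
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": TOKEN_TTL}


def revoke_device(device_id: str) -> bool:
    """Cut off one abusive install; the shared app token stays valid for everyone else."""
    rec = DEVICES.get(device_id)
    if rec is None:
        return False
    rec["revoked"] = True
    for tok in [t for t, r in TOKENS.items() if r["device_id"] == device_id]:
        del TOKENS[tok]  # tokens already issued to that install die with it
    return True


def create_user(headers: dict, body: dict, now: Optional[float] = None):
    """POST /v1/users, authorized by the install's bearer token rather than a user."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    rec = TOKENS.get(auth[len("Bearer "):]) if auth.startswith("Bearer ") else None
    if rec is None or rec["exp"] <= now:
        return 401, {"error": "invalid_token"}
    return 201, {"id": secrets.token_hex(8), "email": body["email"],
                 "registered_by_device": rec["device_id"]}


class AnonymousApp:
    """Client side. None of this is visible to the user."""

    def __init__(self):
        # generated once per install and kept in the app's private storage
        self.device_secret = secrets.token_urlsafe(32)
        self.device_id: Optional[str] = None
        self.access_token: Optional[str] = None

    def first_launch(self, now: Optional[float] = None) -> bool:
        status, reply = register_device(APP_SHARED_TOKEN, self.device_secret)
        if status != 201:
            return False
        self.device_id = reply["device_id"]
        status, reply = issue_device_token(self.device_id, self.device_secret, now)
        if status != 200:
            return False
        self.access_token = reply["access_token"]
        return True

    def create_user(self, email: str, now: Optional[float] = None):
        return create_user({"Authorization": f"Bearer {self.access_token}"}, {"email": email}, now)
```

The per-install secret should be kept in the platform's protected storage (Keychain, Keystore, DPAPI) and, as the answer says, every request should go over TLS; otherwise it is just as exposed as the shared token it was meant to improve on.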