What is OAuth and how does it secure REST API calls? [closed]

I have mobile application REST API calls which hit my server without any token or security mechanism.

I want to secure my API calls. I am trying to understand what OAuth is and how it will secure my mobile app REST API calls which are hitting my server.

Also I want to know in detail about the below fields which are used in OAuth. From where will I get the below fields?

  • Consumer Key
  • Consumer Secret
  • Token
  • Token Secret
  • Timestamp
  • Nonce
Sanjay Salunkhe asked Jun 07 '16 08:06



1 Answer

Since most providers use OAuth 2.0 and OAuth 1.0 has been deprecated by major providers, I will explain OAuth 2.0.

What is OAuth?

OAuth is an open standard for authorization, commonly used as a way for Internet users to log in to third party websites using their Microsoft, Google, Facebook, Twitter, One Network etc. accounts without exposing their password.

You can implement your own OAuth server; here I am explaining social auth, so the term OAuth hereafter refers to social auth with OAuth.

In layman's terms, OAuth lets users log in to your web service with their accounts (Facebook, Google etc.).

Terminology:

  • client: The user of your API.
  • Resource Owner (api server): Your API
  • Authorization Server (auth server): Facebook/Google etc auth server.
  • Authorization grant: the method by which you authorize a user. We are using Authorization code here.
  • Authorization code: A code that the auth server returns to the client which can be exchanged for an access token at the api server.
  • Access Token: A string that identifies a user, usually comes with an expiry period.
  • Consumer Key or APP_ID: a public key used by auth server to identify your application.
  • Consumer Secret or APP_SECRET: a private key which should be kept confidential.

The below terms have nothing to do with OAuth but are used with OAuth to make it more secure.

  • Timestamp: a string that tells the date and time.
  • Nonce: a number or string which can be used only once.

[Diagram: OAuth login flow; source: http://smerity.com/]

I will explain the diagram with Facebook login as an example.

Background: consider that you have done the below before I explain the diagram:

  1. You register an app with Facebook developers portal.
  2. Facebook provides you two codes: 1) a secret_key and 2) an app_id.
  3. You designed a button which says Login with Facebook.

Now the diagram:

  1. Client requests the API server.
  2. API server redirects to a login page saying: to access the data, please log in with Facebook to access the page.
  3. User clicks on the Login with Facebook button; a new popup OAuth dialog opens, asking for the Facebook username and password.
  4. User enters his username and password, then allows access to your app. Auth server redirects the user to your website with a code as a parameter in the URL.
  5. API server is called in step 4; API server captures the code from the URL.
  6. API server calls the auth server with the provided client_secret.
  7. Auth server returns the access token for the user to the API server.
  8. API server asks the auth server for user information for the given access token.
  9. Auth server returns details about the user: profile pic, email etc.
  10. API server identifies the user and sends him the response along with the access token.
  11. Client sends the access token to the API server on the next request.
  12. API server checks if the access token is valid and responds.
  13. When the access token has expired, the client is asked to log in again.

Now, how does this secure your API?

Make the portions which need security login-required to access them. If the client who makes the request is not logged in to your API, send him to step 2 of the diagram.

So what is a nonce? A timestamp?

If someone steals an access token, he can get access to the API server until the access token expires. So when the user requests a page, the server sends him back a nonce which is stored in the server. The client signs the request with the received nonce and completes the request. As the nonce is only used once, the server deletes the nonce. When an attacker grabs the nonce and makes a fake request to the server, the server rejects the request as the one-time number is invalid, as it's used already.

Timestamp is used to identify the time the token or nonce is created, which is used to expire the token or nonce in a limited time frame (1-2 seconds), the time needed for a request to complete.

All Іѕ Vаиітy answered Oct 11 '22 17:10

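The thirteen-step flow in the answer, played out as an added example (not code from the original post). Both "servers" are in-process Python objects, and every app id, app secret, user, password and URL is a constructed value, so nothing touches the network or any real provider. The point it shows that the prose does not: the authorization code is consumed on first exchange, and the exchange only succeeds when the API server also presents the app secret, so a code leaked from a redirect URL is worthless on its own.

```python
"""Toy walk-through of the OAuth 2.0 authorization-code flow (steps 1-13 in
the answer). Added example with constructed ids, secrets, users and URLs."""
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Constructed accounts held by the auth server (stands in for Facebook's user base).
AUTH_SERVER_USERS = {"alice": "correct horse battery staple"}


class AuthServer:
    """Stands in for the Facebook/Google authorization server."""

    def __init__(self):
        # Registered apps: app_id -> (app_secret, registered redirect URI). Constructed.
        self.apps = {"app-123": ("app-secret-xyz", "https://api.example.test/fb/callback")}
        self.pending_codes = {}  # authorization code -> (app_id, user, expiry)
        self.tokens = {}         # access token -> (user, expiry)

    def authorize(self, app_id, redirect_uri, user, password):
        """Steps 3-4: the user logs in here; we redirect back with a one-time code."""
        registered = self.apps.get(app_id)
        if registered is None or registered[1] != redirect_uri:
            raise PermissionError("unknown app_id or redirect_uri mismatch")
        if AUTH_SERVER_USERS.get(user) != password:
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(16)
        self.pending_codes[code] = (app_id, user, time.time() + 60)
        return f"{redirect_uri}?code={code}"

    def exchange_code(self, app_id, app_secret, code):
        """Steps 6-7: API server presents code + app_secret, gets an access token."""
        registered = self.apps.get(app_id)
        if registered is None or not hmac.compare_digest(registered[0], app_secret):
            raise PermissionError("bad app credentials")
        entry = self.pending_codes.pop(code, None)  # single-use: pop, never get
        if entry is None or entry[0] != app_id or entry[2] < time.time():
            raise PermissionError("invalid, expired or already used code")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (entry[1], time.time() + 3600)
        return token

    def userinfo(self, access_token):
        """Steps 8-9: profile details for a valid access token."""
        user, expiry = self.tokens.get(access_token, (None, 0))
        if user is None or expiry < time.time():
            raise PermissionError("invalid or expired access token")
        return {"id": user, "email": f"{user}@example.test"}


class ApiServer:
    """Your API server: swaps the code for a token and demands it on later calls."""

    def __init__(self, auth, app_id, app_secret):
        self.auth, self.app_id, self.app_secret = auth, app_id, app_secret
        self.sessions = {}  # access token -> user id

    def fb_callback(self, redirect_url):
        """Steps 5-10: capture the code, exchange it, look the user up, return the token."""
        code = parse_qs(urlparse(redirect_url).query)["code"][0]
        token = self.auth.exchange_code(self.app_id, self.app_secret, code)
        profile = self.auth.userinfo(token)
        self.sessions[token] = profile["id"]
        return token

    def get_profile(self, access_token):
        """Steps 11-13: protected endpoint; unknown token -> 401 (back to step 2)."""
        user = self.sessions.get(access_token)
        if user is None:
            return 401, {"error": "login required"}
        return 200, {"user": user}


def run_flow():
    """Drive the flow once and return what each stage produced."""
    auth = AuthServer()
    api = ApiServer(auth, "app-123", "app-secret-xyz")
    first = api.get_profile("no-token-yet")                      # steps 1-2
    redirect_url = auth.authorize("app-123", "https://api.example.test/fb/callback",
                                  "alice", "correct horse battery staple")  # steps 3-4
    token = api.fb_callback(redirect_url)                        # steps 5-10
    second = api.get_profile(token)                              # steps 11-12
    try:                                                         # leaked code replayed
        api.fb_callback(redirect_url)
        replay = "accepted"
    except PermissionError:
        replay = "rejected"
    return {"before_login": first[0], "after_login": second, "code_replay": replay}


if __name__ == "__main__":
    print(run_flow())
```

`exchange_code` checks the app secret before popping the code, so a failed exchange by a party without the secret does not burn the legitimate app's pending code.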
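The nonce-and-timestamp scheme from the answer's last two paragraphs, as an added example rather than code from the original post. It assumes the client and the API server share a per-token secret (the "Token Secret" the question asks about) and that the client signs each request with HMAC-SHA256 over the method, path, body, nonce and timestamp; the 2-second window matches the answer's "1-2 seconds", and the clock and sample requests are constructed so the replay and stale cases can be shown deterministically.

```python
"""Server-issued one-time nonces plus a timestamp window, guarding signed
requests against replay. Added example; secret, clock and requests constructed."""
import hashlib
import hmac
import secrets
import time


def canonical(method, path, body, nonce, timestamp):
    """The bytes that get signed; newline-joined so fields cannot run together."""
    return "\n".join([method.upper(), path, body, nonce, str(timestamp)]).encode()


def sign_request(token_secret, method, path, body, nonce, timestamp):
    """Client side: MAC the canonical request with the shared token secret."""
    return hmac.new(token_secret.encode(),
                    canonical(method, path, body, nonce, timestamp),
                    hashlib.sha256).hexdigest()


class ReplayGuard:
    """Server side: hands out nonces, stores them, and verifies signed requests.
    `clock` is injectable so the time window can be exercised without sleeping."""

    def __init__(self, window_seconds=2.0, clock=time.time):
        self.window = window_seconds
        self.clock = clock
        self.unused_nonces = set()   # "stored in the server" until spent

    def issue_nonce(self):
        nonce = secrets.token_hex(16)
        self.unused_nonces.add(nonce)
        return nonce

    def verify(self, token_secret, method, path, body, nonce, timestamp, signature):
        """Return (ok, reason). Cheap checks first; the nonce is only spent after
        the signature verifies, so a forged request cannot burn a live nonce."""
        if abs(self.clock() - timestamp) > self.window:
            return False, "stale timestamp"
        if nonce not in self.unused_nonces:
            return False, "unknown or already used nonce"
        expected = sign_request(token_secret, method, path, body, nonce, timestamp)
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        self.unused_nonces.discard(nonce)  # spent: a replay now fails the check above
        return True, "ok"


def demo():
    """A good request, the same request replayed, a tampered body, a late arrival."""
    now = [1000.0]                               # constructed fake clock
    guard = ReplayGuard(window_seconds=2.0, clock=lambda: now[0])
    secret = "token-secret-demo"                 # constructed shared token secret
    results = {}

    nonce = guard.issue_nonce()
    ts = now[0]
    body = '{"item":1}'
    sig = sign_request(secret, "POST", "/v1/orders", body, nonce, ts)
    results["first"] = guard.verify(secret, "POST", "/v1/orders", body, nonce, ts, sig)
    results["replay"] = guard.verify(secret, "POST", "/v1/orders", body, nonce, ts, sig)

    nonce2 = guard.issue_nonce()
    sig2 = sign_request(secret, "POST", "/v1/orders", body, nonce2, ts)
    results["tampered"] = guard.verify(secret, "POST", "/v1/orders", '{"item":99}',
                                       nonce2, ts, sig2)

    nonce3 = guard.issue_nonce()
    sig3 = sign_request(secret, "GET", "/v1/me", "", nonce3, ts)
    now[0] += 5.0                                # arrives 5 s after it was stamped
    results["stale"] = guard.verify(secret, "GET", "/v1/me", "", nonce3, ts, sig3)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9s} -> {outcome}")
```

Two details worth keeping when adapting this: the timestamp is part of the signed bytes, so an attacker cannot refresh a captured request's timestamp without also re-signing it, and the nonce set needs a sweep for entries older than the window, otherwise issued-but-never-used nonces accumulate.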