2

I am working on an API for my web application that can provide raw JSON data for my users in to use as they wish. I am using Apigility which comes with an OAuth2 implementation.

I'd like my users to visit a screen in my app to get their assigned credentials, then use them to consume the API. Do I need to create a client_id for each user or can they all share the same client and use different usernames/passwords?

I'm also not sure which oauth grant-type would be the most applicable. Because no third-party is involved, it seems the 'password' grant-type might be sufficient; but I still have to provide the 'client_id' and 'client_secret' in the headers of the request?

What is the best way to provide credentials and to authenticate users on a RESTful API when they will only be consuming it themselves?

Thank you in advance.

Joel
  • 111
  • 8

1 Answers1

1

You can use the Resource Owner Password Credentials grant for the reasons you mention. Your app would only need a single client_id and client_secret to handle different users/passwords.

You would provide those values (client_id, client_secret, username, password) as part of the HTTP POST parameters of the request to the token endpoint and get back an access token that you would use in the headers against the API.

Hans Z.
  • 50,496
  • 12
  • 102
  • 115
  • Thank you! I read that if you leave the client_secret blank in the db, you do not need to provide it to get an access token. What are the benefits/drawbacks of this? – Joel Apr 13 '15 at 15:59
  • benefit is one secret less to maintain, drawback is that you don't control the client/app instances anymore that use your infrastructure to check username/passwords; anyone could cook up a client and start accessing your token server and API and you have no means to stop it (the client_id is not a real secret) – Hans Z. Apr 13 '15 at 17:08