
I'm implementing a REST layer for an existing application. I have my user IDs and passwords stored in a database and I would like to authenticate these credentials when calling my REST services. Note that this is a standalone application.

After investigation, I figured out 2 ways.

  • Basic implementation with HTTPS - this approach makes sure that the user ID and password passed are not tampered with by a man-in-the-middle attack.
  • Using an authentication token (JWT) - the user initially passes his user ID and password and the server gives back an authentication token. Once the user has an authentication token, it can be used for subsequent requests.
  • Using OAuth 2.0 - I'm very confused by this approach. After reading the docs and specification, I found that since my application is standalone, I need to implement an Authorization Server, Resource Server, etc.

I'm asked to implement OAuth here, but I'm not convinced that OAuth is required in this scenario. I'm more inclined towards just implementing JWT (tokens).

Is OAuth really mandated in this scenario? What I understand about OAuth is that it is used when you already have a service like Facebook/Google.

Could someone please confirm if my train of thought is correct and if OAuth 2.0 is required in this case?

neverendingqs
Vishal
  • OAuth 2.0 and JWTs can be used together (the access token can be a JWT). Not sure if that's where the confusion is, but if you only have one resource to worry about, it sounds like JWTs could work? – neverendingqs Aug 30 '16 at 19:27
  • Alternatively, any chance you are being asked to implement something like "Login with Google"? – neverendingqs Aug 30 '16 at 19:28
  • @neverendingqs The product is a standalone enterprise product doing some "xyz" task; I'm exposing REST APIs for those tasks. There is no way I can have something like "Login with Facebook or Google". I know that OAuth2 & JWT can be used together, but my main confusion is whether OAuth 2.0 is suitable for this scenario. Can I authenticate the user ID & password stored in the database using OAuth2? How will I implement the resource server and authorization server? – Vishal Aug 30 '16 at 20:42
  • Have you considered the Resource Owner Password Credentials Grant (https://tools.ietf.org/html/rfc6749#section-4.3)? That's another option. – neverendingqs Aug 30 '16 at 20:52
  • Probably "Resource Owner Password Credentials Grant" seems close to my spec. Do you know any Java OAuth library which implements this functionality? In my case I would need to implement my Authorization Server? – Vishal Aug 31 '16 at 00:21
  • If you were ready to do JWTs, OAuth 2.0 for the password credentials grant should be of similar difficulty. There's nothing in the spec that says your resource server and authorization server can't be the same server. As for whether OAuth 2.0 is suitable for this scenario, sure? It sounds like the person asking you to do this isn't leaving you with alternatives. – neverendingqs Aug 31 '16 at 01:24
  • There's a list of libraries at https://oauth.net/2/ you can take a look at. – neverendingqs Aug 31 '16 at 13:43

1 Answer


The primary goal of OAuth 2.0 is to allow users to authenticate to use a client application via a third-party authentication provider (e.g. Google, Facebook, etc.), without exposing their credentials (typically a username/password) to the client.

In your case, if users are only ever going to authenticate to your system using their credentials in your database, then implementing OAuth 2.0 doesn't add any substantial value for you.

The OAuth 2.0 specification does define a "Resource Owner Password Credentials grant", intended for legacy use cases, that would apply to your situation: a user sends credentials, and you return an access token (that could be a JWT, if you like). If it's desirable from a management or marketing perspective, you could implement the Resource Owner Password Credentials grant and legitimately state that your application "conforms to a subset of OAuth 2.0, as defined by RFC 6749".

bjmc
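The setup the comments and the answer converge on (the Resource Owner Password Credentials grant issued by a server that is both authorization and resource server, with a JWT as the access token), as an added example that is not code from the asker, the answerer or any library they mention. It is written in Python with only the standard library rather than the Java the asker mentions; the HS256 signing, the PBKDF2 user table and the function names are assumptions for the demo, and the user record is constructed.

```python
import base64, hashlib, hmac, json, os, time

SECRET = os.urandom(32)  # HS256 key; generated per process here, must be kept server-side only
TOKEN_TTL = 3600

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

# Constructed stand-in for the application's user table: salted PBKDF2 hashes, never plaintext.
_SALT = b"constructed-demo-salt"
USERS = {"alice": (_SALT, hash_password("correct horse", _SALT))}

def sign_jwt(claims: dict) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def token_endpoint(form: dict) -> tuple:
    """RFC 6749 section 4.3 token request (grant_type=password&username=..&password=..)."""
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    record = USERS.get(form.get("username", ""))
    # One error for unknown user and wrong password, so the endpoint does not reveal which failed
    if record is None or not hmac.compare_digest(
            record[1], hash_password(form.get("password", ""), record[0])):
        return 400, {"error": "invalid_grant"}
    now = int(time.time())
    token = sign_jwt({"sub": form["username"], "iat": now, "exp": now + TOKEN_TTL})
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": TOKEN_TTL}

def verify_bearer(authorization: str):
    """Resource-server side: return the claims of a valid, unexpired Bearer JWT, else None."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        return None
    header, body, sig = token.split(".")
    # Recompute the MAC with our own key; the token's alg header is never trusted
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    claims = json.loads(b64url_decode(body))
    return claims if claims.get("exp", 0) > time.time() else None
```

Like the Basic-over-HTTPS option in the question, the password grant still transmits the credentials once, so the token endpoint has to sit behind TLS; after that only the bearer token travels with each request.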