Unpossible

Reputation: 10697

OAuth for group-permissions based API

I am working on an API that our client companies will use to access company-specific data. We've got the API largely ready, and are now looking at how to secure communications. The obvious choice is OAuth(2?), but in our case, access to the API is not to be user-specific but rather company-specific.

For example, we will have a mobile app that will connect to the API, and everyone at a given company that chooses to install the app should have access to the APIs without needing any additional authentication/OAuth dance.

High-level, the thought is to hardcode the specific client apps with a shared key so that they can only access the right data - which wouldn't be OAuth, but some custom solution... but at some point, it may be possible that we will also be doing individual by individual permissions where OAuth would be more appropriate, so something standards based and future friendly is the desired solution.

Any pointers? Just trying to fill in the blanks on the best angle to move forward with. Reading around, it seems like this is similar to the server-to-server model, which Apigee recommends against using OAuth for.

Upvotes: 5

Views: 355

Answers (1)

Robert Levy

Reputation: 29073

Yeah, this is most definitely not what OAuth is designed to solve. Apigee's suggestion of two-way SSL is the right approach for server-to-server authentication/authorization. You issue each server an X.509 certificate and when they initiate an SSL connection to each other, they validate that each other's certificates came from a trusted source. This capability is built into most server development platforms and isn't all that hard to set up.

Upvotes: 3
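The two-way SSL (mutual TLS) setup the answer describes, as an added, self-contained example that is not part of the original post or answer. It builds a private CA in memory, issues a server certificate plus one client certificate per company (the company name "acme-corp" and the rogue "evil-corp" CA are made-up for the example), starts an HTTPS server that requires a client certificate chaining to that CA, and scopes the response to the company named in the verified certificate. It also shows the two failure modes a practitioner cares about: a client with no certificate and a client whose certificate was signed by a CA the server does not trust are both rejected at the handshake, before any handler code runs. Only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// newCert generates a P-256 key and a certificate for it. With parent == nil the
// certificate is self-signed (a root CA); otherwise it is signed by parent's key.
func newCert(cn string, isCA bool, usage x509.ExtKeyUsage, ips []net.IP,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
		IPAddresses: ips,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{usage} // ServerAuth or ClientAuth, checked by Go's verifier
	}
	signer, signerKey := tmpl, key // self-signed unless a parent CA is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// tlsCert packs a certificate and its key into the form tls.Config expects.
func tlsCert(c *x509.Certificate, k *ecdsa.PrivateKey) tls.Certificate {
	return tls.Certificate{Certificate: [][]byte{c.Raw}, PrivateKey: k, Leaf: c}
}

// pki holds a constructed test hierarchy: one trusted CA, a server cert, a client
// cert for the made-up company "acme-corp", and a client cert from an untrusted CA.
type pki struct {
	ca                  *x509.Certificate
	server, acme, rogue tls.Certificate
}

func setupPKI() (*pki, error) {
	ca, caKey, err := newCert("Example API Root CA", true, 0, nil, nil, nil)
	if err != nil {
		return nil, err
	}
	loopback := []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback} // httptest binds to loopback
	srvCert, srvKey, err := newCert("api.example", false, x509.ExtKeyUsageServerAuth, loopback, ca, caKey)
	if err != nil {
		return nil, err
	}
	acmeCert, acmeKey, err := newCert("acme-corp", false, x509.ExtKeyUsageClientAuth, nil, ca, caKey)
	if err != nil {
		return nil, err
	}
	rogueCA, rogueKey, err := newCert("evil-corp CA", true, 0, nil, nil, nil)
	if err != nil {
		return nil, err
	}
	rogueCert, rogueLeafKey, err := newCert("acme-corp", false, x509.ExtKeyUsageClientAuth, nil, rogueCA, rogueKey)
	if err != nil {
		return nil, err
	}
	return &pki{ca: ca, server: tlsCert(srvCert, srvKey), acme: tlsCert(acmeCert, acmeKey),
		rogue: tlsCert(rogueCert, rogueLeafKey)}, nil
}

// startServer serves HTTPS and rejects any handshake whose client certificate does
// not chain to ca; the handler then trusts the CN from the verified chain.
func startServer(ca *x509.Certificate, serverCert tls.Certificate) *httptest.Server {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil || len(r.TLS.VerifiedChains) == 0 { // cannot happen with RequireAndVerifyClientCert
			http.Error(w, "client certificate required", http.StatusUnauthorized)
			return
		}
		company := r.TLS.VerifiedChains[0][0].Subject.CommonName
		fmt.Fprintf(w, "data for %s", company)
	}))
	srv.TLS = &tls.Config{MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{serverCert},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	srv.StartTLS()
	return srv
}

// fetch GETs url, trusting ca for the server and presenting clientCert when non-nil.
func fetch(url string, ca *x509.Certificate, clientCert *tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url)
	if err != nil {
		return "", err // handshake rejected: no cert, or cert from an untrusted CA
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil || resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("status %d: %s (%v)", resp.StatusCode, body, err)
	}
	return string(body), nil
}

func main() {
	p, err := setupPKI()
	if err != nil {
		panic(err)
	}
	srv := startServer(p.ca, p.server)
	defer srv.Close()
	body, err := fetch(srv.URL, p.ca, &p.acme)
	fmt.Printf("trusted client cert: %q err=%v\n", body, err)
	_, err = fetch(srv.URL, p.ca, nil)
	fmt.Println("no client cert:", err)
	_, err = fetch(srv.URL, p.ca, &p.rogue)
	fmt.Println("client cert from untrusted CA:", err)
}
```

The point worth noting is the authorization decision: the handler never reads a company identifier from the request body or a header, it takes it from `VerifiedChains`, which the TLS layer only populates after checking the chain against `ClientCAs`. The rogue certificate carries the same CN "acme-corp" but is refused because its issuer is not in the pool, which is exactly the property a shared hardcoded key cannot give you. Per-user permissions can later be layered on top of this channel without changing it.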
