API Authentication & Authorisation OAuth 3-legged approach: Am I doing it right?

Question

I'm working on an API and considering using OAuth (3-legged approach) for authentication and authorisation.

This is the basic idea:

• In order for clients (mobile app or web app), to use this RESTful API the user will have to be logged in using identity providers/servers such as Google, Facebook e.t.c

Essentially 3 parties will be interacting here:

• The mobile / web app: The one trying to access my API
• The API: The site that contains data for the app to run
• The identity server: The site that will allow the user to login in order to access the API

Now, the way that I understand this process (assuming I do). This would be the flow (summarised):

• The user will try to access data from the API (consumer);
• The consumer finds that the user is not logged in;
• The user gets a page (with service provider buttons such as Login with Google);
• The user clicks the button, and the service provider returns a login form;
• The user logs in;
• The service provider returns a page asking for specific permissions;
• The user grants permission;
• The service provider returns an access token to the user;
• The user uses the access token to try the request again to the consumer (API);
• The consumer takes the token and verifies it against the service provider;
• The consumer grants access to the user.

First

Is this process correct (on a higher level), or have I completely misunderstood the whole thing. If it is not correct: Could you offer some tweaks?

Second

After this whole process. How does the consumer communicate with the user? Will I have to be passing around a token on every request made (between the mobile app and the API)? Or can I just use the user details from the service provider to identify the user?

Third

How exactly does the consumer (API) verifies the token provided by the user against the server? Is this already implemented in OAuth, or will I have to do it myself?

Forth and last

In terms of implementation, what would be the difference between the client (mobile app / web app) and the consumer (API)?

I'm new to this, and I am trying to implement it in PHP (the API). If you have any references to PHP code (sample implementations) or external resources, I'd really appreciate it :-)

Answer 1

I am also new for oauth but I'll try to help. First you could look here for appropriate libraries which could help.

As for me your oauth flow is correct. A good explanations you can also find here. Keep in mind that authorization server should return an authorization code which you use for obtaining access token.

So your questions:

1) Follow the second link and there - "Authorization Code".

2) With every request to you API you should send your access token. Something like

http://<your api>?access_token=7f813af1-381d-4dd7-b70b-b6a8399b2c00

3) Just use the libraries from the first link. I hope that they have already implemented this. :)

4)Can't exactly understand what you mean. Your client must be able to obtain access token, store it and send it with requests. Your API server must be able to receive access token from client, and give access to api if the access token is correct.