Reputation: 111
I am working on an API for my web application that can provide raw JSON data for my users to use as they wish. I am using Apigility, which comes with an OAuth2 implementation.
I'd like my users to visit a screen in my app to get their assigned credentials, then use them to consume the API. Do I need to create a client_id for each user or can they all share the same client and use different usernames/passwords?
I'm also not sure which oauth grant-type would be the most applicable. Because no third-party is involved, it seems the 'password' grant-type might be sufficient; but I still have to provide the 'client_id' and 'client_secret' in the headers of the request?
What is the best way to provide credentials and to authenticate users on a RESTful API when they will only be consuming it themselves?
Thank you in advance.
Upvotes: 2
Views: 889
Reputation: 53928
You can use the Resource Owner Password Credentials grant for the reasons you mention. Your app would only need a single client_id and client_secret to handle different users/passwords.
You would provide those values (client_id, client_secret, username, password) as part of the HTTP POST parameters of the request to the token endpoint and get back an access token that you would use in the headers against the API.
Upvotes: 1
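The exchange described in the answer above, as an added example that is not part of the original thread and not Apigility's own code: one shared client_id/client_secret, several users, a form-encoded POST to the token endpoint, then the issued access token sent as a Bearer header on the API call. The in-process token endpoint, its paths (/oauth, /api/data), and every credential are constructed for illustration; a real deployment would use Apigility's OAuth2 server and its own token store.

```python
"""Added example (not from the original thread): Resource Owner Password
Credentials exchange against a tiny in-process OAuth2 endpoint so it runs
offline. Server behaviour, paths and credentials are constructed."""
import json
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

# Constructed registrations: ONE shared client for the whole app, many users.
CLIENTS = {"webapp-api": "s3cret-client"}
USERS = {"alice": "alice-pw", "bob": "bob-pw"}
ISSUED = {}  # access_token -> username (stand-in for the server's token store)


def build_token_request(client_id, client_secret, username, password):
    """Form parameters of a password-grant request to the token endpoint."""
    return {"grant_type": "password", "client_id": client_id,
            "client_secret": client_secret, "username": username,
            "password": password}


def bearer_header(access_token):
    """Header carried on every subsequent API request."""
    return {"Authorization": "Bearer " + access_token}


def _matches(expected, given):
    # Constant-time compare; a missing registration never matches.
    return expected is not None and secrets.compare_digest(expected, given or "")


class FakeOAuthHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # silence per-request logging
        pass

    def _send(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):  # token endpoint
        if self.path != "/oauth":
            return self._send(404, {"error": "not_found"})
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0))).decode()
        form = {k: v[0] for k, v in parse_qs(raw).items()}
        if form.get("grant_type") != "password":
            return self._send(400, {"error": "unsupported_grant_type"})
        # The shared client is checked first, then the individual user.
        if not _matches(CLIENTS.get(form.get("client_id")), form.get("client_secret")):
            return self._send(401, {"error": "invalid_client"})
        if not _matches(USERS.get(form.get("username")), form.get("password")):
            return self._send(400, {"error": "invalid_grant"})
        token = secrets.token_urlsafe(32)
        ISSUED[token] = form["username"]
        self._send(200, {"access_token": token, "token_type": "Bearer", "expires_in": 3600})

    def do_GET(self):  # protected resource: only tokens this server issued
        auth = self.headers.get("Authorization", "")
        user = ISSUED.get(auth[7:]) if auth.startswith("Bearer ") else None
        if user is None:
            return self._send(401, {"error": "invalid_token"})
        self._send(200, {"data": "raw JSON for " + user})


def _call(url, data=None, headers=None):
    """Send one request; return (status, parsed JSON) even on HTTP errors."""
    req = Request(url, data=data, headers=headers or {})
    try:
        with urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except HTTPError as e:
        return e.code, json.loads(e.read())


def request_token(base_url, client_id, client_secret, username, password):
    body = urlencode(build_token_request(client_id, client_secret, username, password)).encode()
    return _call(base_url + "/oauth", body,
                 {"Content-Type": "application/x-www-form-urlencoded"})


def demo():
    server = HTTPServer(("127.0.0.1", 0), FakeOAuthHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_address[1]
    try:
        tok_status, tok = request_token(base, "webapp-api", "s3cret-client", "alice", "alice-pw")
        bad_status, bad = request_token(base, "webapp-api", "s3cret-client", "alice", "wrong")
        api_status, api = _call(base + "/api/data", headers=bearer_header(tok.get("access_token", "")))
        anon_status, _ = _call(base + "/api/data", headers=bearer_header("not-issued"))
        return {"token_status": tok_status, "token": tok, "bad_status": bad_status,
                "bad": bad, "api_status": api_status, "api": api, "anon_status": anon_status}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point the answer makes shows up in the server: client_id/client_secret identify the application as a whole and are the same for every user, while username/password select the individual resource owner; the returned access token, not the user's password, is what the API sees afterwards.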