john

Reputation: 3103

Two-Legged OAuth and Private API?

I recently read a question about a simple, secure API authentication system and see that 2-legged OAuth is a good solution to go with. But say I am just creating my own iPhone app, and would like it to interface with my own private API. Is 2-legged OAuth appropriate in this situation? Are there any disadvantages to taking this route?

Upvotes: 1

Views: 721

Answers (1)

imichaelmiers

Reputation: 3509

Is the user of the iPhone client logging in with someone, or are you just trying to authenticate the client?

If the former, then use OAuth and have the user log in to some OpenID provider. It's actually what that is meant for.

If the latter (and it sounds like this is what you are doing), just create some secret, append it to every request as a GET parameter, and operate over HTTPS. It sounds insecure, but anything else you do will be just as bad. Any crypto/whatever solution you make will involve baking a secret into your code. If someone grabs that secret (via, say, a decompiler), they can fake whatever system you use anyway.

Upvotes: 2
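As an added illustration (not part of the question or the answer above), the Python below implements both routes discussed: the answer's static secret appended to each request, and a 2-legged OAuth 1.0a HMAC-SHA1 signature built per RFC 5849. The secret, consumer key and URLs are constructed example values. Both routes hinge on the same APP_SECRET baked into the client, which is the answer's point; what the OAuth route adds is a per-request signature, timestamp and nonce, so a captured request cannot simply be replayed.

```python
"""Two ways for a first-party iPhone app to authenticate to its own private API.

Both rest on APP_SECRET being baked into the app binary: whoever extracts it
can produce valid requests either way. APP_SECRET, CONSUMER_KEY and the URLs
used here are constructed example values, not real credentials.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlencode, urlparse

APP_SECRET = "s3kr1t-baked-into-the-binary"   # constructed example value
CONSUMER_KEY = "my-iphone-app"                # constructed example value


# ---- Route 1: the answer's static secret on every request, over HTTPS ----------

def add_static_secret(url: str) -> str:
    """Client side: append the shared secret to the query string of a request."""
    parts = urlparse(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("api_key", APP_SECRET))
    return parts._replace(query=urlencode(query)).geturl()


def check_static_secret(url: str) -> bool:
    """Server side: accept only if api_key matches, compared in constant time."""
    params = dict(parse_qsl(urlparse(url).query, keep_blank_values=True))
    presented = params.get("api_key", "")
    return hmac.compare_digest(presented.encode(), APP_SECRET.encode())


# ---- Route 2: 2-legged OAuth 1.0a (RFC 5849) with HMAC-SHA1 ---------------------
# "2-legged" means there is no user token: the token secret is empty and the
# app's consumer secret alone keys the HMAC.

def _pct(value: str) -> str:
    # RFC 5849 section 3.6 percent-encoding: only unreserved characters are kept.
    return quote(str(value), safe="-._~")


def signature_base_string(method: str, url: str, oauth_params: dict) -> str:
    """Build the RFC 5849 section 3.4.1 signature base string."""
    parts = urlparse(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    pairs = list(parse_qsl(parts.query, keep_blank_values=True)) + list(oauth_params.items())
    # Encode every name and value, then sort by name and value (section 3.4.1.3.2).
    normalized = "&".join(f"{k}={v}" for k, v in sorted((_pct(k), _pct(v)) for k, v in pairs))
    return "&".join([method.upper(), _pct(base_url), _pct(normalized)])


def _hmac_sha1(consumer_secret: str, token_secret: str, base_string: str) -> str:
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def oauth_sign(method, url, consumer_key, consumer_secret, timestamp=None, nonce=None):
    """Client side: produce the oauth_* protocol parameters for a 2-legged request."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce if nonce is not None else secrets.token_hex(8),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = _hmac_sha1(consumer_secret, "", signature_base_string(method, url, params))
    return params


def oauth_verify(method, url, params, consumer_secrets, seen_nonces, max_skew=300, now=None):
    """Server side: recompute the signature, then reject stale or replayed requests.

    consumer_secrets maps consumer key -> secret; seen_nonces is a set of
    (consumer_key, timestamp, nonce) triples the server has already accepted.
    """
    secret = consumer_secrets.get(params.get("oauth_consumer_key", ""))
    if secret is None or params.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = _hmac_sha1(secret, "", signature_base_string(method, url, unsigned))
    if not hmac.compare_digest(expected.encode(), params.get("oauth_signature", "").encode()):
        return False
    try:
        ts = int(unsigned.get("oauth_timestamp", ""))
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > max_skew:          # stale request, outside the allowed clock skew
        return False
    replay_key = (unsigned["oauth_consumer_key"], ts, unsigned.get("oauth_nonce", ""))
    if replay_key in seen_nonces:         # same request presented twice
        return False
    seen_nonces.add(replay_key)
    return True


if __name__ == "__main__":
    url = "https://api.example.com/v1/items?page=2"   # constructed example URL
    print("static secret accepted:", check_static_secret(add_static_secret(url)))
    signed = oauth_sign("GET", url, CONSUMER_KEY, APP_SECRET)
    print("oauth signature accepted:", oauth_verify("GET", url, signed, {CONSUMER_KEY: APP_SECRET}, set()))
```

Either server check only tells you the request was made by something that holds APP_SECRET; neither tells you it was made by your app rather than by someone who pulled the secret out of it, which is exactly the limitation the answer describes.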
