Authenticating Web and Mobile to Rails API

Question

I am reading the Service Oriented Design with Ruby book by Paul Dix and many posts here but am left with many questions surrounding authenticating users and the application.

I want to have api.site.com as a RESTful Rails app serving up JSON. Secure.site.com will be a web app (maybe Rails or maybe PHP) that will consume the service. Also a mobile app such as iPad will also consume it.

So is the first step to build in a level of auth so that only my web app and mobile app can consume the service? Then once the calling app has been authenticated, both these apps will have users who want to CRUD their data so then authenticate them as well?

I've read about Http basic, digest, tokens, oauth and many plugins but am having a difficult time narrowing down the most flexible and reusable way. For now this is simply learning so I would like to stay away from plugins so I can learn the code better.

Can my web app use normal sessions like I'm familiar with and then the mobile use their equivalent to sessions. At that point I still have no authenticated the calling app though. Http basic seemed like I could use it from both, but I didn't see a way for my web app to use a normal login form and logging out seemed like an issue.

Answer 1

I would suggest two solutions for you.

1. Use a Gem like devise for login system and inherit the devise registration and sessions controller to make it respond to JSON requests.

2. Create your own simple authentication and use respond to HTML and respond to JSON for separating web and mobile login

Iam not totally sure whether a mobile device maintains a session (please look around) but u can always use a token authentication system if it doesnt.