Reputation: 3301
There are lots of resources describing OAuth usage in terms of clients and Facebook/LinkedIn/Twitter API usage. This is OK. But I am interested in OAuth server implementation. The aim is to have a web application which can also be accessed by mobile devices (native applications), so I need to set up OAuth on my back-end Java server. So I would like to know how LinkedIn/Facebook/Twitter implemented OAuth on their server side, and how they distinguish users by their auth_tokens and grant the corresponding access (some kind of database mapping: auth_token = user identity?).
Or maybe there is a better way to authenticate a mobile user (I'm going to use REST-style services for the back end)?
Upvotes: 4
Views: 2780
Reputation: 8963
Facebook, LinkedIn and Twitter have implemented OAuth following the specifications for OAuth 1 (Twitter, LinkedIn) and the draft for OAuth 2 (Facebook, LinkedIn).
I would suggest going for OAuth 1, or the OAuth 2 User Agent Flow. If your mind is set on OAuth, that is. You could always go for simple basic authentication to begin with and focus on the really hard parts, namely the design of your API itself.
If your mind is set on OAuth, check out this list of code libraries: http://oauth.net/code/. Also read up on the specifications; if you want to implement an OAuth provider, you have to know and understand the specs. Otherwise you are in for a world of pain looking for out-of-the-box libraries that will solve everything "OAuthy" for you.
Upvotes: 5
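The "auth_token = user identity" mapping the question asks about, sketched as an added example that is not part of the original posts and is not how any of the named sites is known to implement it. It assumes opaque bearer tokens in the OAuth 2 style (no OAuth 1 request signing) and Java 16 or later; `TokenStore`, `Grant`, the user id and the scope strings are hypothetical names.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical names; an in-memory map stands in for the database table.
public class TokenStore {
    record Grant(String userId, Set<String> scopes, Instant expiresAt) {}

    private final Map<String, Grant> grantsByTokenHash = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();

    // Authorization step: called once the user has approved the client.
    public String issue(String userId, Set<String> scopes, Duration ttl) {
        byte[] raw = new byte[32]; // 256 random bits, so the token cannot be guessed
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        grantsByTokenHash.put(hash(token), new Grant(userId, Set.copyOf(scopes), Instant.now().plus(ttl)));
        return token; // the raw token goes to the client and is never stored
    }

    // Every REST call: token -> user identity, empty if unknown, expired or out of scope.
    public Optional<String> resolve(String token, String requiredScope) {
        if (token == null || requiredScope == null) return Optional.empty();
        Grant g = grantsByTokenHash.get(hash(token));
        boolean ok = g != null && Instant.now().isBefore(g.expiresAt()) && g.scopes().contains(requiredScope);
        return ok ? Optional.of(g.userId()) : Optional.empty();
    }

    public void revoke(String token) { grantsByTokenHash.remove(hash(token)); }

    // Only the SHA-256 of a token is kept, so a leaked table does not yield usable tokens.
    private static String hash(String token) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is mandatory on every Java platform
        }
    }

    public static void main(String[] args) {
        TokenStore store = new TokenStore();
        String token = store.issue("user-42", Set.of("profile:read"), Duration.ofHours(1)); // constructed sample
        System.out.println(store.resolve(token, "profile:read") + " " + store.resolve(token, "profile:write"));
        store.revoke(token);
        System.out.println(store.resolve(token, "profile:read"));
    }
}
```

In a REST back end, `resolve` would sit in a request filter that reads the token from the `Authorization` header over TLS and rejects the request when the result is empty.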