Accessing my own REST API with OAuth authorization


I'm pretty new to OAuth and API security.

I'm building a REST API that will be accessed by my own mobile application.

I want to expose the API to other developers via OAuth authorization and authentication, and I'll be using my own OAuth provider.

What is the authentication strategy for my own mobile app? After all, I don't need the user to authorize my app. Can I use OAuth for authentication while having my own mobile application pre-authorized by default?

Can I authenticate users of my mobile app with OAuth or do I need something like OpenID?


There are 2 best solutions below

5
On

"Accessing my own OAuth REST API": OAuth has NOTHING to do with REST a priori. OAuth is an authorization protocol, REST is an architectural style.

For OAuth, use version 2.0; it's 2012 already.

"What is the authentication strategy for my own mobile app?": for a mobile app on Android, for example, you could get the user's account with which one registered his phone within the Google Play store/Gmail (and then generate a one-time password on your server side). If one wouldn't provide them to your app, make an explicit authentication.

Nowadays probably only a calculator doesn't use explicit authentication, so why should you differ? You can link your authentication to FB or Google or any other OAuth provider. What makes you create your own OAuth provider?

You can authenticate users with both OAuth and OpenID.

1
On

I don't think you want oauth if you are looking to step over the user authorization step. If you are determined to use oauth, however, you could mask the authorization step as a login dialog or give your application an access token. User authorization is a rather big part of oauth's functionality, so ignoring it probably means you should use some other interface to access your users' information.
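One way an OAuth provider could treat its own mobile app as pre-authorized, as discussed in the answers above: the user still logs in, but the consent prompt is skipped only for clients the provider itself marks as first-party. This is an added example, not code from the question or either answer; the client registry, the `first_party` flag, the sample clients and the `next_step` function are all hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Client:
    client_id: str
    redirect_uris: frozenset
    # Assumption: set only by the provider's operators, never through
    # self-service registration, so a third party cannot claim it.
    first_party: bool = False


# Constructed sample registry (hypothetical clients).
CLIENTS = {
    "my-mobile-app": Client(
        "my-mobile-app",
        frozenset({"com.example.app:/oauth/callback"}),
        first_party=True,
    ),
    "partner-app": Client("partner-app", frozenset({"https://partner.example/cb"})),
}

# Constructed sample: (user_id, client_id) -> scopes the user already approved.
STORED_CONSENT = {("alice", "partner-app"): {"profile"}}


def next_step(client_id, redirect_uri, user_id, scopes):
    """Decide what the authorization endpoint does with a request.

    Returns 'reject', 'login', 'consent' or 'issue_code'.
    """
    client = CLIENTS.get(client_id)
    # Unknown client or a redirect URI that is not an exact registered match:
    # refuse before showing any login or consent screen.
    if client is None or redirect_uri not in client.redirect_uris:
        return "reject"
    # Pre-authorization never replaces authentication of the user.
    if user_id is None:
        return "login"
    # First-party client: the consent prompt is skipped, the login is not.
    if client.first_party:
        return "issue_code"
    # Third-party client: every requested scope needs recorded user consent.
    granted = STORED_CONSENT.get((user_id, client_id), set())
    return "issue_code" if set(scopes) <= granted else "consent"
```
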