Authenticating mobile app login using webservice using oauth connection


I have developed a website in PHP (Zend Framework 2). It has user authentication to access user-specific content and views which are only accessed by that user. Now I want to create a mobile app which has the same functionality as this. So I created a web service to expose all the required methods to access data. Now I have to authenticate the user from the mobile app. So the user should be able to log in once using his credentials in the mobile app, and he should then be able to access his content.

My idea is, after the user is authenticated, subsequent API calls should communicate with the web service using a token provided by the web service. I have a basic understanding of OAuth. So my plan is to create an OAuth server in my application which provides a secret key for my app. The app connects using the secret and gets a token when authenticated. The app uses this token for further API calls.

Now my questions are

  1. Am I using OAuth correctly, or isn't this what OAuth is for?
  2. Is there any better implementation than this?
  3. I have searched to see similar implementations, but all I found when I tried the OAuth keyword is Google OAuth authentication.
  4. What are the alternatives to authenticate a user from a mobile app with the login credentials we have in the database?

There are 3 answers below

Best answer (1 vote)

Yes, you are on the right track to some extent, but let me suggest a way which has been used in the industry for a while now.

First, read this question and answer to get the basic idea of how it should be done.

How to implement 'Token Based Authentication' securely for accessing the website's resources(i.e. functions and data) that is developed in PHPFox?

Then read this post to grasp the idea of JWT.

Okay, now let's see how you can implement JWT in your application. For that, read this post. Ignore the NodeJS/Angular stuff. Think of them as your application server instead. Try to understand the rationale behind it.

I have provided you URLs since I don't want to repeat here what's already out there on the internet, but I have given you the path to solve your problem in a better way. Please let me know if you need further clarification on this.
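The flow the asker sketches in the question (log in once, receive a token, present it on every later API call) and the "token based authentication" the best answer points to first are the same design. Here is that design as an added example, not code from the question, the answer, or either linked post, written in Python rather than the asker's PHP so the logic stays short. It assumes an in-memory user table and token store (a real deployment would back both with the application's database), PBKDF2 password hashing, and a one-hour token lifetime; all of those are choices made for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory "database": username -> (salt, PBKDF2 hash).
# Passwords are never stored in clear text.
USERS = {}
# Server-side token store: token -> (username, expiry). Keeping tokens here is
# what makes them revocable: deleting the entry logs that device out.
TOKENS = {}
TOKEN_TTL = 3600  # seconds (assumed lifetime for the example)
PBKDF2_ROUNDS = 100_000


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def register(username, password):
    """Create a user with a fresh random salt."""
    salt = os.urandom(16)
    USERS[username] = (salt, _hash_password(password, salt))


def login(username, password, now=None):
    """Check credentials; on success return a fresh opaque bearer token."""
    now = time.time() if now is None else now
    record = USERS.get(username)
    if record is None:
        # Hash anyway so an unknown user costs the same time as a wrong password.
        _hash_password(password, os.urandom(16))
        return None
    salt, stored = record
    if not hmac.compare_digest(stored, _hash_password(password, salt)):
        return None
    token = secrets.token_urlsafe(32)  # 256 bits of randomness: unguessable
    TOKENS[token] = (username, now + TOKEN_TTL)
    return token


def authenticate(token, now=None):
    """Resolve a bearer token to a username, or None if unknown or expired."""
    now = time.time() if now is None else now
    entry = TOKENS.get(token)
    if entry is None:
        return None
    username, expiry = entry
    if now >= expiry:
        del TOKENS[token]  # expired tokens are purged on first use
        return None
    return username


def logout(token):
    """Revoke a token; the app must log in again to get a new one."""
    TOKENS.pop(token, None)


def get_profile(authorization_header, now=None):
    """Simulated API endpoint. Expects 'Authorization: Bearer <token>' and
    returns (http_status, body) so the behaviour can be checked directly."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token:
        return 401, {"error": "missing bearer token"}
    user = authenticate(token, now)
    if user is None:
        return 401, {"error": "invalid or expired token"}
    return 200, {"user": user, "content": f"private data for {user}"}


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    tok = login("alice", "correct horse battery staple")
    print(get_profile("Bearer " + tok))
    logout(tok)
    print(get_profile("Bearer " + tok))
```

The token carries no information itself; every request costs one lookup in `TOKENS`, which is the trade-off the JWT approach in the other answers removes. Send the token only over TLS and never put it in a query string, where it ends up in server logs.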

Answer (0 votes)

Using PHP is fine; however, I would use SharedPreferences if you want the user to log in once and then keep his session open for future access to the app. You can give each user access to different fragments based on the credentials he/she has, and each user would get customised data in their app.

To help you with the authentication of the app, this tutorial is very helpful. Let me know if you need any further help :)

Answer (1 vote)

Yes, this is a good case for OAuth access tokens.
However, I'd take it a step further and suggest using JWT (JSON Web Tokens) as API keys. JSON Web Tokens are self-validating, digitally signed and contain properties about the logged-in user. This means you don't have to look up the user's data in central storage on every API request.
There are plenty of libraries for token signing/verification: http://jwt.io/#libraries
In your case you will need just two of them: for PHP and Java.
Here is some further reading if you're interested in JWT:
https://auth0.com/blog/2014/12/02/using-json-web-tokens-as-api-keys/
http://www.toptal.com/web/cookie-free-authentication-with-json-web-tokens-an-example-in-laravel-and-angularjs
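The "self-validating" property this answer and the best answer rely on is easier to see with the token built by hand than through a library. The following is an added example, not code from either answer or from the libraries linked above, in Python rather than the PHP/Java pair the answer recommends. It issues and verifies an HS256 JWT using only the standard library, and includes a `forge` helper that plays the attacker to show why the verifier must check the signature and pin the algorithm. The secret, claim names beyond the standard `sub`/`iat`/`exp`, and the one-hour lifetime are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed server-side signing key. In a deployment it lives only on the PHP
# backend, comes from os.urandom, and is never shipped inside the mobile app.
SECRET = b"example-only-replace-with-32-random-bytes"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode(obj):
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(user_id, roles, now=None, ttl=3600):
    """Build header.payload.signature; the signature covers the first two parts."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "roles": roles, "iat": now, "exp": now + ttl}
    signing_input = _encode(header) + "." + _encode(payload)
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token, now=None):
    """Return the claims if the token is genuine and unexpired, else None.
    No database lookup is needed: a valid signature proves this server issued
    the claims and that they have not been altered since."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad base64, bad JSON, bad UTF-8
        return None
    # Pin the algorithm: the header is attacker-controlled until the signature
    # is checked, so it must never be allowed to pick "none" or another scheme.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None
    return payload


def forge(token, claims, alg="HS256"):
    """Attacker's view: swap the payload (and optionally the alg) while reusing
    the original signature. verify_token must reject everything this returns."""
    header_b64, _, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    header["alg"] = alg
    signature = "" if alg == "none" else sig_b64
    return f"{_encode(header)}.{_encode(claims)}.{signature}"


if __name__ == "__main__":
    tok = issue_token("alice", ["user"])
    print(tok)
    print(verify_token(tok))
    print(verify_token(forge(tok, {"sub": "admin", "roles": ["admin"], "exp": 2**31})))
```

Because the claims travel with the token, anything the server needs on every request (user id, roles) goes in the payload and nothing else: the payload is only encoded, not encrypted, so the app and anyone on the path can read it. The price of skipping the central lookup is that a token cannot be revoked before `exp`, so keep lifetimes short.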