My question is pretty straightforward but I am pretty sure it's just a lack of understanding on my part.
Background: I have a prototype native Android app as well as an ASP.NET Web API and I want to implement OAuthorization so that users can login through Google+, Facebook, or Twitter.
Question: What is the design pattern for this feature? I'm confused as to whether I implement OAuthorization through the mobile app or through the web API. It's probably a combination of both. I've read many blogs and tutorials but they fall short in helping me understand how these two aspects (app and web API) of my project would work together.
Thanks
In OAuth there are these players:
Note that, in most occasions, the resource server and the authorization server are the same server.
OAuth allows you (the Owner of the resources: your gmail contacts) to authorize a client (a third party app) to access the Resources (your gmail contacts) from the Resource server (gmail itself) on your behalf.
To do so, the typical flow is: you open the third party app (the client), and, when it needs to access your resource (the gmail contacts), it redirects you to the authorization server (gmail) and, apart from logging in, if you weren't logged in, the authorization server (gmail) informs you that your app (the client) is trying to access a resource (the contacts), so that you can approve or deny it.
If you approve it, gmail sends your application (through a URL) a token which can be exchanged for a "bearer token". So, your app exchanges it, and receives the bearer token, which can be presented to the resource server (gmail) to access the resource (contacts). From that moment on, the client (the third party application) will present the bearer token to the resource server and it will give it access to the resource (the contacts).
So, OAuth itself is not the best option for authentication. You can use it to authenticate by asking permission to get the basic profile info (name, perhaps email), and once you have access to that info you know who the user is. However, this simplistic implementation of OAuth as authentication server is not safe, so what you'll really use is OpenID, which is much safer. The flow is similar to the one explained above, but it's standardized for different providers and safer.
The question is that you should use OpenID providers to delegate the authentication.
To see how to work with OAuth authentication, read this: Logging In Using External Sites in an ASP.NET Web Pages (Razor) Site and this: Code! MVC 5 App with Facebook, Twitter, LinkedIn and Google OAuth2 Sign-on
One option to use OpenID is dotnetopenauth.
NOTE: if you use OAuth, you need to register your application on the provider (Google, Facebook...) so that you can use it. The OAuth authorization server must have a pre-configured list of clients (applications) with some configuration (for example the callback URL, and client id and password) which will allow these clients (applications) to ask for permission to use them on behalf of the user (resource owner).
NOTE: your application can use OAuth to authorize itself, i.e. generate and check tokens, using OWIN middleware.
Once you understand the inner workings of OAuth and OpenID, you can use any of the available libraries for different languages: from the openid.net libraries list.
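To make the flow in this answer concrete (the redirect to the authorization server, the code sent back through the callback URL, the exchange for a bearer token, and the pre-registered client list with its callback URL and client id/secret), here is an added, self-contained simulation of the three parties. It is example code written for this page, not code from the asker's project or from any library; every client id, secret, URL and contact is a constructed placeholder, and the checks it performs (exact callback URL match, single-use short-lived code, state bound to the session, scope check on the bearer token) are the ones a provider is expected to do.

```python
"""Simulation of the OAuth 2.0 authorization-code flow from the answer:
a third-party client, an authorization server holding a pre-registered
client list, and a resource server that accepts bearer tokens.
All identifiers and data are constructed for this example."""
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed client registration: the "pre-configured list of clients"
# with the client id, its secret and the exact callback URL it may use.
REGISTERED_CLIENTS = {
    "contacts-app": {
        "secret": "s3cr3t-constructed",
        "redirect_uris": {"https://app.example/callback"},
    }
}
CODE_TTL_SECONDS = 60   # authorization codes are short-lived


def code_from_callback(callback_url):
    """Pull the authorization code out of the callback URL (None if absent)."""
    return parse_qs(urlparse(callback_url).query).get("code", [None])[0]


class AuthorizationServer:
    """Also keeps the token store the resource server consults (same
    server in most occasions, as the answer notes)."""

    def __init__(self, clients):
        self.clients = clients
        self.codes = {}    # code -> grant details
        self.tokens = {}   # bearer token -> {client_id, scope}

    def authorize(self, client_id, redirect_uri, scope, state, approved):
        """Step 1: user is redirected here; after approval the server sends
        a single-use code back to the client's registered callback URL."""
        client = self.clients.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise ValueError("unknown client or unregistered redirect_uri")
        if not approved:
            return redirect_uri + "?" + urlencode({"error": "access_denied", "state": state})
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "issued": time.time()}
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Step 2: client exchanges the code plus its secret for a bearer
        token. The code is consumed whether or not the checks pass."""
        grant = self.codes.pop(code, None)
        client = self.clients.get(client_id)
        if (grant is None or client is None
                or not secrets.compare_digest(client_secret, client["secret"])
                or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri
                or time.time() - grant["issued"] > CODE_TTL_SECONDS):
            raise PermissionError("invalid_grant")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"client_id": client_id, "scope": grant["scope"]}
        return {"access_token": token, "token_type": "bearer", "scope": grant["scope"]}


class ResourceServer:
    def __init__(self, auth_server, contacts):
        self.auth_server, self.contacts = auth_server, contacts

    def get_contacts(self, authorization_header):
        """Step 3: validate the presented bearer token and its scope."""
        scheme, _, token = authorization_header.partition(" ")
        info = self.auth_server.tokens.get(token)
        if scheme.lower() != "bearer" or info is None or "contacts" not in info["scope"].split():
            raise PermissionError("invalid_token")
        return self.contacts


class Client:
    """The third-party app; it never handles the user's provider password."""

    def __init__(self, client_id, client_secret, redirect_uri, auth_server):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.auth_server = redirect_uri, auth_server
        self.pending_state = None

    def start_login(self, scope):
        # state ties the callback to this session so a foreign code is rejected.
        self.pending_state = secrets.token_urlsafe(16)
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "scope": scope, "state": self.pending_state}

    def handle_callback(self, callback_url):
        params = parse_qs(urlparse(callback_url).query)
        if params.get("state", [None])[0] != self.pending_state:
            raise PermissionError("state mismatch")
        if "error" in params:
            raise PermissionError(params["error"][0])
        return self.auth_server.token(self.client_id, self.client_secret,
                                      code_from_callback(callback_url), self.redirect_uri)


def run_flow(approved=True):
    """Drive one complete login and return the contacts the client obtained."""
    auth = AuthorizationServer(REGISTERED_CLIENTS)
    resources = ResourceServer(auth, ["alice@example", "bob@example"])  # constructed
    client = Client("contacts-app", "s3cr3t-constructed", "https://app.example/callback", auth)
    callback = auth.authorize(approved=approved, **client.start_login("contacts"))
    token = client.handle_callback(callback)
    return resources.get_contacts("Bearer " + token["access_token"])
```

In the asker's setup the Web API plays the Client role (it holds the client secret and does the code exchange), the Android app only opens the provider's login page and hands the callback to the API, and the provider is the authorization and resource server; the same registration step (client id, secret, callback URL) is what the providers' developer consoles ask for.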