I am building an application that consists of two main parts:
- Web application with a REST API.
- Mobile application (Android, iPhone).
The Web application has a database that stores data about users (like posts, events and similar).
The mobile application uses the web application's REST API to access that data, but to do that I need some kind of authentication (the user must authenticate in order to access/modify his data).
I know that this could easily be done in such a way that the mobile application provides a username and password in each request to the web API, and the web application authenticates that username and password against the database before serving the request.
However, I would like to use OAuth (so the user can log in using Google, Facebook, ...) and this is where things get complicated, and I am not sure what the best way to do this is.
My first idea: the mobile app sends the OAuth provider's (for example Facebook's) credentials (username and password) to the web app, which then authenticates them against the OAuth provider. I soon realized that this is not OK, because it means the user has to trust your site not to abuse the given credentials, so this is not the way it is done. Not good.
My second idea: the mobile app uses the web application's API to tell the web app that it wants to authenticate against OAuth provider P. The web application redirects to provider P, where the user inputs his credentials. Then provider P redirects back to the web application, where the user is logged in and JSON about the successful login is sent to the mobile app. This would be great if not for the part where the user has to input his credentials manually. I implemented this solution, and the problem is that after the mobile app accesses the web app API, JSON is not returned immediately; redirects are done first, and that messes everything up. I was thinking about using a WebView inside the mobile app, but I don't know how to return from the WebView when the JSON is to be sent. I am not sure if I should pursue this idea further or if this is the wrong way of doing it. Maybe good if some problems were solved.
My third idea: the mobile app authenticates directly against OAuth provider P. If that was successful, the mobile app sends requests to the web app containing user information (for example a userId or user password) so the web app knows which user it is. However, this means the web app has to trust the mobile app that the given user is really authenticated. That means the web app needs to be sure that the API is accessed from the mobile app. I could do that by hardcoding a special password (secret) in the mobile app which is sent with each request to prove that the request was sent by the mobile app.
The bad side of this approach is that I have to implement mobile app authentication against the OAuth provider for each combination of (mobile OS, OAuth provider). Also, I am not sure how secure it is. Do you think this is a good way to go? What could I improve/change? I have a feeling I am missing something. This may be good, but it requires a lot of work to be done.
Please tell me which idea is best and if there is any way to improve them. Thanks.
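The part the third idea is missing is that the web app does not have to trust the mobile app at all: the mobile app can forward the signed ID token it received from the provider, and the web app verifies that token itself (signature, issuer, audience, expiry) before mapping the token's subject to a local user and issuing its own session token. A secret hardcoded in the mobile app proves nothing, because anyone who installs the app can extract it. The following is an added example, not code from the original question. It assumes a toy provider that signs JWTs with HMAC-SHA256 so it runs offline; real providers such as Google sign with RS256 and publish their public keys, so a backend would verify against the provider's JWKS instead of a shared key. All names (`PROVIDER_ISSUER`, `CLIENT_ID`, `api_login`) are hypothetical.

```python
"""Backend-side verification of a provider-issued ID token (added example).

Flow: mobile app logs the user in at the provider -> receives an ID token ->
sends it to POST /api/login as a Bearer token -> the web app verifies it and
hands back its own opaque session token for all further API calls.
"""
import base64
import hashlib
import hmac
import json
import secrets


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# --- Toy identity provider (stands in for Google/Facebook; constructed) -----
PROVIDER_KEY = b"provider-signing-key-constructed-for-this-example"
PROVIDER_ISSUER = "https://provider.example"
CLIENT_ID = "mobile-app-client-id"  # the audience the provider issues tokens for


def provider_issue_id_token(subject: str, audience: str, now: int, ttl: int = 3600) -> str:
    """What the mobile app receives after the user logs in at the provider."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": PROVIDER_ISSUER, "sub": subject, "aud": audience,
              "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(PROVIDER_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


# --- Web application (the REST API backend) ---------------------------------
USERS = {}     # (issuer|subject) -> local user record; stands in for the database
SESSIONS = {}  # opaque session token -> local user id


def verify_id_token(token: str, now: int) -> dict:
    """Validate the provider's token; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, c, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # the verifier fixes the algorithm, never the token
        raise ValueError("unexpected alg")
    expected = hmac.new(PROVIDER_KEY, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c))
    if claims.get("iss") != PROVIDER_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:  # a valid token for some other app is still rejected
        raise ValueError("token was not issued for this app")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def api_login(authorization_header: str, now: int) -> str:
    """POST /api/login: exchange a verified provider token for our own session."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("missing bearer token")
    claims = verify_id_token(token, now)
    # Identity is (issuer, subject); names and e-mails can change or collide.
    key = f"{claims['iss']}|{claims['sub']}"
    user = USERS.setdefault(key, {"id": len(USERS) + 1})
    session = secrets.token_urlsafe(32)
    SESSIONS[session] = user["id"]
    return session


def api_current_user(session_token: str) -> int:
    """Later requests carry only our session token, never provider credentials."""
    return SESSIONS[session_token]
```

Note that the mobile app never sees the user's provider password and the web app never sees a shared app secret; the only thing crossing the API is a short-lived token the web app can check on its own. The per-platform work the question worries about is limited to obtaining that token, which is what the providers' standard mobile login flows (system browser plus redirect back into the app) already do.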