by fauigerzigerk
4478 days ago
First of all you need to make a decision. Do you require your users to entrust the client software with their passwords or not? If you can do that, the solution is pretty simple. Do it as you would do it with any website. Simply use https (TLS) to transmit username and password and return a session cookie to use in subsequent requests. Run your API over https only. If you don't want your users to entrust client software (i.e. apps) with their passwords then use https with OAuth. The reason why using https alone works well for web apps is that users can trust their browsers. Browsers can know the password and they probably won't steal it. However, if you provide an API and you expect many different client apps, including some dubious ones, to use that API on behalf of your users then users cannot trust the client software and hence you should use OAuth. The decision doesn't depend on whether or not your application stores sensitive data, because users often use the same password for different sites. So if you like your users and you provide an API for mobile apps to use, you should use OAuth.
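As an added illustration of the delegation model the comment recommends (example code written for this page, not from the commenter or any OAuth library; the signing key, user store and client registry are constructed), the user authenticates to the API owner directly over TLS, and the third-party app receives only a scoped, expiring token that the resource server can verify, so the app never holds the password.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed secrets and stores for the example; a real deployment keeps these
# server-side and never ships them to client apps.
SERVER_KEY = secrets.token_bytes(32)  # hypothetical token-signing key held by the API owner
_SALT = b"constructed-salt"
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}
REGISTERED_CLIENTS = {"weather-app": {"scopes": {"read:location"}}}  # constructed client registry

def _sign(payload: bytes) -> str:
    return base64.urlsafe_b64encode(hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()).decode()

def issue_token(username, password, client_id, scope, ttl=3600, now=None):
    """Authorization step: the user types the password into the API owner's own
    (TLS) endpoint, not into the app.  The app gets back a token limited to one
    client_id, one scope and a short lifetime, or None if anything is off."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None or scope not in client["scopes"]:
        return None
    stored = USERS.get(username)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    if stored is None or not hmac.compare_digest(stored, candidate):
        return None
    now = time.time() if now is None else now
    body = json.dumps({"sub": username, "client": client_id, "scope": scope, "exp": now + ttl},
                      sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body)

def verify_token(token, required_scope, now=None):
    """Resource-server check on each API call: signature, expiry and scope.
    Returns the user the token was issued for, or None.  No password involved."""
    try:
        body_b64, sig = token.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64.encode())
    except (ValueError, TypeError):
        return None
    if not hmac.compare_digest(sig, _sign(body)):  # tampered or forged token
        return None
    claims = json.loads(body)
    now = time.time() if now is None else now
    if claims["exp"] <= now or claims["scope"] != required_scope:
        return None
    return claims["sub"]

if __name__ == "__main__":
    tok = issue_token("alice", "correct horse", "weather-app", "read:location")
    print("app holds only:", tok[:24] + "...")
    print("API sees user:", verify_token(tok, "read:location"))
```

A lost or leaked token exposes one scope on one API until it expires; a leaked password exposes every site where the user reused it, which is the asymmetry the comment is pointing at.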