不涉及第 3 方应用程序时需要 OAUTH2？

Question

Currently I'm trying to make a server in node.js with a REST api to do CRUD calls from apps made in android & iOS.

And of course I would like this REST api be as secure as possible. Spending the last few days trying to find the best way to do this seems to be a Oauth2 server over HTTPS.

I know there is a lot of this out there but I'm not able to find any simple explanation of how this should work. So please don't mark this as a duplicate question as I am actually confused about this.

Reading about Oauth2 the app in android/ios would need to be registered with the server. Everywhere I've looked this is considered a 3rd party app, which isn't the case for me.

Oauth2 seems to be more of a secure flow to let third party apps to my REST api if the user decides to allow it. Like any app that supports login with facebook or G+.

But how does the original apps do it? Like the official apps of Facebook, Twitter and Google+?

Is it possible that they use the Oauth2 basics with access/request tookens etc but skips the whole user approval part since its not a 3rd party app. Or might they be using simpler username and password in headers or by post over https?

I'm really not sure what way to take here if I'm currently not planning to add 3rd party access to my api. What would be a good way to proceed?

Answer 1

Absolutly yes ! it's called the two legged authentification ( it works with the users credentials stored in the database of your authorization server). It implies just your client app and your ressources server ) You can check some documentation here :

http://blog.nerdbank.net/2011/06/what-is-2-legged-oauth.html

http://oauthbible.com/

and the official spec ( on page 10 you can see the workflow I use for my app ) : https://tools.ietf.org/html/rfc6749#section-1.3