Securing spring restfull web service with oauth is a good approch?

Question

I am not a security expert. We have prepared spring restfull web service with spring security.

Now I really have confusion about what is the best approach to secure our web service.

We are going to have SSL connection as well. Our web service will be use by our mobile application and web application.

I read about Oauth 1.0 and 2.0 protocol is very popular nowadays to authorize web services.

So can anyone guide me should I use Oauth mechanism because it is mostly use for accessing third party data, In our case it is not require but our client approaches to use OAuth2.0 or SSL with SHA hashing algorithm is just fine to secure web service?

Answer 1

If there are no third-party client applications which access your web service, OAuth 2.0 is not needed. Probably, HTTPS + Basic Authentication is enough.

If there is a possibility that you may feel like allowing third-party client applications to access your web service in the future, it is worth designing your Web APIs based on the OAuth 2.0 architecture from the beginning. In such a case, it is " Client Credentials Flow " that you will want to implement first among the four flows defined in RFC 6749 (OAuth 2.0). "Client Credentials Flow" does not require authorization by an end-user. That is, the flow cares about only client credentials (client ID and client secret). The initial implementation of your Client Credentials Flow would issue an access token only to your client application.

My one-sentence definition of OAuth 2.0 is as follows.

OAuth 2.0 is a framework where a user of a service can allow a third-party application to access his/her data hosted in the service without revealing his/her credentials (ID & password) to the application.

Whether you should adopt OAuth 2.0 or not depends on whether third-party client applications access your web service or not.