I’m creating my first iOS app, which will essentially make calls to a RESTful API that I’m building in PHP / MySQL (Laravel), and display the returned data to the user.

Firstly, I need to create a system for Users to register / login, from the iOS app.

I’ve been reading about OAuth and OAuth2, but am a little confused as I’m not sure it’s applicable to my situation.

What I want is:

1) A user to open the App on their iOS device

2) and be required to login by the app making a call to my API, which in turn, checks the user’s credentials against a MySQL database on the server

What I DON’T want is:

1) The user to be logging in via 3rd party application (google, facebook, twitter, etc)

2) The user to be directed away from the app to a web page where they have to provide credentials, and then be re-directed back to the app.

Is OAuth appropriate in this situation? My impression was that it’s used to verify a user via a 3rd party service only.

EDIT: An example might be the eBay app on iOS. It has its own database of users, and allows login and registration from the app, not using any 3rd party API to do so.

Answers


  1. I’m planning to do the same and struggle with the same problem: using OAuth or just login with credentials. But I think I can give you some advice.

    As far as I understood, you think that OAuth2 is a provider to log in with Facebook, Twitter etc. That is wrong. But Facebook and Twitter also use OAuth2.

    What is OAuth2 used for (very, very basic!):

    If you have a (web) service like Facebook and want users to log in from a third party app (like 9gag, SoundCloud) you can use OAuth2 to grant them access (without letting them store your credentials). How does it work? The user is redirected to Facebook’s API. When he enters his credentials he is redirected back with an access token. The third party app is then able to log in to Facebook with this token to access the user’s data (for example friends, or to post something).

    But as you already explained, your iOS app is a first party app (it is from the same developer: you!). So I think you don’t need to build an OAuth2 API. Just log in with the user’s credentials.

    It is not a pro explanation, it is just what I understood so far based on my research. But I hope it helps you ^^

  2. OAuth(2) is a protocol for authorization. It was meant to grant access to your API to other apps. In other words, I’m a developer of Eugenio’s Super App and I want to call your API on behalf of a (common) user.

    In your example, your iOS app is the sole consumer of your API. Perhaps in the future you plan to expand this. Perhaps not.

    In any case, I would recommend separating authentication of the user from the API itself. You never know how your user base will evolve. Perhaps you plan to sell your app to consumers. Even though you don’t want to log in with FB, Twitter, etc., users might prefer to do so (unless you are as big as eBay).

    BTW, logging in with FB/Twitter does not require navigating outside to their sites anymore. You can simply use the (very convenient) native apps. See here for an example.

    Or perhaps you are planning on selling this app to enterprise users. In that case, they will definitely not want to log in with your credentials as they already have their own (e.g. AD, LDAP, etc.).

    Keeping that process separate allows your API to evolve over time. Who knows, maybe your app can authenticate users with TouchID. Another example here.

    I would recommend using a token based approach in any case. Your APIs would expect a token. JWTs are lightweight and simple to create/validate and parse.

    This is a good summary of how to structure JWTs for API: https://auth0.com/blog/2014/12/02/using-json-web-tokens-as-api-keys/
