I have a server and a mobile application. The server provides a RESTful API and the mobile application consumes this API. I wanted to use OAuth 2.0 so that only authorised users can get response, or, in other words, the mobile app gets an access token when the user logs in so that it can make API calls with this token.
Normally, OAuth is used in a scenario where a resource owner (like me), a resource server (like Facebook) and a client (some third-party app) exist. In my case, there are only the server and the mobile app. I want to use my user's username & password if required to get an access token. My questions are as follows:
- I am not sure what roles my server and my application correspond to?
- What kind of flow (and/or Authorization Grant) should I implement?
3 Answers
The mobile application is the client and the API server is the resource server. Since I own both entities, the grant type I am looking for is the 2-legged "Resource Owner Password Credentials". I am using this library with a few minor modifications to fit it to my database. Thank you for your help.
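To make the roles concrete: as an added example (not the asker's code and not the linked library), the sketch below shows the two server-side endpoints the Resource Owner Password Credentials grant needs, namely a token endpoint that exchanges `grant_type=password` plus the user's credentials for a Bearer token, and a resource endpoint that only answers when a valid, unexpired token is presented. The in-memory user and token stores stand in for the asker's database and are an assumption.

```python
import hashlib, hmac, os, secrets, time

# Constructed in-memory stores standing in for the asker's database (assumption).
_USERS = {}      # username -> (salt, PBKDF2 hash)
_TOKENS = {}     # access_token -> (username, expiry timestamp)
TOKEN_LIFETIME = 3600

def register_user(username, password):
    """Store a salted PBKDF2 hash of the password, never the plaintext."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    _USERS[username] = (salt, digest)

def _check_password(username, password):
    if username not in _USERS:
        # Hash anyway so an unknown user does not answer faster than a wrong password.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, 200_000)
        return False
    salt, digest = _USERS[username]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, digest)

def token_endpoint(form, now=None):
    """Handle a POST to the token endpoint (RFC 6749 sections 4.3.2, 5.1 and 5.2)."""
    now = time.time() if now is None else now
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    if not _check_password(form.get("username", ""), form.get("password", "")):
        return 400, {"error": "invalid_grant"}   # same error for bad user or bad password
    token = secrets.token_urlsafe(32)
    _TOKENS[token] = (form["username"], now + TOKEN_LIFETIME)
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": TOKEN_LIFETIME}

def resource_endpoint(headers, now=None):
    """Resource server check: require a valid, unexpired Bearer token (RFC 6750)."""
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    entry = _TOKENS.get(token) if scheme == "Bearer" else None
    if entry is None or entry[1] <= now:
        return 401, {"error": "invalid_token"}
    return 200, {"user": entry[0]}
```

The `now` parameter exists only so expiry can be exercised deterministically; a real deployment would also serve the token endpoint over TLS only and rate-limit it, since the password grant exposes the user's credentials to brute force.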
If you need to authenticate your clients with OAuth 2 you can do it with your own authorization server. There are many available open source OAuth 2 servers like this.
Also I suggest you take a look at OAuth which has been built for precisely this problem domain.
According to https://www.rfc-editor.org/rfc/rfc6749#section-1.1, your mobile application is the client and the server hosting the RESTful APIs is the resource server.
You are probably interested in the authorization code grant
…
As @rsa pointed out, you will also need to roll your own authorization server.