Securing an existing API with our own solution

Question

I have to design a mobile application that interacts with a provided API to exchange data and info, and I\'ve read about API security, Oauth 2, tokens, .... etc, but somethi

Answer 1

oAuth2 using spring security is a solution for this requirement.

There are 4 grant types in oAuth2 which is meant for different scenarios.

1. client credential : the consumer (app) make calls to back-end using the bearer token created using apikey(or clientId) and secret only. Mostly used for anonymous calls where generic information is retrieved.

2. Resource owner password credential (ROPC) : the consumer (app) make calls using the bearer token created using apikey, secret, username and password. Mostly used when you(your authorization server) already know the users(user database is handled in your own system).

3. Authorization code : the consumer (app) make calls using the bearer token created using an authorization code. The authorization code is provided by a 3rd party (which actually has/manages the logged in user data) and the created authorization code linked to the logged in user. Google and Facebook log in for various sites is a typical example. Facebook/Google gives an authorization code for those websites and they exchange that code for a token.

4. Implicit grant : Mix of password credential and authorization code. Instead of authorization code, you get a bearer token from the 3rd party authorization server.

I have been searching a lot for a simple sample code for an authorization server, but never found one. So, I tried to create it myself which you can find here : https://github.com/abbinv/oauth2Server. Only ROPC and Client Credential is implemented.

It is not a 'beautiful' code. But i think you will get the basics.