Should I use OAuth (or what else) for the backend of a mobile app? - There is only *one* “third-party” application in such cases

Submitted by 大憨熊 on 2020-05-15 18:05:54

Question


I am developing a mobile app and its backend (Java). How shall I authenticate the users (using our own account system, not things like Google/GitHub accounts)? One way is to create an OAuth2 server. However, my backend is not a giant, and I only have one "third-party application" in the definition of OAuth...

So I wonder what is the best way of authentication in such a mobile app? Thanks!

P.S. Another idea is to use cookies, just like in the old days when developing browser webpages. But I seldom see apps doing it this way. I see most of them sending `Authorization: Bearer the_token_values`...

P.S.2 I am using Flutter and Java Spring.


Answer 1:


If your authentication system supports OAuth, by all means use it. The advantage of OAuth is standardization. Using standard protocols has a lot of advantages. The most important one is that it is very hard to come up with a bulletproof authentication system. A lot of high-profile hacks in the last decade are attributed to home-grown authentication protocols.

Another advantage of using OAuth or another widely accepted protocol is the availability of libraries. You can find an OAuth library for any platform and any language these days.

Just keep in mind OAuth is not the only game in town. There are other fine protocols out there. Probably the most bulletproof out there is mTLS. It requires a robust Public Key Infrastructure, but it is probably the hardest to hack. If you are in an old-school environment with Active Directory and writing an internal app, consider Kerberos. And finally there is SAML, which is very enterprisey and a pain to work with, but it is a bit more flexible than plain OAuth.
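As an added example (not part of the original question or answer), here is the exchange the answer recommends, sketched for the asker's situation: one first-party mobile app that, being a native app, cannot hold a client secret. RFC 8252 recommends the authorization code grant with PKCE (RFC 7636) for exactly this case, and the Python sketch below models both sides of it in one process so it runs offline: the app generates a `code_verifier` and sends only the S256 `code_challenge`; the backend (standing in for the Spring authorization server, after the user has logged in against the site's own account system) binds that challenge to a one-time code; the app redeems the code with the verifier for an opaque bearer token and presents it as `Authorization: Bearer ...`. The failure cases the flow is meant to stop are exercised too: replaying a code, and redeeming a stolen code without the verifier. `CLIENT_ID`, `REDIRECT_URI`, `AuthorizationServer`, `run_flow` and the in-memory dictionaries are assumptions for illustration; a real server persists codes and tokens and performs the login itself.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Assumed registration of the single public client (the mobile app). A native app
# cannot keep a client secret, so PKCE takes its place (RFC 8252 section 8.1).
CLIENT_ID = "mobile-app"                          # hypothetical
REDIRECT_URI = "com.example.app:/oauth2redirect"  # hypothetical private-use URI scheme
CODE_TTL_SECONDS = 60
TOKEN_TTL_SECONDS = 3600


def make_code_verifier() -> str:
    """RFC 7636 section 4.1: 43..128 unreserved chars; 32 random bytes -> 43 base64url chars."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def make_code_challenge(code_verifier: str) -> str:
    """RFC 7636 section 4.2, method S256: BASE64URL(SHA256(ASCII(verifier))) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Backend side (stand-in for the Spring server): issues codes and opaque bearer tokens."""

    def __init__(self) -> None:
        self._pending = {}  # code -> (client_id, redirect_uri, code_challenge, user, expires_at)
        self._tokens = {}   # access_token -> (user, expires_at)

    def authorize(self, client_id, redirect_uri, code_challenge, code_challenge_method, user):
        """Runs after the user logged in on the server's own page; returns the one-time code
        that would travel back to the app via the redirect URI. Only the challenge is seen here."""
        if client_id != CLIENT_ID or redirect_uri != REDIRECT_URI:
            raise ValueError("invalid_client")
        if code_challenge_method != "S256":  # refuse the weaker "plain" method
            raise ValueError("invalid_request")
        code = secrets.token_urlsafe(32)
        self._pending[code] = (client_id, redirect_uri, code_challenge, user,
                               time.time() + CODE_TTL_SECONDS)
        return code

    def token(self, client_id, redirect_uri, code, code_verifier):
        """Token endpoint: exchange code + verifier for a bearer token, with no client secret."""
        entry = self._pending.pop(code, None)  # pop first: a code is single-use even on failure
        if entry is None:
            raise ValueError("invalid_grant")
        c_id, r_uri, challenge, user, expires_at = entry
        if time.time() > expires_at or c_id != client_id or r_uri != redirect_uri:
            raise ValueError("invalid_grant")
        # Recompute the challenge from the presented verifier and compare in constant time.
        if not hmac.compare_digest(make_code_challenge(code_verifier), challenge):
            raise ValueError("invalid_grant")
        access_token = secrets.token_urlsafe(32)  # opaque; validated by server-side lookup
        self._tokens[access_token] = (user, time.time() + TOKEN_TTL_SECONDS)
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": TOKEN_TTL_SECONDS}

    def resource(self, authorization_header_value):
        """Protected API: parse 'Bearer <token>' (scheme is case-insensitive) -> user or None."""
        scheme, _, token = authorization_header_value.partition(" ")
        if scheme.lower() != "bearer" or not token:
            return None
        entry = self._tokens.get(token)
        if entry is None or time.time() > entry[1]:
            return None
        return entry[0]


def run_flow() -> dict:
    """Drive the full exchange plus the failure cases PKCE and single-use codes exist for."""
    server = AuthorizationServer()
    # App side: the verifier stays in app memory; only the challenge goes over the wire.
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    # User logs in on the server (own account system); server hands back a one-time code.
    code = server.authorize(CLIENT_ID, REDIRECT_URI, challenge, "S256", user="alice")
    # App redeems the code with its verifier, then calls the API with the bearer token.
    tok = server.token(CLIENT_ID, REDIRECT_URI, code, verifier)
    results = {"user": server.resource("Bearer " + tok["access_token"]),
               "token_type": tok["token_type"]}
    # Replaying the same code must fail.
    try:
        server.token(CLIENT_ID, REDIRECT_URI, code, verifier)
        results["replay"] = "accepted"
    except ValueError as exc:
        results["replay"] = str(exc)
    # An attacker who intercepted a fresh code but never saw the verifier must fail.
    stolen = server.authorize(CLIENT_ID, REDIRECT_URI, challenge, "S256", user="alice")
    try:
        server.token(CLIENT_ID, REDIRECT_URI, stolen, make_code_verifier())
        results["stolen_code"] = "accepted"
    except ValueError as exc:
        results["stolen_code"] = str(exc)
    results["bad_token"] = server.resource("Bearer not-a-real-token")
    return results


if __name__ == "__main__":
    print(run_flow())
```

The point for the asker's "only one third-party application" worry: the number of clients does not change the protocol. What matters is that the mobile app is a public client, so the server should register the app's redirect URI, accept only S256 challenges, keep codes short-lived and single-use, and never offer the deprecated password grant as a shortcut. Popping the code before any check means a failed exchange also burns it, which is the behaviour RFC 6749 section 4.1.2 asks for.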



Source: https://stackoverflow.com/questions/60611240/should-i-use-oauth-or-what-else-for-the-backend-of-a-mobile-app-there-is-on
