问题
I am developing a mobile app and its backend (Java). How shall I authenticate the users (using our own account system, not things like Google/GitHub accounts)? One way is to create an OAuth2 server. However, my backend is not a giant, and I only have one "third-party application" in the definition of OAuth...
So I wonder what is the best way of authentication in such an mobile app? Thanks!
P.S. Another idea is to use cookies, just like the old days when developing browser webpages. But I seldom see apps doing this way. I see most of them sending Authorization: Bearer the_token_values
...
P.S.2 I am using Flutter and Java Spring.
回答1:
If your authentication system supports OAuth by all means use it. The advantage of OAuth is standardization. Using standard protocols has a lot of advantages. The most important one is that it is very hard to come up with a bullet proof authentication system. A lot of high profile hacks in the last decade are attributed to home grown authentication protocols.
Another advantage of using OAuth or another widely accepted protocol, is availability of the libraries. You can find an OAuth library for any platform and any language these days.
Just keep in mind OAuth is not the only game in town. There are other fine protocols out there. Probably the most bullet proof out there is a mTLS. It requires robust Public Key Infrastructure, but it is probably the hardest to hack. If you are in the old school environment with Active Directory and writing an internal app, consider Kerberos. And finally there is SAML which is very enterprisy and a pain to work with, but it is a bit more flexible than plain OAuth.
来源:https://stackoverflow.com/questions/60611240/should-i-use-oauth-or-what-else-for-the-backend-of-a-mobile-app-there-is-on