
I have an API with the following method:

https://api.example.com/services/dosomething 

I am providing this service to three different mobile apps, each one with hundreds of users. When a user logs in in the mobile app, a call to my API needs to be made.

I know that providing each one of the three mobile apps a different API Key and doing HTTP Basic Authentication with it is not secure, since the API Key would be unsafely stored in the device and anyone could take it and make bad use of it.

The approach of OAuth2 doesn't work, since I only have information of my three customers, not their hundreds of users.

What is the best approach to secure the calls to my API on mobile?

1 Answer

In your case, your approach with OAuth2 is good: mobile apps (clients) receive delegation from resource owners (your users) to call protected resources on a resource server (your API).

You only have information about your clients because OAuth2 is not dedicated to authentication of your users but to authorization of your clients. The clients are identified with a client ID. In your case, if you want to know which client calls your resource server, then each client should have a dedicated client ID. You may also identify it using other information such as the IP address or a custom header in the requests it sends.

If you want to know who your users are, you should implement the OpenID Connect extension. This extension works on top of an authorization server based on OAuth2. The authentication of the user is performed by the authorization server. An ID Token is issued with information about the user. The client (or mobile app) does not have to get or store user's credentials.

There is an excellent video where both protocols are explained (especially from 4:44 to 11:00).
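To make the roles in the answer concrete, here is an added example (not part of the original answer, and not tied to any particular OAuth2/OpenID Connect library) of what the resource server side looks like: the API behind `/services/dosomething` never sees an app-embedded API key; it validates a token issued by the authorization server and reads the registered client ID (which mobile app) and the subject (which user) from its claims. The example assumes an HS256-signed JWT with a shared secret between the authorization server and the API, a fixed issuer and audience, and three registered client IDs; all of those values are constructed for the demo. A production deployment would typically use asymmetric signatures (RS256/ES256) with keys fetched from the authorization server's JWKS endpoint instead of a shared secret.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (assumptions, not real deployment settings).
SECRET = b"constructed-demo-secret-not-for-production"
ISSUER = "https://auth.example.com"
API_AUDIENCE = "https://api.example.com"
# One registered client ID per mobile app; the API only accepts these.
KNOWN_CLIENTS = {"app-ios-1", "app-android-1", "app-web-1"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict) -> str:
    """What the authorization server does: sign the claims (HS256, demo only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, now=None) -> dict:
    """What the resource server does: return the claims or raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # Pin the algorithm: never trust "alg" from the token to choose a verifier.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    if not isinstance(claims, dict):
        raise ValueError("malformed claims")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != API_AUDIENCE and not (isinstance(aud, list) and API_AUDIENCE in aud):
        raise ValueError("wrong audience")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    # Which of the three apps made the call: the registered client ID.
    client = claims.get("client_id") or claims.get("azp")
    if client not in KNOWN_CLIENTS:
        raise ValueError("unknown client")
    return claims


def handle_dosomething(token: str, now=None):
    """Handler for /services/dosomething: returns (status, body)."""
    try:
        claims = verify_token(token, now)
    except ValueError as exc:
        return 401, {"error": str(exc)}
    client = claims.get("client_id") or claims.get("azp")
    return 200, {"client": client, "subject": claims.get("sub")}


if __name__ == "__main__":
    # Constructed token: user "user-42" signed in through the iOS app.
    token = mint_token({
        "iss": ISSUER, "aud": API_AUDIENCE, "sub": "user-42",
        "client_id": "app-ios-1", "exp": int(time.time()) + 3600,
    })
    print(handle_dosomething(token))
```

The important property for the question asked: the mobile app stores nothing that would let a third party impersonate it long-term, only short-lived tokens the authorization server issued after the user authenticated, and the API still learns which client (and which user) is calling from the token's claims rather than from a secret baked into the app.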


2 Comments

Thanks! You said that OAuth2 is dedicated to authorization of my clients (mobile apps). How does this authentication work? Is there an API key or username/password per app? If so, how can we keep that information private? I don't need to know which user it is, but I need to know what client sends the request.
Hi. I updated my answer and I added details. I hope it will help you