Centralized API provider - OAuth or not?
I am a bit lost with the overflow of information and I need some guidance on the best way I can support providing API access only to trusted clients.

Current environment:

We currently have a centralized server that handles user authentication/authorization via Apache Shiro.

We have in-house APIs that communicate internally with the centralized server to authenticate and manage tokens (thus enabling SSO).

Communication between our client applications and APIs is secured over SSL. Token-based authentication is used.

Target:

Our target is to allow 3rd-party applications and APIs to communicate with our centralized authentication server. But our main concern is phishing, as we only want "valid" parties to communicate with us, and preferably disallow exposing the authentication information on the 3rd party's side.

Questions:

1- What is the best way to implement such an architecture? Should we go ahead with OAuth? If yes, is there a good way to integrate it with Shiro?

2- Would OAuth do its job well on mobile applications as well? (e.g. restrict access to the REST API unless the application is trusted)

3- Is there an OAuth provider library I can use with Java, or is OAuth simply a "standard" that I have to implement myself? (Such as, for example, implementing RESTful APIs)

4- Is SSO easily supported with OAuth?

Sorry for the vague questions. I just need general guidance and advice.