I'm currently in the process of writing an API that will interact with a web application, iPhone app, and Android app for my work. The API is pretty simple and deals with pilots and their availability.
Since I am creating the API and the client-side applications it seems to me that OAuth2 is overkill for this since I don't really care if username/password passes through the client applications.
I do need to have different user_roles such as 'Admin', 'Supervisor', and 'User' and then restrict access to API calls based on this.
Is there a simple way to go about this? Basic authentication over SSL?
Best Answer
The problem with basic authentication over SSL is it depends on passing reversably-encoded user credentials with every API request. This is a security issue because unless you intend to make the user submit their credentials with every request, you'll have to store the user credentials some way on the client device or in the browser (browsers usually cache basic auth credentials and store them in a way that is difficult to clear). Any time user credentials are stored, it leaves room for somebody else to gain access to them.
It's much better to use some kind of token that is granted at login, has an expiration date, and can be revoked at any time. Tokens are safer to use because even if somebody gets access to the token, they only have access to your system not every system your user uses the same password with.
OAuth2 may be overkill for your apps, but it may be a good choice because it forces you into using some good security practices, and many people have been using it for a while, so it's rather mature as a security protocol. Any protocol that you come up with will likely contain security holes that you just haven't thought about. It's better to be safe than sorry.