Designing a Secure REST API with OAuth2 You Can Be Proud Of

Ahmet Alp Balkan
, on

Yesterday there has been a popular post on Hacker News about Designing Secure REST API without OAuth. I don’t agree that OAuth is unsuitable and I’ll introduce my way shortly. This post is intented to be a reply on this topic. In our new startup (ollaa.com), we (3 undergrad co-founders) are basically developing a mobile social network that has iOS/Android clients communicating the server via a REST API. We also looked at how we can provide a secure authentication to our API.

Earlier in our development days, we developed our own proprietary authentication method. It basically should not make us store passwords on the clients and should be extendible for 3rd party apps (who should not know user passwords).

Naively, we were just passing

/api/someEndpoint?username=xxx&passsword=xxx as URL parameters. But later on we realized that will cause serious issues:

Why OAuth2?

Why not OAuth2?:

Simple. In our oauth2_clients database, we indicated that our iOS/Android apps are “official” with a flag. Then while issuing “access_token”s, we allowed our official clients to directly do that without redirecting our users to allow/deny page.

Here’s how standard oauth2 access_token endpoint looks like:

/oauth2/access_token?client_id=XXX&grant_type=**authorization_code**&code=XXXX Here’s how we changed it: /oauth2/access_token?client_id=XXX&grant_type=**user_credentials**&**username**=XXX&**password**=XXX Done.

Our iOS/Android apps can authenticate over OAuth2, just like other 3rd party apps will do in the future. Only difference is that our official clients won’t need to navigate users to the authorization page.

OAuth2 proposal do not mention any other usage of “grant_type” parameter, therefore I think it can be extended in that way.

At the end, you can have


If you liked this post, you can follow me on Twitter or subscribe by email to my blog (no more than an article/month).