Hi,

Will you manage user accounts (such as ID and password) by yourself?
I recommend not creating the authentication system yourself because of the
security risk, and you need to take responsibility if you unintentionally
disclose account information to the public.

In addition, the OAuth protocol isn't used for authentication; it is used for
authorization.
One authentication protocol is OpenID.
Because the difference is very large, you should check the roles of
authentication and authorization.

On Thursday, July 25, 2013 12:10:16 PM UTC-4, Nicharee Punsan wrote:
>
> I am in the early stages of planning (in particular for the security) of a 
> REST API through which a mobile application authenticates and then sends 
> data to be stored in (and also to be retrieved from) the Joomla 
> website/database. It's basically an application-to-application 
> authentication.
>
> I plan to use the API for my own internal use which means that the otherwise 
> important aspect of "making it easy for third party developers/API users" 
> is not as important. My main concern is that I of course want to prevent 
> that illicit information can be injected through such API calls. At some 
> stage I might also be asked by external auditors about how this security 
> aspect is properly covered - hence I better be prepared from the start... ;)
>
> SSL is planned to be used for client/server communication and the API will 
> also use a username/pw for authentication. But does anyone have an opinion 
> about (and maybe experience with) using OAuth as a security layer? I do not 
> mean using users' social media pw for the Joomla login, I mean implementing 
> OAuth on the Joomla Component side (i.e. the Joomla side REST API).
>
> Thanks
>
