For my current work project we're trying to use OAuth to secure a mobile API, but the app doesn't have user accounts, so authentication would take place invisibly from the user, where the app will send up some secrets to the server and receive the token to be used for subsequent web service calls. The problem is, all the libraries and tutorials I can find implementing OAuth follow this pattern:

  1. Present a web view allowing a user to login
  2. Receive a callback to a custom URL scheme, and parse the necessary information to authenticate future web service calls

How do I achieve this without the webview step? I should be able to make an HTTP request directly with the correct credentials which will return the necessary authentication details.

The app will use OAuth 2.0.

sak

3 Answers

0

It is not clear what you mean by

> the app doesn't have user accounts

If you want to call some API on behalf of a user, you should ask them for a password. Whether you do it in a webview or not depends on the provider's implementation. For example, Twitter doesn't force you to do that.

Otherwise, if you want to call the service on behalf of the client, take a look at this answer: https://stackoverflow.com/a/7477112/2283405

balbelias
  • In this API there are no users. OAuth is only being used as a way to secure the API. Basically, usernames and passwords don't exist in the application, so the API is not called on anyone's behalf. OAuth is being used so untrusted third parties can't access the API. – sak Feb 28 '15 at 21:09
  • How would you check if this third party is trusted or not? – balbelias Mar 01 '15 at 17:47
  • The third party would have to have a valid client ID and app secret to be authenticated. – sak Mar 03 '15 at 09:06
0

If the app doesn't require "personalised" or "user-specific" data to be manipulated, then you can probably try using the "client-credentials" grant type to obtain access tokens using the application credentials granted during the application registration process by the Authorisation Server (e.g. the OAuth server) that's there in your environment. The idea is that your app is what basically authenticates with the Authorisation Server for you using the aforesaid credentials (i.e. the Client Consumer Key and Client Secret Key).

Prabath Abeysekara
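To make the client-credentials flow concrete, here is an added example (not code from this thread or from any particular OAuth library) that shows both sides of the exchange in one self-contained file: the client builds the RFC 6749 section 4.4 token request, the authorisation server authenticates the client id/secret pair and issues a bearer token, and the resource server later checks that token on an API call. The client id, secret, and token lifetime are constructed placeholders; the in-memory dictionaries stand in for a real client registry and token store. One practical caveat for the mobile case discussed in the question: a secret shipped inside an app binary can be extracted, so on the server side treat the client credential as identifying the app, not as proof that a request came from untampered code, and keep rate limits and short token lifetimes in place.

```python
"""Minimal OAuth 2.0 client-credentials grant, client and server side.
Added example; identifiers below are constructed placeholders."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Constructed registration record: what the Authorisation Server stores.
# Secrets are kept hashed so a leaked registry does not expose raw secrets.
CLIENT_ID = "mobile-app-example"          # placeholder client id
CLIENT_SECRET = "s3cr3t-placeholder"      # placeholder secret issued at registration
REGISTERED_CLIENTS = {
    CLIENT_ID: hashlib.sha256(CLIENT_SECRET.encode()).hexdigest(),
}
TOKEN_LIFETIME = 3600                     # seconds; short lifetimes limit token theft
ISSUED_TOKENS = {}                        # access token -> expiry timestamp
_DUMMY_HASH = "0" * 64                    # compared against when client id is unknown


def build_token_request(client_id, client_secret):
    """Client side: credentials in an HTTP Basic header, grant_type in the body."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "client_credentials"})
    return headers, body


def handle_token_request(headers, body, now=None):
    """Authorisation Server side: authenticate the client, issue a bearer token.
    Returns (http_status, json_response)."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    try:
        decoded = base64.b64decode(auth[len("Basic "):]).decode()
        client_id, client_secret = decoded.split(":", 1)
    except (ValueError, UnicodeDecodeError):
        return 401, {"error": "invalid_client"}
    # Always run the constant-time comparison, even for unknown client ids,
    # so timing does not reveal which ids are registered.
    stored = REGISTERED_CLIENTS.get(client_id, _DUMMY_HASH)
    presented = hashlib.sha256(client_secret.encode()).hexdigest()
    authenticated = hmac.compare_digest(stored, presented) and client_id in REGISTERED_CLIENTS
    if not authenticated:
        return 401, {"error": "invalid_client"}
    form = parse_qs(body)
    if form.get("grant_type") != ["client_credentials"]:
        return 400, {"error": "unsupported_grant_type"}
    token = secrets.token_urlsafe(32)     # unguessable, CSPRNG-backed
    ISSUED_TOKENS[token] = now + TOKEN_LIFETIME
    return 200, {"access_token": token, "token_type": "Bearer",
                 "expires_in": TOKEN_LIFETIME}


def is_valid_bearer(authorization_header, now=None):
    """Resource server side: validate the Authorization header of a later API call."""
    now = time.time() if now is None else now
    if not authorization_header.startswith("Bearer "):
        return False
    expiry = ISSUED_TOKENS.get(authorization_header[len("Bearer "):])
    return expiry is not None and now < expiry


if __name__ == "__main__":
    hdrs, body = build_token_request(CLIENT_ID, CLIENT_SECRET)
    status, resp = handle_token_request(hdrs, body)
    print(status, resp)
    print(is_valid_bearer("Bearer " + resp["access_token"]))
```

In a real deployment the client would POST `body` with those `headers` to the server's token endpoint over TLS, and the token store would be a database or a signed-token scheme rather than a dictionary; the validation logic stays the same.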
-1

No, login is compulsory. If you try without it, it won't be possible.

Yogesh More
  • I don't think this is correct. For example, the [reddit API](https://github.com/reddit/reddit/wiki/OAuth2#application-only-oauth) has non-login OAuth – sak Feb 27 '15 at 10:47
  • @sak you are absolutely correct, and this is absolutely wrong. OAuth is a token exchange. It doesn't require any user credentials at all per the specifications of the protocol – TheCodingArt May 19 '17 at 02:51