I have a webapp LAMP stack that provides a REST API. The goal is to have 3 levels: database, services (REST) and several front-end clients (website, Android, iPhone). Currently, these levels are in one box. The website uses the API to make service logic calls for CRUD operations; mobile clients have not yet been created.
I am using the PHP bcrypt implementation to store user credentials. It is slow / processor-intensive by design. Each API call accepts a username and password pair along with the API parameters. This will prevent large-scale scaling because the hash is computed on every API call.
So, I was looking at alternatives. OAuth 2.0 uses revocable tokens, which are not expensive, but the articles I read seem to suggest that the main use case for this protocol is to allow third-party users to access my API. This is not entirely consistent with my model, as mobile clients, for example, belong to me.
Is OAuth intended only for third parties or is it typical for a company to add its mobile clients as OAuth users for its own API?
Can I share a secret with the Android / iPhone application that I publish on the application market so that they can immediately communicate with the API?
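The pattern the question is circling, shown as an added example that is not part of the original post: pay the bcrypt cost once at login, hand the client a random bearer token, and have every subsequent API call authenticate with a cheap hash lookup of that token. Tokens are stored only as their SHA-256 digest, so a leaked token table does not yield usable credentials, and they carry an expiry and can be revoked. The arrays standing in for the `users` and `api_tokens` tables, the function names and the TTL are assumptions for the example; the token is issued per user, not per app, which is also why a secret baked into a published mobile binary cannot replace it.

```php
<?php
// Added example, not code from the original post. Verify the bcrypt password
// once at login, then authenticate each API call with an inexpensive lookup
// of a random bearer token. In-memory arrays stand in for the DB tables.
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 3600; // assumed lifetime of an issued token

// Stand-in for the users table: username => bcrypt hash (cost 12 is a reasonable
// default today; raise it as hardware gets faster).
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 12]),
];

// Stand-in for an api_tokens table: sha256(token) => ['user' => ..., 'expires_at' => ...].
// Only the digest is stored, so a dump of this table cannot be replayed as tokens.
$tokens = [];

// The one place bcrypt runs: on login. Returns the raw token to send to the client.
function login(array $users, array &$tokens, string $username, string $password): ?string
{
    // password_verify uses a constant-time comparison internally.
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return null;
    }
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $tokens[hash('sha256', $token)] = [
        'user'       => $username,
        'expires_at' => time() + TOKEN_TTL_SECONDS,
    ];
    return $token;
}

// Per-request check: one SHA-256 and an indexed lookup, no bcrypt.
function authenticate(array &$tokens, string $token): ?string
{
    $key = hash('sha256', $token);
    if (!isset($tokens[$key])) {
        return null;
    }
    if ($tokens[$key]['expires_at'] < time()) {
        unset($tokens[$key]); // expired: drop it so it cannot linger
        return null;
    }
    return $tokens[$key]['user'];
}

// Revocation (logout, lost phone): delete the row and the token is dead immediately,
// which is the property bcrypt-per-call never gave you.
function revoke(array &$tokens, string $token): void
{
    unset($tokens[hash('sha256', $token)]);
}

// Pull the token out of "Authorization: Bearer <token>".
function bearerFromHeader(?string $header): ?string
{
    if ($header === null || !preg_match('/^Bearer\s+([A-Fa-f0-9]{64})$/', $header, $m)) {
        return null;
    }
    return $m[1];
}

// Demo of the flow: login once, then two cheap API calls, then revoke.
$token = login($users, $tokens, 'alice', 'correct horse battery staple');
assert($token !== null);
assert(login($users, $tokens, 'alice', 'wrong password') === null);

$header = 'Bearer ' . $token;
assert(authenticate($tokens, bearerFromHeader($header)) === 'alice');
assert(authenticate($tokens, bearerFromHeader('Bearer ' . str_repeat('0', 64))) === null);
assert(bearerFromHeader('Basic abc') === null);

revoke($tokens, $token);
assert(authenticate($tokens, $token) === null);
echo "token flow ok\n";
```

In the real stack the `api_tokens` rows live in a table indexed on the digest column, the raw token goes back to the client only over TLS, and the mobile apps keep it in the platform keystore rather than in a shared, app-wide secret. OAuth 2.0's bearer tokens are exactly this mechanism with a standardised issuance protocol around it, so using it for your own first-party clients is normal; the "third party" framing only concerns who is allowed to register a client.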