I'm currently working on an iPhone app which uses a LAMP API. I've gotten to the user authentication portion and have recently been exploring OAuth. Because this is an iPhone, the app will be the only thing consuming the API. I have opted to use a 'Password Grant' in my case (no Google, Facebook, etc. integration yet). However, I'm trying to understand what the workflow is exactly.
I have three circumstances for general use-cases; are these accurate?
- A user downloads my app on their iPhone
- They Register (submit username, email, password)
- when registering, a Client ID and Client Secret are also submitted
- are these sent FROM the iPhone? Or are these stored in my API and added to their request?
- After registering successfully, the API generates an Authorization Token which is returned to the iPhone App. This token is sent WITH every request the iPhone makes and shows a) that the user is authenticated and b) which user is using the API
Second use-case
- A user already has the app and is a registered user.
- Upon launching the App, their previously stored authorization-token is sent with their requests?
- How is the Authorization Token stored in the iPhone?
Third use-case
- Presumably, this token eventually expires and a new one needs to be generated.
- The user opens their app and sends their existing token, which is rejected because it expired.
- Now, we go through the steps in Use-Case 1 to re-generate an authorization token for the user, which is then stored in their iPhone App
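An added example, not code from the post or from any project it describes, modelling the API side of the three use-cases above in Python (a stand-in for the LAMP server): a password grant checks the client credentials and the user's password and issues a short-lived Bearer access token plus a refresh token; every API request is resolved to a user from the Bearer token; and once the access token has expired, the app exchanges the refresh token for a new pair instead of re-sending the password or re-registering. The client id, client secret, expiry time and in-memory stores are constructed placeholders.

```python
import hashlib, hmac, secrets, time

ACCESS_TTL = 3600                        # access tokens expire after an hour (use-case 3)
CLIENT_ID = "iphone-app"                 # constructed sample client credentials; they ship
CLIENT_SECRET = "example-client-secret"  # inside the app binary, so treat them as public

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class AuthServer:
    """Minimal OAuth 2.0 password-grant token endpoint on the API side."""
    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested
        self.users = {}         # username -> (salt, password hash); never the password
        self.access = {}        # access token -> (username, expiry time)
        self.refresh = {}       # refresh token -> username

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, _hash(password, salt))

    def _check_password(self, username: str, password: str) -> bool:
        salt, digest = self.users.get(username, (b"", b""))
        return bool(salt) and hmac.compare_digest(digest, _hash(password, salt))

    def _issue(self, user: str) -> dict:
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[at] = (user, self.now() + ACCESS_TTL)
        self.refresh[rt] = user
        return {"access_token": at, "token_type": "Bearer",
                "expires_in": ACCESS_TTL, "refresh_token": rt}

    def token(self, p: dict) -> dict:
        # POST /token: the app sends its client credentials with every grant
        if not (hmac.compare_digest(p.get("client_id", "").encode(), CLIENT_ID.encode())
                and hmac.compare_digest(p.get("client_secret", "").encode(), CLIENT_SECRET.encode())):
            return {"error": "invalid_client"}
        if p.get("grant_type") == "password":       # first login: username + password
            if not self._check_password(p.get("username", ""), p.get("password", "")):
                return {"error": "invalid_grant"}
            return self._issue(p["username"])
        if p.get("grant_type") == "refresh_token":  # expired access token: no password needed
            user = self.refresh.pop(p.get("refresh_token", ""), None)  # single use, rotated
            return self._issue(user) if user else {"error": "invalid_grant"}
        return {"error": "unsupported_grant_type"}

    def authenticate(self, bearer: str):
        """Resolve the user behind 'Authorization: Bearer <token>' on each API call."""
        rec = self.access.get(bearer)
        if rec is None or rec[1] <= self.now():
            return None         # unknown or expired: the app refreshes, then retries
        return rec[0]
```

On the phone, the access and refresh tokens belong in the Keychain rather than NSUserDefaults or a plain file, and the refresh token is the only credential the app needs to keep long-term.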