I got a little lost due to information overload, and I need some guidance on the best way to support API access for trusted clients.
Current situation:
We currently have a centralized server that handles user authentication / authorization through Apache Shiro.
We have our own APIs that interact with a centralized server for authentication and token management. (Thus, the inclusion of SSO).
The connection between our client applications and APIs is secured with SSL.
Token based authentication is used.
Purpose:
Our goal is to allow third-party applications and APIs to communicate with our centralized authentication server. But our main problem is phishing, because we want the "real" parties to communicate with us and, preferably, prohibit the disclosure of authentication information to a third party.
Questions:
1. What is the best way to implement such an architecture? Should we go ahead with OAuth? If so, is there a good way to integrate it with Shiro?
2. Will OAuth work well on mobile apps? (for example, deny access to the REST API if the application is not trusted)
3. Is there an OAuth provider library that I can use with Java, or is OAuth just a "standard" that I have to implement myself? (For example, to implement the RESTful API)
4. Is SSO supported with OAuth?
Sorry for the vague questions. I just need general recommendations and advice.
SiN
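The trusted-client, token-based setup described in the question, worked through as an added example (this is not code from the poster, and it is not the API of Apache Shiro or of any OAuth library): a minimal OAuth 2.0 client credentials grant (RFC 6749 section 4.4) in Python. Registered confidential clients authenticate to the central token endpoint with a client_id and client_secret; the endpoint issues an HMAC-signed bearer token carrying client_id, scope and expiry; each API verifies the token locally with the shared signing key instead of calling the central server on every request. The client names, secrets, scopes, signing key and token format are all assumptions made for illustration. Besides the success path, the example shows the rejections a practitioner wants to see: wrong secret, unregistered client, over-broad scope request, expired token, missing scope, a token forged under another key, and a missing Authorization header.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed key shared by the central auth server and every resource server
# (in production it would come from a secret store and be rotated).
SIGNING_KEY = b"example-signing-key-replace-me"
PBKDF2_ROUNDS = 100_000


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key: bytes, payload: dict) -> str:
    # Token = base64url(JSON payload) "." base64url(HMAC-SHA256 over the payload part).
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    return body + "." + _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())


class AuthorizationServer:
    """Central token endpoint implementing only the client credentials grant."""

    def __init__(self, signing_key: bytes, token_ttl: int = 3600):
        self._key, self._ttl = signing_key, token_ttl
        self._clients = {}  # client_id -> (salt, secret digest, allowed scopes)

    def register_client(self, client_id: str, client_secret: str, scopes) -> None:
        salt = secrets.token_bytes(16)  # secrets are stored as salted digests, never in clear
        digest = hashlib.pbkdf2_hmac("sha256", client_secret.encode(), salt, PBKDF2_ROUNDS)
        self._clients[client_id] = (salt, digest, frozenset(scopes))

    def _authenticate(self, client_id: str, client_secret: str):
        entry = self._clients.get(client_id)
        if entry is None:
            return None  # unknown client: same error as a bad secret, so no enumeration
        salt, digest, scopes = entry
        candidate = hashlib.pbkdf2_hmac("sha256", client_secret.encode(), salt, PBKDF2_ROUNDS)
        return scopes if hmac.compare_digest(candidate, digest) else None

    def token(self, client_id: str, client_secret: str, scope: str, now=None) -> dict:
        """POST /token with grant_type=client_credentials; returns an RFC 6749 style dict."""
        now = int(time.time()) if now is None else now
        allowed = self._authenticate(client_id, client_secret)
        if allowed is None:
            return {"error": "invalid_client"}
        requested = set(scope.split())
        if not requested <= allowed:
            return {"error": "invalid_scope"}  # a client may only get scopes it was granted
        payload = {"client_id": client_id, "scope": sorted(requested), "exp": now + self._ttl}
        return {"access_token": _sign(self._key, payload), "token_type": "Bearer",
                "expires_in": self._ttl}


class ResourceServer:
    """An API that checks the bearer token locally, without calling the auth server."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key

    def verify(self, authorization_header, required_scope: str, now=None):
        """Return the client_id if the token is authentic, unexpired and carries the scope."""
        now = int(time.time()) if now is None else now
        if not authorization_header or not authorization_header.startswith("Bearer "):
            return None
        token = authorization_header[len("Bearer "):]
        try:
            body, sig = token.split(".", 1)
            expected = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(_unb64(sig), expected):
                return None  # forged or tampered; checked before the payload is trusted
            payload = json.loads(_unb64(body))
        except ValueError:  # covers bad base64, bad JSON and a missing "."
            return None
        if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
            return None
        if required_scope not in payload.get("scope", []):
            return None
        return payload.get("client_id")


def demo() -> dict:
    """Run the flow for one registered client plus the failure cases, with a fixed clock."""
    t0 = 1_700_000_000
    auth = AuthorizationServer(SIGNING_KEY, token_ttl=600)
    auth.register_client("partner-backend", "correct-horse-battery", ["read:profile"])
    api = ResourceServer(SIGNING_KEY)
    issued = auth.token("partner-backend", "correct-horse-battery", "read:profile", now=t0)
    bearer = "Bearer " + issued.get("access_token", "")
    forged = "Bearer " + _sign(b"attacker-key", {"client_id": "partner-backend",
                                                "scope": ["read:profile"], "exp": t0 + 9999})
    return {
        "issued": "access_token" in issued,
        "valid": api.verify(bearer, "read:profile", now=t0 + 10),
        "wrong_secret": auth.token("partner-backend", "wrong", "read:profile", now=t0).get("error"),
        "unknown_client": auth.token("evil-app", "x", "read:profile", now=t0).get("error"),
        "excess_scope": auth.token("partner-backend", "correct-horse-battery",
                                   "read:profile admin", now=t0).get("error"),
        "expired": api.verify(bearer, "read:profile", now=t0 + 601),
        "wrong_scope": api.verify(bearer, "admin", now=t0 + 10),
        "forged": api.verify(forged, "read:profile", now=t0 + 10),
        "no_header": api.verify(None, "read:profile", now=t0 + 10),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Caveat on question 2: the client credentials grant keeps out untrusted callers only as long as the client secret stays secret, which holds for a partner's server but not for a mobile app, since anything shipped in the app binary can be extracted. For mobile apps OAuth 2.0 treats the app as a public client and uses the authorization code grant with PKCE (RFC 7636); the token format and the per-API verification shown here stay the same, only the way the token is obtained changes.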