I am currently writing a rest API in python with the microframework Flask. It’s a private API and it deals with user data. I plan to use this API to build a web and an Android app.

For now I use digest auth to secure private user data. For example if you want to post data on my service with the user bob you make a post request at myapi/story/create and provide bob’s credentials with the digest pattern.

I am aware this is not a good solution because :
-Digest auth is not secure
-The client is not authenticated (How to secure requests not related with current user, for example create a new user ?)

I read a lot of stuff about oAuth but the 3-legged authentication seems overkill because I don’t plan to open my API to third party.
The 2-legged oAuth won’t fit because it only provides authentification for clients and not for users.
Another problem with oAuth is that I haven’t found a comprehensive guide for implementing it in Python. I found the python-oauth2 library, but I don’t understand the server example and I can’t find additional documentation. Plus it seems that many aspects of oAuth are not covered in this example.

So my questions are :

1. Is there alternative scheme (not oAuth) for authenticate both client and user with a reasonable level of security ?
2. If oAuth is the best solution :
   • How to skip the authorization process (because users won’t have to authorize third party clients)?
   • Is there detailled documentation for python-oauth2 or for any other Python library?

Any help or advice will be appreciated.