The scenario for implementation includes a mobile app (MA) which authenticates the user with an authentication server (AS) using OAuth or OpenID, and a mobile app server (MAS) which should serve mobile app requests for data etc.
The part where MA authenticates the user with AS is clear to me. After authentication is done I can also acquire some MA user data (name, email, token, etc.).
Next, the user interacts with MA and MA sends a request for data to MAS. What is the best practice for MAS to authorize the MA user to request data?
Should I maintain user data in the MAS database? (I guess yes.) How shall I track data requests from MA and be sure that they come from an authenticated MA user? Similar questions about this part concern me.
I read a lot of docs on how to implement authentication, but I did not find any on how to implement authorization in the scenario I described using OAuth or OpenID.
I would appreciate your answer or at least a hint/link where I could find more information about the best practices for this scenario.
Thanks!
You can use two-legged OAuth to communicate between the Mobile App (MA) and the Mobile App Server (MAS). Once the user is authenticated on MA from AS using OpenID, the MA has a unique authorized token for that user. MA now sends this authorized token to MAS using two-legged OAuth and fetches the user data securely.
I hope it's very clear; let me know if your scenario differs from this.
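As an added illustration (not code from the answer above): a minimal two-legged OAuth 1.0 HMAC-SHA1 exchange in which the MA signs each request with its consumer key/secret and carries the AS-issued user token, and the MAS checks consumer key, timestamp, nonce and signature before mapping that token to the user record it keeps in its own store. The consumer credentials, URL, token store and user data are constructed for the example.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

# Constructed consumer credentials: shared between MA and MAS when the app is registered
CONSUMER_KEY, CONSUMER_SECRET = "mobile-app-key", "consumer-secret-demo"
# Constructed MAS store: AS-issued user token -> user record kept in the MAS database
USERS = {"user-token-abc": {"user_id": 42, "email": "alice@example.com"}}
SEEN_NONCES = set()  # nonces MAS has already accepted (replay protection)

def _pct(s):
    # OAuth percent-encoding: only RFC 3986 unreserved characters stay literal
    return quote(str(s), safe="~")

def sign(method, url, params, consumer_secret, token_secret=""):
    # HMAC-SHA1 over the base string METHOD&URL&sorted-params; two-legged => empty token secret
    norm = "&".join(f"{_pct(k)}={_pct(v)}" for k, v in sorted(params.items()))
    base = f"{method.upper()}&{_pct(url)}&{_pct(norm)}"
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def ma_sign_request(method, url, query, user_token, now=None, nonce=None):
    # MA side: add the OAuth parameters (carrying the user's token) and sign the request
    params = dict(query, oauth_consumer_key=CONSUMER_KEY, oauth_version="1.0",
                  oauth_signature_method="HMAC-SHA1", oauth_token=user_token,
                  oauth_nonce=nonce or secrets.token_hex(8),
                  oauth_timestamp=str(int(time.time() if now is None else now)))
    params["oauth_signature"] = sign(method, url, params, CONSUMER_SECRET)
    return params

def mas_authorize(method, url, params, now=None, max_skew=300):
    # MAS side: verify consumer key, freshness, nonce and signature, then look up the user.
    # Returns the user record for an authorized request, or None.
    now = time.time() if now is None else now
    try:
        stale = abs(now - int(params.get("oauth_timestamp", ""))) > max_skew
    except ValueError:
        stale = True
    nonce = params.get("oauth_nonce")
    if (params.get("oauth_consumer_key") != CONSUMER_KEY or stale
            or not nonce or nonce in SEEN_NONCES):
        return None
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = sign(method, url, unsigned, CONSUMER_SECRET)
    if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
        return None  # tampered query, wrong consumer secret or forged parameters
    SEEN_NONCES.add(nonce)
    return USERS.get(params.get("oauth_token"))
```

A replayed nonce, a stale timestamp, a modified query parameter or a token the MAS has never stored all come back as None, which is the "be sure the request comes from an authenticated MA user" check the question asks about.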