
Security in your own application

My app is running on domain example.com, but I fetch some data from domain api.example.com.

Example:

  1. User wants to add a new article.
  2. example.com sends a request to api.example.com/add

Question:

I would like to know which security I should use to verify the user. OAuth? Or should I send the user's password over POST? Thank you.


If you're passing information to and from your own website, then use sessions to store the user data; you don't need OAuth (that's designed to validate users between different websites without requiring the password on the 3rd party's end).


If your api.example.com is meant to be used by other sites, you should have an authentication system on api.example.com (HTTP basic + SSL, HTTP digest, OAuth, etc.) which is used by example.com.

example.com should then not manage users (creation, authentication, etc.), only relay to api.example (maybe using a session to store api.example.com user credentials). But example.com should manage user preferences if those preferences refer only to example.com.
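The "HTTP basic + SSL" arrangement from the answer above, as an added example that is not part of the original question or answers: it sketches how api.example.com could check the `Authorization` header that example.com relays for `/add`. The user store, the function names, the PBKDF2 password storage and the `scheme` argument (standing in for "this request arrived over TLS") are assumptions made for illustration.

```python
import base64, hashlib, hmac, os

ITERATIONS = 200_000  # assumed PBKDF2 work factor

def hash_password(password, salt=None):
    """Return (salt, digest); the API stores these, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

# Constructed sample user store for api.example.com.
USERS = {"alice": hash_password("correct horse battery staple")}
# Random record hashed for unknown users so both paths cost the same.
DUMMY = hash_password(os.urandom(16).hex())

def basic_header(user, password):
    """Header value example.com sends when relaying a request."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

def authenticate(headers, scheme):
    """Return the authenticated username, or None."""
    if scheme != "https":  # Basic credentials are only base64; require TLS
        return None
    kind, _, token = headers.get("Authorization", "").partition(" ")
    if kind.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    salt, expected = USERS.get(user, DUMMY)
    _, got = hash_password(password, salt)
    ok = hmac.compare_digest(got, expected)  # constant-time comparison
    return user if ok and user in USERS else None

def handle_add(headers, scheme, article):
    """Hypothetical handler for api.example.com/add."""
    user = authenticate(headers, scheme)
    if user is None:
        return 401, "authentication required"
    return 201, f"article '{article}' added by {user}"

if __name__ == "__main__":
    good = {"Authorization": basic_header("alice", "correct horse battery staple")}
    print(handle_add(good, "https", "Hello"))
    print(handle_add(good, "http", "Hello"))
```
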
