What's the best way to handle API authentication for users (especially for mobile devices)
We're looking to create an API for our website. One of the major usages for the API (I suspect) will be to allow people to create mobile apps (for the iPhone and hopefully other devices).
What's the best way to handle API authentication for users. As a general rule, I don't like encouraging our users to hand their username/email/password details over to a 3rd party. However, is using oAuth acceptable/mature enough to work with for mobile devices? The only people using oAuth for mobile apps appear to have been Pownce, which seems to have had user issues and in any case is no longer around for me to see how they have dealt with the problem.
(Our user base is very untechnical, so I would expect <1% to have ever dealt with oAuth before)
The choice seems to be:
- Ignore the issue开发者_Python百科 with 3rd parties and passwords
- Force developers to implement oAuth integration
- Try something user unfriendly (such as using a secret key rather than their password)
Am I missing something?
I dont think I completely understand your question, what do you mean by "handle API authentication for user" ? Do you want to make users authenticate themselves before using your API? Or something else?
One thought though, and this is true I think for any mobile platform. If you have an API that will work through a browser, then any mobile app, on first launch after download should be able to launch a browser (all mobile platforms allow this) and do any type of one time authentication.
Hope this helps, further clarifications on your question will help me give a better answer.
精彩评论