I have been searching around to find a clear answer for some time, but still end up asking it.
I am trying to design a site that has a Java/JBoss RESTful backend and Angular as the front-end (JavaScript and static pages). Because I want to leave the flexibility open for mobile clients and 3rd-party client access, I have OAuth 2.0 implemented in the project.
After reading so many articles and threads on how to do "user" (not client) authentication and authorization, I got more and more confused. Please correct me if I am wrong: my understanding is that OAuth is used between client and server, i.e. between my front-end and back-end servers, or between a 3rd-party client and my backend server, because they will need to share a client id etc.
Then, from a user's perspective, when he/she logs in to the site, do we still need HMAC or another session token to authenticate/authorize the user, together with the OAuth token that authenticates the request?
Or should I utilize the OAuth framework and send back an accessToken for the Password grant? But the specification says the Password grant should only be used for trusted parties.
For the REST services, for example, only the owner of the entity can update or delete on the path /user/{id}; how should I enforce it? Role-based authorization won't apply in this case. I am currently using a Filter for the OAuth, and I am not sure if I should do the same and keep a map between the "session id" (if I need to use it) and the existing user id, and if it finds out that a user is operating on another user's entity, the server should return 401? And do all these checks need to be done manually?
Any comment is greatly appreciated. Thanks so much.
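The ownership check asked about above, as an added example that is not the asker's code: a JAX-RS filter chain where the bearer access token establishes the caller's principal, and a name-bound authorization filter refuses PUT/DELETE on /user/{id} unless {id} is the caller's own user id. It assumes a JAX-RS 2.x runtime (for example RESTEasy on JBoss/WildFly) with these classes registered in the Application, and the `TOKENS` map is a constructed stand-in for real OAuth 2.0 token validation (introspection or JWT signature verification); the annotation, class and method names are all hypothetical.

```java
// Added example, not the asker's code. Assumes JAX-RS 2.x (e.g. RESTEasy on JBoss/WildFly)
// and that the nested classes are registered via the Application subclass.
package example.auth;

import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.annotation.Priority;
import javax.ws.rs.DELETE;
import javax.ws.rs.NameBinding;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

public final class OwnerAuthorization {

    /** Hypothetical name-binding annotation: methods carrying it get OwnerOnlyFilter. */
    @NameBinding
    @Retention(RetentionPolicy.RUNTIME)
    public @interface OwnerOnly {}

    /** Step 1, authentication: map the bearer access token to a user principal. */
    @Provider
    @Priority(Priorities.AUTHENTICATION)
    public static class BearerTokenFilter implements ContainerRequestFilter {
        // CONSTRUCTED sample data: opaque access token -> user id it was issued to.
        // A real deployment replaces this lookup with OAuth 2.0 token validation
        // (introspection endpoint or JWT signature check), never a static map.
        static final Map<String, String> TOKENS = new HashMap<>();
        static { TOKENS.put("tok-alice", "42"); TOKENS.put("tok-bob", "43"); }

        @Override
        public void filter(ContainerRequestContext ctx) {
            String header = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
            if (header == null || !header.startsWith("Bearer ")) {
                // No credentials at all: 401 plus a challenge, as RFC 6750 requires.
                ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                        .header(HttpHeaders.WWW_AUTHENTICATE, "Bearer").build());
                return;
            }
            final String userId = TOKENS.get(header.substring("Bearer ".length()));
            if (userId == null) {
                ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                        .header(HttpHeaders.WWW_AUTHENTICATE, "Bearer error=\"invalid_token\"")
                        .build());
                return;
            }
            final boolean secure = ctx.getSecurityContext().isSecure();
            // The user id becomes the principal name that every later check compares against.
            ctx.setSecurityContext(new SecurityContext() {
                @Override public Principal getUserPrincipal() { return () -> userId; }
                @Override public boolean isUserInRole(String role) { return false; }
                @Override public boolean isSecure() { return secure; }
                @Override public String getAuthenticationScheme() { return "Bearer"; }
            });
        }
    }

    /** Step 2, authorization: the authenticated user must be the {id} in the path. */
    @Provider
    @OwnerOnly
    @Priority(Priorities.AUTHORIZATION)
    public static class OwnerOnlyFilter implements ContainerRequestFilter {
        @Override
        public void filter(ContainerRequestContext ctx) {
            Principal caller = ctx.getSecurityContext().getUserPrincipal();
            if (caller == null) {
                ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
                return;
            }
            // Name-bound filters run after resource matching, so the path parameter is known.
            String targetId = ctx.getUriInfo().getPathParameters().getFirst("id");
            if (targetId == null || !targetId.equals(caller.getName())) {
                // Authenticated but not the owner: 403 Forbidden, not 401.
                ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
            }
        }
    }

    /** The resource: only the mutating methods are owner-only. */
    @Path("/user")
    public static class UserResource {
        @PUT
        @Path("{id}")
        @OwnerOnly
        public Response update(@PathParam("id") String id, String body) {
            return Response.ok("updated user " + id).build();
        }

        @DELETE
        @Path("{id}")
        @OwnerOnly
        public Response delete(@PathParam("id") String id) {
            return Response.noContent().build();
        }
    }
}
```

With this layout the access token already identifies the user, so no separate session id map is needed for the ownership check; the filter compares the principal established from the token with the {id} in the URL. The distinction between the two failure codes matters for clients: 401 with a `WWW-Authenticate: Bearer` challenge means "present a valid token", while 403 means the token is fine but this user may not touch that entity. The path-parameter comparison is sufficient only because /user/{id} carries the owner in the URL; for entities whose owner is a stored attribute (a post, an order), the same comparison has to be made against the owner loaded from the database, in the resource method or service layer, which is the part that cannot be expressed as a role and does have to be written by hand.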