Authorization: Any Benefit of OAuth2 for First-Party Web and Mobile Clients

Question

I would like to know whether there is any security benefit to using OAuth2 for authorization where all clients are developed, owned and controlled by the API developer/owner/controller; as opposed to using token authentication per Django Rest Framework's Token Authentication.

My understanding OAuth is that it was created for the purpose of delegated authorization - allowing third party applications access to your user's data without knowing the user's credentials. It seems to now have become a standard, even where delegation is not required. I do not understand why. Is there any benefit at all where delegation is not required?

My setup will be a Django Rest Framework API with a web SPA client and mobile clients. Permissions are associated with user accounts. Users login with email and password.

I do not think that this is an opinion question, because I'm not asking which is better, I will make that decision myself, I'm just trying to understand whether there is actually any security benefit at all to the OAuth option. This question might be somewhat open-ended but hopefully is within an acceptable margin since I'm restricting the considerations to security considerations. Developer effort etc are not necessary to discuss.

Answer 1

OAuth is primarily a set of best practice security design patterns, represented by standards specifications that map to use cases for software companies. It is not just about delegation.

I wouldn't say solutions are more secure just because OAuth is used. It is more a case of the threats being better thought through, as well as the general architecture.

PROTECTING DATA IN APIs

The OAuth solution involves validating a JWT access token on every request, then using claims to implement the real authorization work.

This scales well to zero trust architectures, where JWTs can be forwarded between APIs, and the scope and audience claims can be used for boundary checks. The IAM Primer provides a good overview.

UI FLOWS

Web and mobile are tricky, and it is worth being aware of SPA Best Practices, whether you use OAuth or any other solution, such as a site that manages its own passwords.

FULL OAUTH SOLUTIONS

A full OAuth solution involves use of a third party Authorization Server (AS), which manages the difficult security work, but there is a learning curve in integrating one. It also enables you to use the code flow, which is worth reading about.

Sometimes companies adopt an AS when they want multiple sign in methods, custom authentication, business partner integration, or to use advanced flows or financial grade security, which is required in some industry sectors.

YOUR SOLUTION

Securíty for web, mobile and APIs is difficult however you do it. Usually companies identify requirements and design how they want end-to-end flows to work, rather than it just being a developer task. My blog post suggests a people process.

My general recommendation would be to follow OAuth patterns to protect data, even if you implement UI flows in a simpler way initially. Your code will then be migratable to a full OAuth architecture in future, if your security requirements evolve.