views: 76
answers: 1
I am implementing a web server API for my application, and I got stuck in the process of figuring out what authentication method I should use to authenticate requests by the users (and also by other client applications). I think that I did not really understand what OAuth and other authentication protocols are made for.

I want the authentication to be performed without the intervention of a web browser, entirely from my iPhone app, or another custom third-party client. Is session-based authentication the good way to go here? How does (for example) the Facebook iPhone client authenticate itself with the web API? I don't think it uses OAuth or anything like that, since the touch login/authorization form is never displayed. OAuth is, as far as I know, used only for third-party apps. But why is that so? Couldn't the iPhone client be considered a third-party app too?

I am sorry if my questions are vague and unclear; please point out the details that are missing and such. Thank you.

+1  A: 

"Auth" in OAuth is not about Authentication but Authorization. It means that if you are a service provider, you can support OAuth to allow users to grant access to individual resources for any OAuth-friendly consumers if the users want. OAuth has its own security architecture to secure the whole process of validating, granting, and authorizing... Then authentication is an essential step for any further requests.

You are right. The Facebook iPhone app doesn't use OAuth to authenticate, although it could. You can verify it here. And I think that is because it is an app by Facebook itself, and it is troublesome to add another layer of security when you are exactly the site owner.

So cookie-based authentication is okay if you are not planning to support other 3rd-party clients to access your users' resources. Otherwise, you likely want to provide OAuth, and I think it's worth implementing because, who knows, YAGNI, in the future.

instcode
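As an added illustration of the cookie-based session authentication the answer recommends for a first-party native client (this is example code written for this page, not code from the answerer, the asker or Facebook), the sketch below shows the server side: a login endpoint that checks a salted PBKDF2 password hash and issues an opaque random session token, an `authenticate` check that expires and revokes tokens, and a simulated API request that carries the token in a `Cookie` header exactly as an iPhone app could send it without any browser. The user, cookie name `session`, in-memory stores and one-hour lifetime are assumptions for the example; a real server would keep users and sessions in a database and send the cookie over HTTPS only.

```python
import hashlib
import hmac
import os
import secrets
import time

# Hypothetical in-memory stores for the example; a real server uses a database.
USERS = {}      # username -> (salt, pbkdf2 digest)
SESSIONS = {}   # session token -> {"user": username, "expires": unix time}
SESSION_TTL = 3600          # assumed one-hour session lifetime
PBKDF2_ROUNDS = 200_000
DUMMY_SALT, DUMMY_DIGEST = b"\0" * 16, b"\0" * 32


def register(username, password):
    """Store a salted PBKDF2-HMAC-SHA256 hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    USERS[username] = (salt, digest)


def login(username, password):
    """Return an opaque session token on success, None on failure."""
    record = USERS.get(username)
    # Always run the KDF so response time does not reveal whether the user exists.
    salt, expected = record if record else (DUMMY_SALT, DUMMY_DIGEST)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    if record is None or not hmac.compare_digest(digest, expected):
        return None
    # The token is random and meaningless to the client; all state lives server-side,
    # which is what makes a session revocable (logout, expiry, forced invalidation).
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": username, "expires": time.time() + SESSION_TTL}
    return token


def authenticate(token, now=None):
    """Return the username for a valid, unexpired token, otherwise None."""
    now = time.time() if now is None else now
    session = SESSIONS.get(token)
    if session is None:
        return None
    if session["expires"] <= now:
        SESSIONS.pop(token, None)   # expired: revoke so it cannot be replayed later
        return None
    return session["user"]


def logout(token):
    """Explicit revocation; the client discards its copy of the cookie afterwards."""
    SESSIONS.pop(token, None)


def extract_session_cookie(cookie_header):
    """Pull the assumed 'session' cookie out of a raw Cookie header value."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return value
    return None


def handle_request(headers, path, now=None):
    """Simulated protected API endpoint: (status, body) for a request with headers."""
    token = extract_session_cookie(headers.get("Cookie", ""))
    user = authenticate(token, now) if token else None
    if user is None:
        return 401, "authentication required"
    return 200, f"{user} fetched {path}"


if __name__ == "__main__":
    # Constructed walk-through: register, log in from a native client, call the API.
    register("eugenio", "correct horse battery staple")
    assert login("eugenio", "wrong") is None
    tok = login("eugenio", "correct horse battery staple")
    print(handle_request({"Cookie": f"session={tok}"}, "/me"))   # 200
    logout(tok)
    print(handle_request({"Cookie": f"session={tok}"}, "/me"))   # 401
```

The point to take from it is that nothing in the flow needs a browser: the app POSTs credentials once over TLS, keeps the returned cookie, and attaches it to every later request. The moment other parties' apps need access to your users' data, that same cookie would have to be handed to them, which is exactly the problem OAuth's delegated authorization exists to avoid.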
Thank you sir, your answer was very informative! :) I will implement OAuth in the future if it will be needed by third-party apps. For the moment I will go with the cookie-based authentication.
Eugenio Depalo