
I'm under the impression that OAuth is for authentication between three parties. Does it make sense to implement OAuth in a context where there is just a client and a server?

We have a server, and a client (HTML/javascript). Currently we authenticate via the normal "post credentials to server, get a cookie, use cookie to authenticate all subsequent requests" method. Will implementing OAuth be a benefit in this situation?

nbv4

1 Answer


OAuth supports different Grant Types for the differing communications you're asking about.

Here is an example in a PHP library of a different grant type or two:

Client Credentials Grant Type

The Client Credentials grant type is used when the client is requesting access to protected resources under its control (i.e. there is no third party).

# using HTTP Basic Authentication
$ curl -u TestClient:TestSecret https://api.mysite.com/token -d 'grant_type=client_credentials'

# using POST Body
$ curl https://api.mysite.com/token -d 'grant_type=client_credentials&client_id=TestClient&client_secret=TestSecret'

You'd get back an access token (like your cookie) and use that on all subsequent calls.

Implicit Grant Type

The Implicit grant type is similar to the Authorization Code grant type in that it is used to request access to protected resources on behalf of another user (i.e. a 3rd party). It is optimized for public clients, such as those implemented in javascript or on mobile devices, where client credentials cannot be stored.

https://api.mysite.com/authorize?response_type=token&client_id=TestClient&redirect_uri=https://myredirecturi.com/cb

Source: http://bshaffer.github.io/oauth2-server-php-docs/grant-types/client-credentials/

Erik
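The Client Credentials exchange from the answer above, written out as both sides of the protocol. This is an added example, not code from the original post and not the bshaffer/oauth2-server-php library it links to. It assumes a hypothetical in-memory client registry holding the `TestClient`/`TestSecret` pair from the curl commands, an in-memory token store, and a one-hour token lifetime; the token endpoint accepts client credentials either as an HTTP Basic header or in the POST body, exactly the two forms the curl examples use, and `authenticate_request` is the check a resource server would run on every subsequent call carrying the issued bearer token (the role the cookie plays in the asker's current setup).

```python
import base64
import hmac
import secrets
import time
from urllib.parse import parse_qs

# Constructed client registry (hypothetical): the confidential client from the
# answer's curl examples. A real server would store a hash of the secret.
CLIENTS = {"TestClient": "TestSecret"}
TOKEN_TTL = 3600                      # seconds; an assumption, not from the page
_tokens = {}                          # access_token -> (client_id, expiry timestamp)


def basic_auth_header(client_id, client_secret):
    """Build the Authorization header that `curl -u id:secret` sends."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def _extract_client_credentials(headers, body):
    """Return (client_id, client_secret) from HTTP Basic auth or the POST body."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[6:], validate=True).decode()
        except ValueError:            # bad base64 or non-UTF-8 payload
            return None
        client_id, sep, secret = decoded.partition(":")
        return (client_id, secret) if sep else None
    params = parse_qs(body)
    if "client_id" in params and "client_secret" in params:
        return params["client_id"][0], params["client_secret"][0]
    return None


def token_endpoint(headers, body, now=None):
    """Handle POST /token for grant_type=client_credentials.

    Returns (http_status, json_body) in the shape RFC 6749 describes.
    """
    now = time.time() if now is None else now
    params = parse_qs(body)
    if params.get("grant_type") != ["client_credentials"]:
        return 400, {"error": "unsupported_grant_type"}
    creds = _extract_client_credentials(headers, body)
    if creds is None:
        return 401, {"error": "invalid_client"}
    client_id, secret = creds
    # Compare against an empty string for unknown clients so the same code path
    # runs either way; compare_digest avoids timing leaks on the secret itself.
    expected = CLIENTS.get(client_id, "")
    if not expected or not hmac.compare_digest(secret.encode(), expected.encode()):
        return 401, {"error": "invalid_client"}
    token = secrets.token_urlsafe(32)       # 256 bits of randomness, unguessable
    _tokens[token] = (client_id, now + TOKEN_TTL)
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": TOKEN_TTL}


def authenticate_request(headers, now=None):
    """Resource-server check: return the client_id for a live bearer token, else None."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    entry = _tokens.get(auth[7:])
    if entry is None or entry[1] <= now:    # unknown or expired token
        return None
    return entry[0]


if __name__ == "__main__":
    hdrs = {"Authorization": basic_auth_header("TestClient", "TestSecret")}
    status, resp = token_endpoint(hdrs, "grant_type=client_credentials")
    print(status, resp)
    print(authenticate_request({"Authorization": "Bearer " + resp["access_token"]}))
```

The part of the answer's own text that matters for the asker's situation is the sentence about public clients: a `client_secret` only protects anything when the client can keep it, which an HTML/JavaScript application served to browsers cannot. The exchange above therefore describes a server-side or otherwise confidential client; for a browser client the answer's Implicit flow instead returns the access token in the redirect URI fragment, and the token then has to be protected in the browser much as the current session cookie is.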