I am trying to determine the easiest authentication scheme to use for my scenario. I have a MEAN webapp that is backed by a mongo database. In the development mode, I just had the database remember the deviceId and accessToken for a user and call it for POST commands and the webhooks just would post to a certain API url. This all works great in development mode.
My question is: do I have to use the two-legged scheme in this scenario since I have a server and intend to store all of the events coming from the Particle cloud, or can I use the simple authentication and “web app” would just represent the whole stack? Bonus question: if I can use the simple scheme, would I set up through my webapp initially?
It sounds like you have a working app. Exciting!
What needs to change between development mode and production? Your response will determine whether you need a different authentication and customer management model. Are you just using the app yourself or will other people use it with their own access tokens?
The most important thing is to keep all your credentials (access tokens, passwords, OAuth client ID and secret) on the server, not in the client. That means making calls to the API from the Express app, not from the Angular app. Customers could use their own access tokens in the Angular app in their own browsers — that’s OK. However, you need to keep your access tokens secret on the server, or else anyone who comes to the website will be able to reprogram all your devices.
Thanks for the response, Zachary! Right, we plan to keep all access tokens on our servers and make 100% of the calls and responses between our server and the cloud. So with that in mind, is simple auth an option for us since we have a server in place? I was naively hoping that we could do the initial setup with an iOS app that would also send a POST call to our servers during the setup with the user’s name, deviceId and access token, and then we’d be good to go afterward sending and receiving information between our server and the Particle cloud.
Your plan sounds fine to me @captainchemist. You should avoid sending the user’s password to your server, but sending their access token could be OK if it’s over an HTTPS connection. Also keep in mind that the access token will expire, so you either also need their refresh token or else you need the iOS app to be used again later to send you another access token.
While it’s not the normal flow that I’d recommend, it sounds like a quick and dirty solution that will get the job done for you and has no huge problems as long as you manage credentials carefully.
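The server-side pattern discussed in this thread, as an added example that is not code from any of the posters: the backend holds each user's deviceId and access token, attaches the token only on its own outbound call to the cloud, and tells the client to re-link when the token has expired. Assumptions: the in-memory `Map` stands in for the MongoDB collection, the function names in the allowlist are hypothetical, the endpoint shape follows Particle's public REST API, and all IDs and tokens are constructed samples.

```javascript
// Added example; all sample values below are constructed.
const PARTICLE_API = 'https://api.particle.io/v1'; // assumed Particle Cloud base URL
const ALLOWED_FUNCTIONS = new Set(['setLed', 'reboot']); // hypothetical device functions

// What the iOS app POSTed during setup (expiresAt in seconds).
const tokenStore = new Map([
  ['alice', { deviceId: '0123456789abcdef01234567', accessToken: 'SAMPLE_TOKEN_A', expiresAt: 2000 }],
  ['bob', { deviceId: '89abcdef0123456789abcdef', accessToken: 'SAMPLE_TOKEN_B', expiresAt: 500 }],
]);

// Build the outbound cloud request for a logged-in user, or an error for the client.
function buildCloudRequest(store, userId, fnName, arg, nowSec) {
  const rec = store.get(userId);
  if (!rec) return { status: 404, error: 'no_device_linked' };
  // The browser only names a function; it never chooses the device or the token.
  if (!ALLOWED_FUNCTIONS.has(fnName)) return { status: 400, error: 'function_not_allowed' };
  // Expired token and no refresh token stored: the iOS app must send a new one.
  if (rec.expiresAt <= nowSec) return { status: 401, error: 'relink_required' };
  return {
    status: 200,
    url: `${PARTICLE_API}/devices/${encodeURIComponent(rec.deviceId)}/${encodeURIComponent(fnName)}`,
    options: {
      method: 'POST',
      headers: { Authorization: `Bearer ${rec.accessToken}`, 'Content-Type': 'application/json' },
      body: JSON.stringify({ arg: String(arg) }),
    },
  };
}

// Only this reduced view ever goes back to the Angular client.
function toClientView(cloudJson) {
  return { connected: Boolean(cloudJson.connected), returnValue: cloudJson.return_value };
}

// Route handler body; fetchImpl is injectable so the flow can run without network.
async function callDeviceFunction(store, userId, fnName, arg, nowSec, fetchImpl = fetch) {
  const req = buildCloudRequest(store, userId, fnName, arg, nowSec);
  if (req.status !== 200) return { status: req.status, body: { error: req.error } };
  const res = await fetchImpl(req.url, req.options);
  // A 401 from the cloud means the token was revoked or expired early.
  if (res.status === 401) return { status: 401, body: { error: 'relink_required' } };
  if (!res.ok) return { status: 502, body: { error: 'cloud_error' } };
  return { status: 200, body: toClientView(await res.json()) };
}
```

In an Express route, `userId` would come from the server's own session, never from a request parameter, so one user cannot act on another user's device.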