I want to implement a new REST-based API on our infrastructure, and OAuth seems to be the way to go.
For our implementation, there will first just be server-to-server access, which will be completely unrestricted. I believe this is called two-legged authorization.
Later on, we'd like to allow the API to be consumed by the browser, which will turn our authorization into three-legged.
Is there a good starting point for implementing this? How can we fully authorize a server and down the road add restricted authorization per-user?
The OAuth specification is not really helpful in these scenarios, but I believe this implies we need to create a never-expiring session for the server-to-server access, and later on add normal sessions with limited access for user-only APIs.
I'm hoping to find starting points for more information, let me know!
Is OAuth for me? I'm only looking for a authenticated request system, and only the consumer and service provider exist in this scenario. The end-user does not come in to play!