How do we allow a second client to authenticate users and access our api authorized backend? Please correct any part of my understanding that is incorrect.
User authentication is register / login / logout portion of your app.
App authorization for an api is confirming your app has permission to access an api.
A user should be logged in to the app and the app should be authorized in order for the user to access the api.
It is important to keep user authentication separate from app authorization because different clients (apps) may access our services through our api. Accordingly different users may have different access rights.
Consider a simple web app. Rails with devise is used in the app (api client) for user authentication. The app then accesses the rails-api using doorkeeper for app authorization.
Consider then adding a simple mobile app. How would the mobile app access the same user authentication service? How would we allow mobile app access to our user authorization service?
Would we need to separate the user authentication service into its own api using a separate instance of doorkeeper to authorize the mobile app and web app before creating users and then after authenticating users again authorize the app plus logged in user to access the backend api?
I'm sure it should be easier than described. Any resources, books, videos also appreciated.
