I am building a REST API service that will not be public and only used by the client to access the resources on the server. There is no authorization of different consumers as the only consumer is the server.
I understand that 3-legged OAuth is the standard used by public APIs like Facebook's, and I think I'm correct in assuming I am after 2-legged authentication, but I cannot find a useful website describing it.
I need to use OAuth to access resources and/or change them. Obviously this should be protected, but I am unsure as to how to go about doing this within PHP. So if a user requests something like https://example.com/me/follow/123 by a POST request, the user 123 would only be followed if the user is logged in.
I would also like public resources to only be accessed by a recognised client. So if you access https://example.com/user/123 a 401 is given, but if you access https://example.com/user/123?client_id=890 a result is given. This will not stop users who are not logged in from getting public resources, but it will stop users who are not using a recognised client. More than anything, this is a way for me to track what clients are using the API in the future.
1) How do you go about logins and give the users a token that is sent with every API request?
2) How do I protect the API from being used by unrecognized clients?
I am sorry if any of my terminology or ideas are incorrect. My understanding of REST and oAuth is still very much developing.
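The two questions above (a per-user token sent with every request, and a registered-client check on public resources) can be demonstrated together. The following is an added example, not code from the question author: a stateless, HMAC-signed, expiring bearer token issued at login and verified on each request, plus a lookup of `client_id` against a table of known clients. The signing key, the client table, `issue_token`, `verify_token` and `handle` are all assumptions made for illustration; in a real deployment the key comes from configuration and the client table from storage. Note that a `client_id` in a URL is not a secret and cannot authenticate a client; as the question says, it only identifies which client is calling, which is enough for tracking.

```php
<?php
// Added example (not from the question author): bearer tokens for a single-consumer,
// 2-legged API plus a registered-client check. All names and values are assumptions.
declare(strict_types=1);

// Server-side secret used to sign tokens (constructed placeholder; in practice load
// 32 bytes from random_bytes() stored in configuration, never in source).
const TOKEN_SIGNING_KEY = 'REPLACE_WITH_32_RANDOM_BYTES_FROM_CONFIG';
const TOKEN_TTL_SECONDS = 3600;

// Registered clients; client_id only identifies the calling application for tracking.
const KNOWN_CLIENTS = ['890' => 'Mobile app (constructed sample)'];

function base64url_encode(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}
function base64url_decode(string $txt): string|false {
    return base64_decode(strtr($txt, '-_', '+/'), true);
}

// Issue a token after the user's credentials have been checked (password_verify(), not shown).
function issue_token(int $userId, int $now): string {
    $payload = json_encode(['uid' => $userId, 'exp' => $now + TOKEN_TTL_SECONDS]);
    $body = base64url_encode($payload);
    $sig  = base64url_encode(hash_hmac('sha256', $body, TOKEN_SIGNING_KEY, true));
    return $body . '.' . $sig;
}

// Return the user id for a valid, unexpired token, or null for anything else.
function verify_token(string $token, int $now): ?int {
    $parts = explode('.', $token);
    if (count($parts) !== 2) return null;
    [$body, $sig] = $parts;
    $expected = base64url_encode(hash_hmac('sha256', $body, TOKEN_SIGNING_KEY, true));
    if (!hash_equals($expected, $sig)) return null;   // constant-time comparison
    $payload = json_decode(base64url_decode($body) ?: '', true);
    if (!is_array($payload) || !isset($payload['uid'], $payload['exp'])) return null;
    if ($payload['exp'] <= $now) return null;           // expired
    return (int) $payload['uid'];
}

// Read "Authorization: Bearer <token>" from the request headers.
function bearer_token_from_headers(array $headers): ?string {
    $auth = $headers['Authorization'] ?? '';
    return preg_match('/^Bearer\s+(\S+)$/', $auth, $m) ? $m[1] : null;
}

// Router: public resources need a known client_id; writes also need a logged-in user.
// Returns [http_status, body].
function handle(string $method, string $path, array $query, array $headers, int $now): array {
    $clientId = $query['client_id'] ?? null;
    if ($clientId === null || !isset(KNOWN_CLIENTS[$clientId])) {
        return [401, ['error' => 'unrecognised client']];
    }
    // GET /user/123 : public, the client check is enough
    if ($method === 'GET' && preg_match('#^/user/(\d+)$#', $path, $m)) {
        return [200, ['user' => (int) $m[1], 'served_to' => KNOWN_CLIENTS[$clientId]]];
    }
    // POST /me/follow/123 : requires a valid user token as well
    if ($method === 'POST' && preg_match('#^/me/follow/(\d+)$#', $path, $m)) {
        $token = bearer_token_from_headers($headers);
        $uid = $token === null ? null : verify_token($token, $now);
        if ($uid === null) return [401, ['error' => 'login required']];
        return [200, ['follower' => $uid, 'followed' => (int) $m[1]]];
    }
    return [404, ['error' => 'not found']];
}

// Demo with constructed sample requests.
$now = time();
$token = issue_token(42, $now);                                             // user 42 logged in
[$c1] = handle('GET', '/user/123', [], [], $now);                           // no client_id
[$c2] = handle('GET', '/user/123', ['client_id' => '890'], [], $now);       // known client
[$c3] = handle('POST', '/me/follow/123', ['client_id' => '890'], [], $now); // no token
[$c4] = handle('POST', '/me/follow/123', ['client_id' => '890'],
               ['Authorization' => 'Bearer ' . $token], $now);              // token present
echo "$c1 $c2 $c3 $c4\n";
```

The token is self-contained (user id and expiry signed with a server-side HMAC key), so no session store is needed and the server can verify it on every request; sending it in the `Authorization` header rather than the query string keeps it out of access logs. Because `client_id` is visible to anyone who can see the URL, it serves the tracking purpose described in the question but should not be treated as proof that the request came from your client.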