I'm planning on building a web service consisting of two servers - an API backend (RESTful & stateless) and a web server frontend. The backend will be built with Go and the web server with PHP or Java.
Basically, I'd like multiple users to log in with their web browsers through the use of their Facebook or Google credentials, which I understand I must use OAuth for.
I'm, however, deeply confused about how I should design the authentication. Can I simply implement OAuth on the web server alone and then use an API key/secret to validate the web server with my API and communicate over an encrypted connection between the two of them? Would that be secure and work just fine, or should I implement authentication in some other way?
I've made a simple diagram showing my idea of how this could be done.
I really hope that you guys can point me in the right direction.