I have been reading a lot about OAuth 2 flow recently, and I wanted to ask if this is applicable to the app that I am building, and what type of security I should be using.
- We have native iOS/Android apps and an Angular SPA.
- We build/own/control our own backend APIs, and only our frontend apps can (should) communicate with these APIs.
- User logs in on a form, we validate credentials on the backend, and return a JWT, which is then used for subsequent requests. Access to most APIs is restricted to logged-in users; other APIs are open to the net to allow users to register.
I cannot see a use case here for OAuth; however, everything I am reading seems to suggest that it is required. We will not be delegating access to third-party systems; we simply only want to validate our own customers, and only allow them to access our APIs via our frontend apps, after they have logged in.
Is the approach I have outlined, which we are currently doing, correct, or do I need to implement the OAuth Authorization Code flow, and if so, can you please explain why?