Mobile application authentication using tokens - estimation

  1. Implement Authorization Server
    2h - Account Management - probably we don't have to do it, reuse the existing one
    4h - implement authorize endpoint (only the implicit grant type is necessary)
    4h - implement token endpoint

  2. Implement Resource Server
    2h - find out how to combine with the current cookie authentication

    • a) switch everything to OAuth
    • b) combine - preferable approach (set session cookies only for non-CORS requests; all other applications have to use OAuth tokens)
    • c) make it configurable on a per-page basis?

    4h - implement the chosen solution
    4h - set CORS (cross-origin request) headers properly
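
As an added illustration of option b) (not part of the original estimate), the resource-server authentication decision: a session cookie is honoured only on same-origin requests, while a CORS request must carry an OAuth bearer token, and CORS headers are emitted only for known origins. The session/token stores, origin names and the Request shape are constructed assumptions.

```python
"""Combined cookie + OAuth bearer authentication for the resource server.
Same-origin requests may use the session cookie; cross-origin (CORS) requests
must present a bearer token. All stores and names below are constructed."""
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample stores; a real server looks these up in the session store
# and in the authorization server's token store.
SESSIONS = {"sess-abc123": "alice"}
ACCESS_TOKENS = {"tok-xyz789": "bob"}
ALLOWED_ORIGINS = {"https://mobile.example.test"}
API_HOST = "api.example.test"

@dataclass
class Request:
    host: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)

def is_cross_origin(req: Request) -> bool:
    """Cross-origin when the Origin header names a host other than ours.
    Browsers omit Origin on same-origin GETs, so a missing header is same-origin."""
    origin = req.headers.get("Origin")
    if origin is None:
        return False
    return origin.split("://", 1)[-1].lower() != req.host.lower()

def bearer_principal(req: Request) -> Optional[str]:
    """Resolve 'Authorization: Bearer <token>' to a user, comparing in constant time."""
    scheme, _, token = req.headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    for stored, user in ACCESS_TOKENS.items():
        if hmac.compare_digest(stored, token):
            return user
    return None

def authenticate(req: Request) -> Optional[str]:
    """Option b): cookies count only for same-origin requests, tokens always."""
    if is_cross_origin(req):
        return bearer_principal(req)  # session cookie deliberately ignored
    return SESSIONS.get(req.cookies.get("session", "")) or bearer_principal(req)

def cors_headers(req: Request) -> dict:
    """Reflect only allow-listed origins; never '*' together with credentials."""
    origin = req.headers.get("Origin")
    if origin not in ALLOWED_ORIGINS:
        return {}  # unknown origin: the browser will block the response
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Headers": "Authorization",
            "Vary": "Origin"}
```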

0-8h Tuning, obstacles
Overall estimate: 20-28 MH

Update: implementation is ongoing