I'm trying to work out the best architecture for a couple of apps I'm developing.

In both apps I want to utilise google/twitter/LinkedIn/etc to provide Authentication of a users identity. The app is composed of an iOS app which has an option to send data to a server which I'm writing in node.js.

I want to utilise either OAuth or OpenId to handle identifying a user against the above servers so that I don't have to put in an authentication system of my own. In other words, allowing users to re-use their ids when choosing to upload data.

I should also note that apart from identifying a user, obtaining a name and email address, I have not intention of using any of their APIs at this time.

I think I have two options:

1. Place the Authorisation code in the iOS client and transmit some sort of key to the server with the data which it can then verify.

2. Keep the iOS client fairly dumb, and handle authorisation from the node server.

I'd probably prefer the second option because it means I could centralise authentication and be able to support a web site as well. That's my current theory.

Can anyone who has done something like this give me some pointers as to the pros and cons, OAuth or OpenId, or links to some examples?

In our previous app we opted for a combination of the two approaches. We wanted to centralize our user data on our server in the event we needed to make future Api Calls on those services. We also wanted the native oAuth experience for the user on the client. Ie: on Android and iOS, the developer can have single sign-on / authorization run through the native Facebook app (if available), vs. popping-up a webview that serves the 'Approve' dialog. It's a better user experience in my opinion. Also for Twitter, the oAuth process may require a PIN code to be entered in the callback which should probably be handled on the client side.

You can pass the access token retrieved by the client to the server for storage and later use if you intend on making additional API calls on these services, provided you expect the token to be long-lived (ie: offline-access permission on FB).

In any case this is mostly a user experience decision.