I have a back-end (API) and a front-end, eg a web server, and I have users and ID-providers.
The web server is provided by a third party and it may just as well be a mobile app, but whatever the case is, the user uses it to access their data.
Generally the users will need the Application (Web or Mobile) to be able to do everything for them because the API just gives out low-level responses in JSON format. So when a user requests that a front-end be authorized, that gives that front-end full access to whatever the user can do.
The users register and authenticate by means of their Google/FB/Twitter etc accounts so that the API doesn't need to worry about passwords, and to make it easier for users to sign-up.
When the user views a resource, e.g. their messages or account history or profile on the back-end, they do this via a front-end.
The front-end then passes the request for the resource to the API (which is implemented in a REST-ish fashion). My understanding is that for this to work OAuth would be used to authorize the web site to request the user's private information.
Please correct my understanding: After registration, the user logs in on the front-end. The front-end then retrieves information for the user from the back-end via "OAuth-authorized HTTP requests" (OAuth 2.0 to be specific).
The back-end sees that the request is authorized but doesn't know who was (presumably still is) logged in during this process? So how does the back-end know what mailbox or profile or transaction history to serve up?
The API will encode the specified mailbox or transaction history in the URI, but really the question is: how does the back-end know that the front-end is requesting the correct mailbox for the currently signed-in user?
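The following is an added illustration of the mechanism the question is about, not code from the original post: a resource server (the "back-end") that takes the bearer token the front-end sends, verifies it, reads the user identity (the `sub` claim) out of it, and only then checks that the mailbox named in the URI belongs to that user. Everything here is constructed for the demo: the HMAC-signed JWT-style token, the `issue_token` stand-in for an authorization server, the `mail-api` audience, the `mail:read` scope, and the tiny in-memory mailbox table. A real deployment would verify tokens against the authorization server's published key or its introspection endpoint rather than a shared secret.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret. In production the resource server holds the
# authorization server's verification key, it never shares a signing secret.
SIGNING_KEY = b"demo-secret-not-for-production"
AUDIENCE = "mail-api"  # assumed audience value identifying this API


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(sub: str, scope: str, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Constructed stand-in for the authorization server: the user logged in
    through their identity provider, and this mints an HS256 JWT-style token
    whose 'sub' is the user id that login established."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "scope": scope, "iat": now, "exp": now + ttl, "aud": AUDIENCE}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}"
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate_token(token: str, now: Optional[int] = None) -> dict:
    """Resource-server side: check signature, audience and expiry, then return the claims.
    The user identity the back-end trusts is claims['sub'], nothing sent by the front-end."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise PermissionError("malformed token")
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("aud") != AUDIENCE:
        raise PermissionError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    return claims


# Constructed data: mailbox id -> owning user id, and the messages in each mailbox.
MAILBOX_OWNERS = {"mbox-100": "user-alice", "mbox-200": "user-bob"}
MESSAGES = {"mbox-100": ["hello alice"], "mbox-200": ["hello bob"]}


def get_mailbox(authorization_header: str, mailbox_id: str, now: Optional[int] = None) -> list:
    """Handler for GET /mailboxes/{mailbox_id}. The URI says which mailbox is wanted;
    the token says who is asking; the handler checks that the two agree."""
    if not authorization_header.startswith("Bearer "):
        raise PermissionError("missing bearer token")
    claims = validate_token(authorization_header[len("Bearer "):], now=now)
    if "mail:read" not in claims.get("scope", "").split():
        raise PermissionError("insufficient scope")
    owner = MAILBOX_OWNERS.get(mailbox_id)
    if owner is None:
        raise KeyError("no such mailbox")
    # Object-level authorization: a valid token alone is not enough, the
    # mailbox named in the URI must belong to the token's subject.
    if owner != claims["sub"]:
        raise PermissionError("mailbox does not belong to the authenticated user")
    return MESSAGES[mailbox_id]


if __name__ == "__main__":
    tok = issue_token("user-alice", "mail:read", now=1000)
    print(get_mailbox("Bearer " + tok, "mbox-100", now=1500))
    try:
        get_mailbox("Bearer " + tok, "mbox-200", now=1500)
    except PermissionError as e:
        print("rejected:", e)
```

The point the example makes: the back-end never learns "who is logged in" from the front-end's request body or URI; it learns it from a token that the authorization server signed after the identity-provider login, and every per-user resource lookup compares the URI's object against that token's subject.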