API认证设计

I'm planning on building a web service consisting of two servers - an API backend (RESTful & stateless) and a web server frontend. The backend will be build with Go and the web server with PHP or Java.

Basically I'd like multiple users to log in with their web browsers through the use of their facebook or google credentials which I understand I must use OAuth for.

I'm however deeply confused about how I should design the authentication. Can I simply implement OAuth on the webserver alone and then use an API-key/secret to validate the webserver with my API and communicate over an encrypted connection between the two of them. Would that be secure and work just fine or should I implement authentication in some other way?

I've made a simple diregram showing my idea of how this could be done.

I really hope that you guys can point me in the right direction.

Two common approached to tacking the problem:

Trusted subsystem model vs Delegation model

Trusted subsystem

Use a trusted subsystem model, it maybe impractical to maintain a separate key and secret for every user of the front end, the trusted subsystem model basically states that a system (web server) with authority to an api is responsible or trusted to authenticate/authorise users access to that api, and is given authority to do so.

What you do is provision a account for the web server, and allow the web server to authorize access to the api.

Delegation model

If you have control over how the api authenticates you can use the same method as the frontend and reuse the end users security principal to authenticate to the back end api.