How to implement stateless REST API

Question

How to implement stateless REST API

I am working on a REST API that will be used by developers writing mobile applications. Users will be able to use third-party services (Google, Twitter, etc.) for authentication, mainly OAuth (depending on the service in question). We use two-way OAuth between the client application and the API server (where the user key / secret is the application, the developer receives it from our site when the application is registered there).

My problem is how to handle to track stateless user authentication. I do not have user credentials to send in every request. I can create a unique session_id when the user logs in, and then requires a REST API in each request. Are there any other solutions for my problem? Does the session_id unique identifier use the user to identify the cause of any AREST issue without considering the REST state?

+7

rest api stateless

Andreas Oct 05 '10 at 14:41

source share

1 answer

Darrel miller · Accepted Answer · 2010-10-05T16:32:10+0000

Disclaimer: I'm not a security expert at all.

Do not call it session_Id. Call it an authentication token and pass it an HTTP authorization header using your own authentication scheme. See Google AuthSub for an example.

Do not use this authentication token for anything else but to identify the user and determine if they are allowed to fulfill the request. Do not associate any state with the token and do not extract user settings based on this.

How to implement stateless REST API

More articles: