Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

OAuth's tokens and sessions in REST

Tags:

rest

session

oauth

stateless

The other minute I read an article on OAuth. It described especially the tokens being exchanged between client and service provider during a series of requests.

The article also mentioned that OAuth gains significant popularity in RESTful APIs as authorization layer. As I understood, REST should be kept completely stateless.

The question: Doesn't this repeated token exchange torpedo REST's "being stateless" principle? IMHO the tokens can be seen as a kind of session ID, can't they?

like image 902
Boldewyn Avatar asked Nov 04 '09 09:11

Boldewyn

People also ask

Is session ID same as token?

The main difference is session-based authentication of the connection stores the authentication details. The session method makes the server store most of the details, while in the case of the token-based one the client stores them.

What are tokens and sessions?

Tokens and sessions essentially are about where the authorization state is handled, whether on the server-side or the client-side. For example, a server can issue a JWT token via cookie, or expect a stateful session ID to be provided in the “Authorization” header.

What is difference between access token and refresh?

The difference between a refresh token and an access token is the audience: the refresh token only goes back to the authorization server, the access token goes to the (RS) resource server. Also, just getting an access token doesn't mean the user's logged in.

How you maintain sessions in RESTful services?

RESTful API endpoints should always maintain a stateless session state, meaning everything about the session must be held at the client. Each request from the client must contain all the necessary information for the server to understand the request.

1 Answers

OAuth tokens are explicitly a session identifier, interaction is not stateless between requests in the OAuth token negotiation protocol as the requests must be performed in a specific sequence, and they do require per-client storage on the server as you need to track things like when they were issued. So yes, OAuth does violate the strict principles of a RESTful architecture.

Unfortunately there's the Real WorldTM to contend with where we need to do things like allow applications to authenticate on the behalf of individuals without requesting their password, which OAuth does fairly well. It would be impossible to implement a similarly secure authentication scheme without this kind of state. Indeed, one of the changes required by OAuth (1.0a) was to add more state to the token negotiation protocol to mitigate a security risk.

So, does it torpedo REST's stateless principle? Yes. Does that matter? Not unless you live in an ivory tower :-)

like image 108
Greg Beech Avatar answered Sep 21 '22 05:09

Greg Beech
Sign in to Comment

Related questions

ASP.NET MVC 6 AspNet.Session Errors - Unable to resolve service for type?
proper way to logout from a session in PHP
RSpec set session object
How to remove specific session in asp.net?
Storing Anything in ASP.NET Session Causes 500ms Delays
How to maintain a request session in NodeJS
Session data lost in Chrome only
PHP sessions timing out too quickly
Can a user alter the value of $_SESSION in PHP?
Get Current Session Value in JavaScript?
SQLServer vs StateServer for ASP.NET Session State Performance
What is the difference between a Session and a Cookie?
Understanding the "post/redirect/get" pattern
Difference between request.getSession() and request.getSession(true)
session error in codeigniter?
rails 4.0, rake db:sessions:create
Spring Boot Java Config Set Session Timeout
PHP Garbage Collection clarification
Refreshing/Restarting PowerShell session w/out exiting
Authenticate user for socket.io/nodejs

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!