Stateless RESTful API and 3rd party authentication

Question

I want to use 3rd party authentication (OpenID, maybe OAuth but I guess OAuth is meant for authorization) so that user can login easily.

But does authenticating on every request means I call the 3rd party (eg. Google) many times even if I don't need any thing from it? For example, I use OpenID authentication but the API I use is something internal (eg. /api/tasks/add).

Answer 1

Let's fix understanding issues first. OpenID and OAuth are a bit different. There is a simple way to memorize that different:

• OpenID is for humans. Simple example: you want to skip boring registration step and let user reuse existing account.
• OAuth is for services/robots. Simple example: you want your script to access external API with some user's data.

There is a simple explanation provided by wikipedia:

Note that with OpenID, the process starts with the application asking the user for their identity (typically an openid URI), whereas in the case of OAuth, the application directly requests a limited access OAuth Token (valet key) to access the APIs (enter the house) on user's behalf. If the user can grant that access, the application can retrieve the unique identifier for establishing the profile (identity) using the APIs.

So I want to use 3rd party authentication ... that user can login easily. would probably mean you are going to use OpenID.

Answering your question: you do not need to call any third-party services on any request. It will be very inefficient and slow. OpenID provider will return user's credentials and you are good to go.

Please make sure you have identified requirements correctly.