Stateless RESTful API and 3rd party authentication

I want to use 3rd party authentication (OpenID, maybe OAuth, but I guess OAuth is meant for authorization) so that users can log in easily.

But does authenticating on every request mean I call the 3rd party (e.g. Google) many times even if I don't need anything from it? For example, I use OpenID authentication, but the API I use is something internal (e.g. /api/tasks/add).

Asked by Jiew Meng, Dec 20 '13 02:12


1 Answer

Let's fix understanding issues first. OpenID and OAuth are a bit different. There is a simple way to memorize the difference:

  • OpenID is for humans. Simple example: you want to skip boring registration step and let user reuse existing account.
  • OAuth is for services/robots. Simple example: you want your script to access external API with some user's data.

There is a simple explanation provided by Wikipedia:

Note that with OpenID, the process starts with the application asking the user for their identity (typically an openid URI), whereas in the case of OAuth, the application directly requests a limited access OAuth Token (valet key) to access the APIs (enter the house) on user's behalf. If the user can grant that access, the application can retrieve the unique identifier for establishing the profile (identity) using the APIs.


So "I want to use 3rd party authentication ... that user can login easily" would probably mean you are going to use OpenID.

Answering your question: you do not need to call any third-party services on every request. That would be very inefficient and slow. The OpenID provider will return the user's credentials and you are good to go.


Please make sure you have identified requirements correctly.

Answered by Renat Gilmanov, Sep 22 '22 00:09
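The pattern the answer describes, as an added example that is not part of the original post: the OpenID assertion is consumed once at login, the server mints its own HMAC-signed, expiring token, and every later request to an internal endpoint such as /api/tasks/add is checked locally with no call to the provider. The secret, user identifier and lifetime are constructed values for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for the example; a real service loads it from configuration.
SECRET = b"example-server-secret-do-not-use"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, now: int, ttl: int = 3600, secret: bytes = SECRET) -> str:
    """Mint a token once, right after the OpenID provider has asserted who the user is.

    `subject` is the identifier the provider returned (e.g. the OpenID URI).
    The token carries its own expiry, so the API needs no server-side session store.
    """
    payload = json.dumps({"sub": subject, "exp": now + ttl}, separators=(",", ":")).encode()
    body = _b64(payload)
    mac = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(mac)


def verify_token(token: str, now: int, secret: bytes = SECRET):
    """Validate locally on each API request: signature first, then expiry.

    Returns the subject on success, None on any failure. No network call is made,
    which is the point of the answer above: the provider is contacted only at login.
    """
    try:
        body, sig = token.split(".", 1)
        presented = _unb64(sig)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    # Constant-time comparison so signature checks do not leak timing information.
    if not hmac.compare_digest(expected, presented):
        return None
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")
```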