1

I am learning RESTful and have come up with such a question:

Since RESTful web services requires that the server side does not store any connection data, how do we implement user login?

The traditional method can use server-side session to store user data, but RESTful gets aways from it.

One apparent solution is that, the user side always sends username and password every time they visit a new page, and the server side always authenticates the user before it does everything. However, this approach seems very ugly as the front-end has to store username/password and send them in every link, and the server has to check against the database to authenticate, which seems too slow.

So how do we even implement any user authentication mechanism without storing any tracking information on the server side?

Improve this question
1
  • You can create something like ApiKey model. Which can generate access tokens. Then you would look for ApiKey by access user token you previously generated. You may also want to add additional restrictions to ApiKey like expires_in etc. So before each request if you don't find the ApiKey by using access token you can return head :unauthorized from your controller method. Additionally check this out railscasts.com/episodes/352-securing-an-api Commented Oct 27, 2014 at 4:14

1 Answer 1

Reset to default
1

A good RESTful way to implement authentication is through Tokens. E.g a unique and hard to guess collection of characters that only the authenticated user and server know or can deduce.

RESTful Approach

For the sake of simplicity I'm assuming it's a JSON based web service, though the approach would be the same with XML or any other data structure:

POST /tokens
BODY:
{"username": "my_user_name", "password": "thepassw0rd"}

A successful validation would return a 200 OK response with a new unique token for the user:

200 OK
RESPONSE:
{token: 'wVXBbpBP4EnjpgENLUp7'}

Then instead of sending the username/password with each RESTful request the token is sent via a HTTP header:

GET /some_resource
HEADERS:
X-Auth-Token: wVXBbpBP4EnjpgENLUp7

If the token is invalid (fake, expired etc), a 401 Unauthorized HTTP status can be returned. This has the advantage that authentication doesn't interfere with the structure of your RESTful responses.

Storage

It is possible to generate a token that doesn't require storage. One way is by having the Token an encrypted string of the user id, similar to how Ruby on Rails encrypts session data client-side in a cookie. However this has some disadvantages, namely it becomes harder to revoke tokens, set expirations on the token or have levels of authorization. Unless your service is immediately going to have Google-sized amounts of traffic, you'll have more flexibility if you store each token on the server.

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

So we still need some kind of server-side storage even with RESTful?
Just to clarify, are you talking about when using a third-party RESTful web service or building your own RESTful API?
I'm saying building my own. I'm trying to understand what's the best practice instead of just using something that has been built already.
You will always need to have some kind of server-side storage when you're doing your own authentication. At the very least you will need to store each user's username and hashed password. While it's technically possible to not store each token on the server, there are some security and flexibility considerations to keep in mind that I mentioned above. Authentication tokens are considered best practice and are fundamental to protocols like OAuth

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.