
I have been searching for how we deal with authentication in REST and I find it difficult to understand why people do not consider authentication a resource too. When using a noun instead of a nounified verb one should consider authenticating to

POST /secure-sessions

from which we would be redirected to:

GET /secure-sessions/{id}

All other secured resources would then be:

GET /secure-sessions/{id}/other-resources
POST /secure-sessions/{id}/other-resources
etc.

If we logout we would do:

DELETE /secure-sessions/{id}

Why is this never considered? One could still use authorization headers and other token mechanisms.

Cheers

Tjerk

2 Answers


I had the same idea years ago before reading the REST constraints. The answer is simple, it violates the stateless constraint of REST.

We next add a constraint to the client-server interaction: communication must be stateless in nature, as in the client-stateless-server (CSS) style of Section 3.4.3 (Figure 5-3), such that each request from client to server must contain all of the information necessary to understand the request, and cannot take advantage of any stored context on the server. Session state is therefore kept entirely on the client.


7 Comments

I don't see how creating a secure-session resource on the server is any different from creating other restful resources.
The problem I think is with how we interpret the example I described above within the context of the paragraphs you link to. The different URLs I describe above are self-describing and the created resource '/secure-session/{id}' does not place constraints on where this resource is stored or placed. It could be a row in a database, in a file in the file system, etcetera. Also if one replaces the noun "secure-session" with "secure-access" one cannot directly use the same paragraph of the dissertation to dismiss the example. I hope this makes my point a bit more clear?
@TjerkHeijboer I see that it is hard for you to follow a link, so I quoted the relevant part.
No I read it. It is the question on how he defines Session state. I know that a client should just request server resources using http methods, but is that not what I describe above?
I mean why is it correct to do: POST /users and am redirected to GET /users/{id} from which I could POST /users/{id}/questions and be redirected to GET /users/{id}/questions/{id}, but incorrect to do the above?

This is a bad idea as REST resources should have a stable URI. Your solution creates lots of different URIs for the same resource (depending on who is requesting the resource).

Authentication is an aspect of a resource request that is orthogonal to the resource itself. There are lots of ways to secure a REST resource (see OAuth 2.0).
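An added example, not code from the question or either answer, that puts the two objections side by side: the session-keyed URI from the question can only be answered against a row the server keeps (the stateless constraint quoted in the first answer), while a stable `/other-resources` URI with a self-contained signed bearer token lets every request carry its own proof of identity (the second answer's point). The HMAC token format, the signing key, the subject names and the `/other-resources` path are constructed for the illustration; OAuth 2.0 tokens work the same way in principle but are not what is shown here.

```python
import base64, hashlib, hmac, json

# Constructed signing key for this example; a real service loads it from a secret store.
KEY = b"example-signing-key"

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()

def issue_token(subject: str, now: int, ttl: int = 3600) -> str:
    """Self-contained credential: claims plus an HMAC over them; no server-side record."""
    claims = json.dumps({"sub": subject, "exp": now + ttl}, separators=(",", ":")).encode()
    return _b64(claims) + "." + _b64(hmac.new(KEY, claims, hashlib.sha256).digest())

def verify_token(token: str, now: int):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        claims_b64, sig_b64 = token.split(".")
        claims = base64.urlsafe_b64decode(claims_b64)
        expected = hmac.new(KEY, claims, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, base64.urlsafe_b64decode(sig_b64)):
            return None
        parsed = json.loads(claims)
        return parsed if isinstance(parsed, dict) and parsed.get("exp", 0) > now else None
    except (ValueError, TypeError):
        return None

def stateless_get(path: str, headers: dict, now: int) -> int:
    """Stable URI: /other-resources is the same for every caller; identity rides in the header."""
    if path != "/other-resources":
        return 404
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer ") or verify_token(auth[7:], now) is None:
        return 401
    return 200

class SessionResourceServer:
    """The question's design: a GET is only answerable against a row this server must keep."""
    def __init__(self):
        self.sessions = {}  # session id -> subject; lost on restart, must be shared across nodes
    def post_secure_sessions(self, subject: str) -> str:
        sid = str(len(self.sessions) + 1)
        self.sessions[sid] = subject
        return f"/secure-sessions/{sid}"
    def get(self, path: str) -> int:
        parts = path.strip("/").split("/")
        if len(parts) != 3 or parts[0] != "secure-sessions" or parts[2] != "other-resources":
            return 404
        return 200 if parts[1] in self.sessions else 401  # stored server context decides
```

Note the last line of `SessionResourceServer.get`: a second server instance (a restarted node, or another node behind a load balancer) answers 401 for a URI the first one minted, which is exactly the stored-context dependency the dissertation excerpt forbids.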
