OAuth 2.0. No session? (stateless)

jwchang · Jul 12, 2012 · Viewed 17.3k times

I'm going to implement OAuth 2.0 and a REST API with it to grant different permissions per user and also to scale well. To scale well, stateless is easier because there is NO file, database, or in-memory based session with it.


Below is how I understand OAuth 2.

  1. The OAuth server gives an access token to a user.
  2. The user's access token is stored in a cookie.
  3. When the user accesses the REST API, the user sends the access token with the request.
  4. The server receives the request with the access token.
  5. The server finds out whether the access token is valid and the user has permission to do the request.
  6. Do or reject based on the user's privilege.

So I do not have to worry about session storage. Right?
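The six steps above can be stateless if the access token carries its own claims and a signature, so step 5 needs no session lookup. This is an added example, not code from the question or the answer; the token layout (base64 JSON claims plus an HMAC), the shared key and the scope names are assumptions made for illustration.

```python
# Added example: a self-contained, HMAC-signed access token that a resource
# server can validate per request without any file, database or in-memory
# session. Token format, key and scopes are assumptions, not part of OAuth 2.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-key-change-me"  # shared by token issuer and API server


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id: str, scopes: list, ttl: int, now: Optional[int] = None) -> str:
    """Step 1: the OAuth server encodes subject, scopes and expiry, then signs them."""
    now = int(time.time()) if now is None else now
    payload = _b64(json.dumps({"sub": user_id, "scope": scopes, "exp": now + ttl}).encode())
    sig = _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Steps 4-5: check signature and expiry; returns claims or None, with no session store."""
    now = int(time.time()) if now is None else now
    try:
        payload, sig = token.split(".")
        expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
        # Constant-time comparison so a forged signature leaks no timing information.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(payload))
    except ValueError:  # malformed base64, JSON or token layout
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def authorize(token: str, required_scope: str, now: Optional[int] = None) -> bool:
    """Step 6: allow the request only if the token is valid and grants the scope."""
    claims = verify_token(token, now)
    return claims is not None and required_scope in claims.get("scope", [])
```

Revocation before expiry is the one thing this design cannot do statelessly, which is why short lifetimes (and the refresh_token the answer mentions) matter.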

Answer

Jan Gerlinger · Jul 12, 2012

What you are describing here is the OAuth 2 Implicit Grant flow. OAuth 2 also includes three other flows, but as it seems that your resource owner (the user) is initiating requests using browser-side JavaScript (you were talking about cookies), this is the flow you should go for.

On the client side, OAuth only requires you to store the access_token for accessing protected resources (and a refresh_token if you're going for an expiring access_token).