OAuth's tokens and sessions in REST

Boldewyn picture Boldewyn · Nov 4, 2009 · Viewed 18.1k times · Source

The other minute I read an article on OAuth. It described especially the tokens being exchanged between client and service provider during a series of requests.

The article also mentioned that OAuth gains significant popularity in RESTful APIs as authorization layer. As I understood, REST should be kept completely stateless.

The question: Doesn't this repeated token exchange torpedo REST's "being stateless" principle? IMHO the tokens can be seen as a kind of session ID, can't they?

Answer

Greg Beech picture Greg Beech · Nov 9, 2009

OAuth tokens are explicitly a session identifier, interaction is not stateless between requests in the OAuth token negotiation protocol as the requests must be performed in a specific sequence, and they do require per-client storage on the server as you need to track things like when they were issued. So yes, OAuth does violate the strict principles of a RESTful architecture.

Unfortunately there's the Real WorldTM to contend with where we need to do things like allow applications to authenticate on the behalf of individuals without requesting their password, which OAuth does fairly well. It would be impossible to implement a similarly secure authentication scheme without this kind of state. Indeed, one of the changes required by OAuth (1.0a) was to add more state to the token negotiation protocol to mitigate a security risk.

So, does it torpedo REST's stateless principle? Yes. Does that matter? Not unless you live in an ivory tower :-)