doart3

Reputation: 195

REST API Authentication (maintaining an authenticated state)

I am developing a REST API. Currently I am trying to make it minimally secure. I am asking this question because most of the posts I found about this subject were quite old.

For authentication I found these schemes:

Basic Authentication and AWS authentication keep the requests authenticated after a first authentication because they keep sending signed requests.

I don't understand how the OpenID and OAuth authentication maintain a (second) request authenticated. Do I need to check the access token with the OAuth/OpenID server for each request? How does this protect the REST API from receiving requests that have been altered?

Any other schemes that you recommend, advice or reading material about the subject are always welcome.

Upvotes: 2

Views: 466

Answers (1)

divyanshm

Reputation: 6800

I'd talk about OAuth here

i) You create a web app and want to use Google's OAuth APIs.
ii) You register your app there and get credentials.
iii) Now, in the app you'd use Google's SDK to open the login page, enter your credentials, and Google would verify them and send you access tokens and refresh tokens.
iv) You would make REST calls to Google's APIs with the access token and fetch the user's data.

Now, coming to the question you asked -
An access token generally lives for 1 hour. Yes, any authenticated calls that you need to make to any of Google's API within one hour could be made with the same access token.
There is another type of token - the Refresh Token. At any time, your app can hit the provider's token exchange endpoint and exchange the refresh token for a new refresh token + access token pair.

Now again, you have an access token that will help you for one hour and a refresh token that can be exchanged any time.

Refresh tokens live for as long as you want, until the user explicitly revokes permission to your app. (Tells Google that it does not want you to access their resources!)

OAuth would make your REST API secure by ensuring that only authenticated and authorized clients can hit your API. But generally, OAuth is only used when there's a situation where a third party client needs access to a user's resource!

Upvotes: 1
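To make the answer's flow concrete (a short-lived access token that the resource server verifies locally without calling the issuer on every request, which also answers the per-request check and tamper-detection questions above, plus refresh-token exchange with rotation and revocation), here is an added Python model. It is not code from the question or answer; `AuthServer`, `SECRET` and the signed-token format are constructed for the demo, standing in for a real provider's signed JWTs or introspection endpoint.

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"constructed-demo-secret"   # shared by issuer and resource server (demo only)
ACCESS_TTL = 3600                      # access token lifetime in seconds (one hour)

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(payload: str) -> str:
    return _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())

def issue_access_token(user: str, now: int, ttl: int = ACCESS_TTL) -> str:
    """Issuer side: an HMAC-signed, self-contained token carrying an expiry claim."""
    payload = _b64(json.dumps({"sub": user, "exp": now + ttl}).encode())
    return f"{payload}.{_sign(payload)}"

def verify_access_token(token: str, now: int):
    """Resource-server side: verify locally, no round trip to the issuer.
    Returns the subject on success, None for a tampered or expired token."""
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(payload)):   # constant-time compare
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims["sub"] if claims["exp"] > now else None

class AuthServer:
    """Hypothetical issuer: long-lived refresh tokens, rotated on every exchange."""
    def __init__(self):
        self.refresh = {}                         # refresh token -> user

    def login(self, user: str, now: int):
        rt = secrets.token_urlsafe(32)
        self.refresh[rt] = user
        return issue_access_token(user, now), rt

    def exchange(self, rt: str, now: int):
        """Trade a refresh token for a new access + refresh pair; the old one dies."""
        user = self.refresh.pop(rt, None)
        if user is None:
            return None                           # unknown, already used, or revoked
        return self.login(user, now)

    def revoke(self, user: str):
        """User withdraws consent: every refresh token for that user stops working."""
        self.refresh = {rt: u for rt, u in self.refresh.items() if u != user}
```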
