Eduardo

Reputation: 74

How should a RESTful API authenticate end users?

I need to build a REST API that will have a web front end (in the future there will also be a mobile one).

I'm a little confused about how I should manage the authentication and session management for the end users.

I know that with an API there are 2 kinds of authentication, machine to machine and user to machine. The front end will use the machine to machine approach, but, following the stateless principle of a REST design, how can I do the user authentication?

Should I handle the user session management on the front end? Should I send the user id and password in every request?

I'm very confused about this topic.

Thanks for your help.

Upvotes: 1

Views: 133

Answers (1)

SuperMan

Reputation: 178

Yes, you should handle user session management on the front end. When the user logs in, you send the password and id to the API, and the API returns you the user (everything you need about the user; this should also include some kind of user token that you will use to identify the user in subsequent actions). This process is done only once, because then you save your user in the session. When the user logs out, you just delete the session.

So basically what happens is: id + password is sent to the API. The API returns the user with a user token. Then with every request, you can send the user token to the API, so that you know which user is doing what and can handle this in the backend.

Upvotes: 2
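The flow described in the answer, as an added example (not code from the question or the answer): a one-time login exchanges id + password for an opaque random token, every later request carries only that token, and logout deletes the session. It assumes an in-memory server-side session store, a constructed user table with PBKDF2 password hashes, a fixed token lifetime and a `Bearer` header; all of these are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed sample user store: username -> PBKDF2 hash of the password.
# In a real service the salt is per user and stored next to the hash.
_SALT = b"constructed-demo-salt"
_ITERATIONS = 100_000
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITERATIONS)}

# Server-side session store: token -> session record (assumed in-memory).
SESSIONS: dict[str, dict] = {}
TOKEN_TTL_SECONDS = 3600


def login(username: str, password: str) -> Optional[str]:
    """Step 1 (done once): verify id + password, return a fresh opaque token or None."""
    stored = USERS.get(username)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
    # compare_digest avoids timing differences; the hash is computed even for
    # unknown users so a missing account is not distinguishable by response time.
    if stored is None or not hmac.compare_digest(stored, candidate):
        return None
    token = secrets.token_urlsafe(32)  # unguessable, carries no user data itself
    SESSIONS[token] = {"user": username, "expires": time.time() + TOKEN_TTL_SECONDS}
    return token


def authenticate(token: str) -> Optional[str]:
    """Step 2 (every request): map the presented token back to a user, or None."""
    session = SESSIONS.get(token)
    if session is None:
        return None
    if session["expires"] < time.time():  # expired tokens are dropped, not honoured
        del SESSIONS[token]
        return None
    return session["user"]


def logout(token: str) -> None:
    """Step 3: deleting the session invalidates the token immediately."""
    SESSIONS.pop(token, None)


def handle_request(headers: dict) -> tuple[int, str]:
    """A protected endpoint: reads 'Authorization: Bearer <token>' and answers 200 or 401."""
    auth = headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    user = authenticate(token) if scheme == "Bearer" and token else None
    if user is None:
        return 401, "unauthorized"
    return 200, f"hello {user}"
```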
