Ben Guest

Reputation: 1568

How do I allow users to authenticate with my REST API?

I am trying to create a REST API for my next project. I think I understand most of the concepts, but am a little unsure about security. Obviously security is the one thing you don't want to get wrong even from the first release of production code.

I understand that REST is stateless, so instead of having a user log in and their session be stored on the server and restarted whenever they make a request, they send the server their unique API key and the server authenticates them on every request.

So how does a user logging into a system look "under the hood"? Is it something like:

  1. The user enters their username and password
  2. These are sent via POST (or PUT) to an API endpoint
  3. If the credentials are valid, a unique API key is generated and returned to the client
  4. If the credentials are not valid, an error is returned to the client

It is then the client's responsibility to store the API key and submit it with each request. This key is stored on the server in a database and used to identify the user and their permissions etc. on each request.

This sounds reasonable, but also breaks the true statelessness of the application because most requests require the initial "make me an API key" request to have been sent.

Thanks in advance for helping me understand!

Upvotes: 1

Views: 1288

Answers (1)

MoralCode

Reputation: 2070

GroupMe's API for example uses a token-based approach to authenticating users of their API (this allows users of their API to create scripts to call the API on their behalf).

In order to successfully make API calls, I (as the user of the API) had to sign in and create an application, which provided me with an Access Token (see image).

This access token (in the case of GroupMe) is what I had to include with all requests in order for the request to be successful. The format may differ depending on whose API you are using, but in the case of GroupMe, it looks like this:

https://api.groupme.com/v3/PAGE_TO_CALL?token=YOUR_ACCESS_TOKEN

This would allow the GroupMe API to identify me and perform whatever action I had specified. This access token is like my username and password, whoever has it will be able to make API calls as me, including any scripts I create...

If you are interested in creating your own REST API, I would look into this article, specifically the last section on creating a token-based authentication method that other users could use to authenticate with your API.

Here is the most relevant excerpt:

API authentication

In normal web applications, authentication is usually handled by accepting a username and password, and saving the user ID in the session. The user's browser saves a cookie with the ID of the session. When the user visits a page on the site that requires authentication, the browser sends the cookie, the app looks up the session by the ID (if it hasn't expired), and since the user ID was saved in the session, the user is allowed to view the page.

With an API, using sessions to keep track of users is not necessarily the best approach. Sometimes your users may want to access the API directly; other times the user may want to authorize another application to access the API on their behalf.

The solution to this is to use token based authentication. The user logs in with their username and password and the application responds with a unique token that the user can use for future requests. This token can be passed onto the application so that the user can revoke that token later if they choose to deny that application further access.

There is a standard way of doing this that has become very popular. It's called OAuth. Specifically, version 2 of the OAuth standard. There are a lot of great resources online for implementing OAuth so I would say that is outside the scope of this tutorial. If you are using Ruby, there are some great libraries that handle most of the work for you, like OmniAuth.

Upvotes: 2
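The login-then-token flow that the question sketches and the answer describes, as an added example (not code from the question, the answer, GroupMe, or the quoted article); the in-memory dictionaries, the PBKDF2 parameters and the one-hour token lifetime are assumptions:

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory "database"; a real API would use persistent storage.
USERS = {}   # username -> {"salt": bytes, "pw_hash": bytes}
TOKENS = {}  # sha256(token) -> {"user": str, "expires": float}
TOKEN_TTL = 3600  # assumed lifetime in seconds

def _pw_hash(password: str, salt: bytes) -> bytes:
    # Standard-library PBKDF2; the iteration count is an assumption, tune it for your hardware.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _token_id(token: str) -> str:
    # Only a hash of the token is stored, so a leaked TOKENS table yields no usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()

def register(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "pw_hash": _pw_hash(password, salt)}

def login(username: str, password: str):
    """Steps 1-4 of the question: verify credentials, return a fresh token or None."""
    user = USERS.get(username)
    # Hash against a dummy record for unknown users so the response time does not
    # reveal whether the username exists.
    salt = user["salt"] if user else b"\x00" * 16
    expected = user["pw_hash"] if user else _pw_hash("", salt)
    if not user or not hmac.compare_digest(_pw_hash(password, salt), expected):
        return None
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
    TOKENS[_token_id(token)] = {"user": username, "expires": time.time() + TOKEN_TTL}
    return token

def authenticate(token: str):
    """Run on every request: map the presented token back to a user, or None."""
    rec = TOKENS.get(_token_id(token))
    if rec is None:
        return None
    if rec["expires"] < time.time():
        TOKENS.pop(_token_id(token), None)  # expired: drop it and treat as invalid
        return None
    return rec["user"]

def revoke(token: str) -> bool:
    """Lets the user or the server invalidate a token, as the quoted excerpt describes."""
    return TOKENS.pop(_token_id(token), None) is not None
```

A client of a service like this should send the token in an `Authorization` header rather than as a query-string parameter as in the GroupMe URL above, because query strings routinely end up in server, proxy and browser-history logs.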
