Proper authentication method for HATEOAS/REST API

Lately I have been reading a little bit about HATEOAS implementation in a HTTP JSON REST API (since I am making one), and I understand the general concept of links and actions and so on, and that there are many different formats defined such as HAL, JSON API, etc.

What I don't understand yet is what the relationship between HATEOAS/REST and authentication is, or to make it into a more concrete question, what type of authentication should a "proper" HATEOAS/REST API use?

Obviously, it should be stateless, like a JWT token or something like that, but is there any standard and/or rules/guidelines or is authentication totally different subject?

Edit:

To clarify even further, my problem is not that I am having problems picking what authentication to implement, but that I do not know what is required from the API authentication-wise in order to be able to call it a REST/HATEOAS API.

So the (hypothetical) scenario would be: Create an API that can be said to be REST/HATEOAS in every sense of the word and get $1,000,000. Make one minor protocol-violating mistake and get $0. Meaning, the objective is not to do what makes the most sense, is the most efficient or what benefits the developers and/or users, but just to be 100% REST/HATEOAS beyond the shadow of a doubt.


Like you said, you should look at authentication in an independent manner.

It's true that token-based authentication systems implemented using by-value tokens do fit well in the stateless world of HTTP-based APIs, so this could possibly be the recommendation to give for most common scenarios. However, you should look into the particular requirements of your scenario to reach a final decision; maybe there's a simpler option available, like API keys.

Keep in mind that if you choose a token-based approach there's still a lot to consider thereafter. Your API won't be of much use if you don't define a way for applications to obtain access tokens, and there are many ways you can go about this, for example:

  • You could roll your own system and define your own processes around how the tokens are obtained and then used by the API in order to perform authentication
    (not recommended; time-consuming and easy to get something wrong)

  • Implement an identity provider/authorization server system compliant with available authentication standards like OpenID Connect and OAuth 2.0
    (time-consuming and complex, but by following standards you're less likely to mess up and you'll also gain interoperability)

  • Delegate the authentication to a third-party authentication provider like Auth0
    (easy to get started; depending on the amount of usage it will cost you money instead of time)


Disclosure: I'm an Auth0 engineer.
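The answer's two points, that authentication is independent of the resource representation and that stateless by-value tokens fit a REST API while API keys are a simpler by-reference alternative, are illustrated below in an added example that is not part of the original answer or of any Auth0 code. The signing key, the `API_KEYS` table, the `/account` resource and its HAL-style `_links` are all constructed for this example; the by-value token is a minimal HMAC-signed payload rather than a full JWT, but the verification steps (constant-time signature check, then expiry) are the same ones a JWT verifier performs.

```python
"""Stateless by-value tokens vs. by-reference API keys in front of a REST resource.

Added example; not from the original answer. SECRET, API_KEYS and the
/account resource are constructed for illustration only.
"""
import base64
import hashlib
import hmac
import json
import time

# Hypothetical server-side signing key; in practice load it from a secrets store.
SECRET = b"constructed-example-key-do-not-use"

# By-reference credentials: the key itself carries no meaning, so the server
# must look it up on every request (state the API has to keep somewhere).
API_KEYS = {"k_constructed_123": {"sub": "svc-report", "scopes": ["account:read"]}}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(sub: str, scopes: list, ttl: int, now: int = None) -> str:
    """Build a by-value token: base64url(payload) + "." + base64url(HMAC-SHA256)."""
    now = int(time.time()) if now is None else now
    payload = {"sub": sub, "scopes": scopes, "iat": now, "exp": now + ttl}
    body = _b64url(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(SECRET, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


def verify_token(token: str, now: int = None):
    """Return the payload if signature and expiry check out, else None.

    Nothing is looked up: the token is self-describing, which is what makes
    this check stateless. Signature first, expiry second, never the reverse.
    """
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(SECRET, body.encode("ascii"), hashlib.sha256).digest()
        # Constant-time comparison: a plain == leaks timing information.
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        payload = json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    return payload


def authenticate(headers: dict, now: int = None):
    """Authenticate one request from its headers; returns the principal or None."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return verify_token(auth[len("Bearer "):], now)
    key = headers.get("X-API-Key")
    if key is not None:
        return API_KEYS.get(key)
    return None


def get_account(headers: dict, now: int = None) -> tuple:
    """A HATEOAS-style handler (hypothetical /account resource).

    Authentication is settled before any representation is built; the links
    returned are identical whichever credential type the caller presented.
    """
    principal = authenticate(headers, now)
    if principal is None:
        return 401, {"error": "unauthenticated"}
    if "account:read" not in principal.get("scopes", []):
        return 403, {"error": "forbidden"}
    return 200, {
        "id": principal["sub"],
        "_links": {
            "self": {"href": "/account"},
            "orders": {"href": "/account/orders"},
        },
    }
```

The resource handler never inspects the credential format itself; it only asks `authenticate()` for a principal. That separation is what lets you swap the token issuer (your own, an OAuth 2.0/OpenID Connect server, or a hosted provider) without touching the HATEOAS representation, which is the practical meaning of treating authentication as an independent concern.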