Pascal Voitot wrote:
Look at this article, which shows an even worse example
by Sun :)
http://developers.sun.com/identity/reference/techart/id-svcs.html
To my mind:
/authentication could be a resource
/authentication/logout is not a resource but an action...
Right.
so something like "GET /authorization?state=logout" might not be exactly
RESTful but it is acceptable for my intellect ;)
A way to do authentication is the way Google does.
You post your credentials to /authorization and you get as a response a
token that you provide in subsequent requests with an Authorization header.
The POST operation could also generate a URI that you will DELETE in
order to logout. Or you can also put a timeout on the token so you don't
have to logout at all.
The problem here is that, while this is perfectly RESTful, it's not very
practical to do with a plain browser because, unless you do some
JavaScript magic, you cannot add headers to a request just by typing
something in the URL bar.
A solution could be, as others suggested, to use the
http://username:password@uri form in order to leverage Basic auth, or, as I
proposed, to expose a special URI that when requested challenges the
browser to ask for authentication. Subsequent requests will have the
Authorization header set and, hence, login performed.
-Fabio
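The token flow Fabio describes (POST credentials to /authorization, receive a token to send in an Authorization header, DELETE the returned URI to log out, or let the token time out), as an added, framework-free example that is not part of the original thread. The user store, the Bearer scheme, the 15-minute TTL and the injectable clock are assumptions for illustration; a real deployment would store password hashes rather than the plaintext shown here.

```python
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL = 900  # seconds; assumed value (15 minutes) for the token timeout


@dataclass
class AuthService:
    users: dict                                   # username -> password (constructed demo store)
    sessions: dict = field(default_factory=dict)  # token -> (username, expires_at)
    clock: callable = time.time                   # injectable so expiry can be tested

    def login(self, username, password):
        """POST /authorization with credentials; returns (status, body)."""
        expected = self.users.get(username, "")
        # compare_digest keeps the comparison constant-time; an unknown user
        # still goes through the comparison rather than returning early
        if not secrets.compare_digest(expected.encode(), password.encode()):
            return 401, {"error": "invalid credentials"}
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, unguessable
        self.sessions[token] = (username, self.clock() + TOKEN_TTL)
        # the returned URI is the one the client DELETEs to log out
        return 201, {"token": token, "location": f"/authorization/{token}"}

    def authenticate(self, headers):
        """Resolve an 'Authorization: Bearer <token>' header to a username, or None."""
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not token:
            return None
        entry = self.sessions.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        if self.clock() >= expires_at:  # timed out: drop the stale token
            del self.sessions[token]
            return None
        return username

    def logout(self, headers, path):
        """DELETE /authorization/<token>; returns an HTTP status code."""
        prefix = "/authorization/"
        if not path.startswith(prefix):
            return 404
        token = path[len(prefix):]
        caller = self.authenticate(headers)
        entry = self.sessions.get(token)
        # only an authenticated caller may revoke, and only their own token
        if caller is None or entry is None or entry[0] != caller:
            return 401
        del self.sessions[token]
        return 204
```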