I am working on a REST API that will be used by developers writing mobile apps. Users will be able to use 3rd party services (Google, Twitter etc) to authenticate themselves, this is mainly handled by OAuth (depending on the service in question). We use 2-legged OAuth between the client application and the API Server (where the consumer key/secret is app specific, the developer gets it from our site when the app is registered there).
My problem is how to handle to keep track of the user authentication in a stateless manner. I do not have the users credentials to send in each request. I could create a unique session_id when a user logs in and then require that in each request to the REST API. Are there any other solutions to my problem? Does using a unique session_id to identify the user cause any problems from a stateless REST API perspective?
Disclaimer: I am not in anyway a security expert.
Don’t call it a session_Id. Call it an authentication token and pass it the Authorization HTTP header using your own authentication scheme. See the Google AuthSub for an example.
Do not use this authentication token for anything other than identifying the user and determining if they are authorized to perform the request. Do not associate any state to the token and do not retrieve user preferences based on it.