In an enterprise distributed system, a user of a web portal can sign into one site and be redirected to a federation provider. Once they log in with, for example, a Facebook account, that user is federated (single sign-on) with each service that exists in the enterprise that trusts the same federation provider for authentication.
My question is this: how can API users of the same system benefit from the same luxury (single sign-on)? As far as I understand it, API calls should be stateless, thus each request should require separate authentication.
If each of the distributed APIs, when called by a client, needs to make a call to the federation provider, get authenticated, pass claims back to the API, then process the client's request, it seems a little network chatty to me.
To clarify, an example scenario for an API client might be:
- Create a customer (customer API)
- Create a user for that customer (user API)
- Place an order (order API)
- View billing statement (billing API)
- View customer report (report API)
Like I say, it seems a little chatty for each API to talk to the federation provider on each request.
Best Answer
In general:
The nitty-gritty details of setting all that up will vary depending on what Authentication System, what sort of Token, and what API libraries you're using. Though if you're doing something beyond basic Google/Facebook integration, it's likely to be agonizing.
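Added example (not part of the question or the answer above, and not code from any particular product): the usual way to avoid the per-request round trip the question describes is for the federation provider to sign the claims once, and for each API to verify that signature locally with a copy of the provider's key. The client then presents the same bearer token to the customer, user, order, billing and report APIs without any of them calling the provider. The token below is JWT-shaped (base64url header.payload.signature) and uses HMAC-SHA256 so the script runs with only the Python standard library; in a real deployment the provider would sign with a private key (RS256/ES256) and the APIs would fetch and cache its public key, so that no API can mint tokens. The issuer URL, audience string, scope names and key bytes are all made up for the example.

```python
"""Bearer token signed once by the federation provider, verified locally by each API.

Constructed example. HS256 with a shared key stands in for the provider's
asymmetric signing key; every other name here (issuer, audience, scopes) is hypothetical.
"""
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    """Raised by an API when a bearer token must be rejected."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_b64(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def _hs256(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_token(key: bytes, subject: str, scopes, audience: str, now=None, ttl: int = 300) -> str:
    """Provider side: runs once, right after the user has authenticated (e.g. via Facebook)."""
    now = int(time.time()) if now is None else now
    payload = {
        "iss": "https://idp.example.test",  # hypothetical issuer
        "sub": subject,
        "aud": audience,
        "scope": " ".join(scopes),         # space-separated, OAuth2 style
        "iat": now,
        "exp": now + ttl,                  # short lifetime bounds the damage from a stolen token
    }
    signing_input = _json_b64({"alg": "HS256", "typ": "JWT"}) + "." + _json_b64(payload)
    return signing_input + "." + _b64url_encode(_hs256(key, signing_input))


def verify_token(key: bytes, token: str, audience: str, now=None) -> dict:
    """API side: purely local checks, no call to the federation provider."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    # Check the signature with OUR key and OUR algorithm before reading anything else:
    # the header is attacker-controlled and must never choose the algorithm ("alg": "none").
    try:
        presented = _b64url_decode(sig_b64)
    except ValueError:
        raise TokenError("malformed signature")
    if not hmac.compare_digest(_hs256(key, f"{header_b64}.{payload_b64}"), presented):
        raise TokenError("bad signature")
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        raise TokenError("malformed token body")
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    if not isinstance(claims, dict) or claims.get("aud") != audience:
        raise TokenError("wrong audience")   # a token for another service must not work here
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise TokenError("expired")
    return claims


def require_scope(claims: dict, scope: str) -> None:
    if scope not in claims.get("scope", "").split():
        raise TokenError(f"missing scope {scope}")


# Two of the APIs from the scenario; each holds its own copy of the verification key.
def customer_api_create(key: bytes, token: str, name: str, now=None) -> dict:
    claims = verify_token(key, token, audience="enterprise-apis", now=now)
    require_scope(claims, "customer:write")
    return {"customer": name, "created_by": claims["sub"]}


def billing_api_statement(key: bytes, token: str, customer: str, now=None) -> dict:
    claims = verify_token(key, token, audience="enterprise-apis", now=now)
    require_scope(claims, "billing:read")
    return {"customer": customer, "viewed_by": claims["sub"], "balance": 0}


def handle(api, *args, **kwargs) -> dict:
    """Map a TokenError to a 401-style response, as an API front end would."""
    try:
        return {"status": 200, "body": api(*args, **kwargs)}
    except TokenError as exc:
        return {"status": 401, "error": str(exc)}


if __name__ == "__main__":
    key = b"constructed-demo-key-do-not-reuse"
    tok = issue_token(key, "alice", ["customer:write", "billing:read"], "enterprise-apis")
    print(handle(customer_api_create, key, tok, "ACME"))   # one token, first API
    print(handle(billing_api_statement, key, tok, "ACME")) # same token, second API, no provider call
```

The chattiness disappears because verification is a hash computation, not a network call; what the APIs give up is instant revocation, which is why the `exp` lifetime is kept short and why a real provider publishes rotating public keys rather than a shared secret.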