Tags: authentication, oauth-2.0, openid, facebook-oauth

State-of-the-art session management with OpenID and OAuth2 for web apps


I'm implementing the authentication part of my web app using App Engine (Java), OpenID (for Google sign-in and so on), and OAuth2 (for Facebook sign-in). Important requirements include "keep me signed in" and secure access for each user to the datastore.

In my understanding, to implement the "keep me signed in" feature, I need a cookie to store a shared secret generated on the server side (App Engine). Also, to secure access to the datastore, each REST API call would need an extra argument, i.e. the shared secret, to identify the user each time the API is called. Does this sort of session management still dominate the development of modern web apps? A more general question is this: is session management outdated in the presence of REST, which moves in the direction of statelessness? I might misunderstand several important concepts here. Your guidance and pointers to relevant resources are appreciated.
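The session design the question sketches (a server-generated secret handed to the browser and checked on every REST call, with datastore access scoped to the resolved user), as an added example that is not part of the original post. The datastore, the cookie handling and the TTL values are constructed in-memory stand-ins and assumptions, and the example reads the secret from an HttpOnly cookie sent with each call rather than from an explicit request argument:

```python
"""Server-side "keep me signed in" session, as the question describes it.

Added example, not code from the original post. The datastore and the
cookie handling are constructed in-memory stand-ins; SESSION_TTL, SHORT_TTL
and the field names are assumptions.
"""
import hashlib
import secrets

SESSION_TTL = 30 * 24 * 3600       # assumed: remembered sessions last 30 days
SHORT_TTL = 3600                   # assumed: plain sessions last one hour


def _digest(token):
    # Store only a hash: a leaked session table then yields no usable cookies.
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    """Stand-in for a datastore kind holding session rows."""

    def __init__(self):
        self.rows = {}                # sha256(token) -> {"user", "expires"}

    def create(self, user_id, now, remember_me):
        token = secrets.token_urlsafe(32)   # the shared secret sent to the browser
        ttl = SESSION_TTL if remember_me else SHORT_TTL
        self.rows[_digest(token)] = {"user": user_id, "expires": now + ttl}
        return token

    def resolve(self, token, now):
        """Map a presented token to a user id, or None if unknown or expired."""
        key = _digest(token)
        row = self.rows.get(key)
        if row is None:
            return None
        if row["expires"] <= now:
            del self.rows[key]        # lazy cleanup of expired sessions
            return None
        return row["user"]

    def destroy(self, token):
        """Sign-out: drop the row so the cookie value is worthless afterwards."""
        self.rows.pop(_digest(token), None)


def set_cookie_header(token, remember_me):
    """Build the Set-Cookie header carrying the session secret."""
    attrs = ["session=" + token, "Path=/", "HttpOnly", "Secure", "SameSite=Lax"]
    if remember_me:                   # persistent cookie only when asked for
        attrs.append("Max-Age=%d" % SESSION_TTL)
    return "Set-Cookie: " + "; ".join(attrs)


def handle_api_request(store, cookie_token, now, datastore, requested_owner):
    """REST handler: the user identity comes from the session, never from
    the request parameters, and the datastore lookup is scoped to it."""
    user = store.resolve(cookie_token, now)
    if user is None:
        return 401, None              # no valid session: sign in again
    if requested_owner != user:
        return 403, None              # valid session, but not this user's data
    return 200, datastore.get(user)


def demo():
    """Exercise the handler across the cases a practitioner cares about."""
    store = SessionStore()
    datastore = {"alice": {"notes": 3}, "bob": {"notes": 1}}   # constructed data
    t0 = 1_000_000
    token = store.create("alice", t0, remember_me=True)
    a_week_later = handle_api_request(store, token, t0 + 7 * 24 * 3600, datastore, "alice")
    other_user = handle_api_request(store, token, t0, datastore, "bob")
    bogus = handle_api_request(store, "not-a-real-token", t0, datastore, "alice")
    after_ttl = handle_api_request(store, token, t0 + SESSION_TTL, datastore, "alice")
    return a_week_later, other_user[0], bogus[0], after_ttl[0]
```

Only the hash of the secret is persisted, the cookie is marked HttpOnly and Secure so script and plain HTTP cannot read it, and the handler derives the user from the session rather than trusting a user id in the request, which is what actually scopes the datastore access per user.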


Solution

  • When talking about OAuth, there's another way to look at the keep-me-signed-in feature.

    When an app uses OAuth, and when the user authenticates and authorizes, the app gets an access token and a refresh token. This is the basic OAuth workflow.

    Now, the app can make calls to the REST API on behalf of the user by providing the access token with the HTTP call. An access token is generally short-lived, usually 60 minutes. So your app can make authenticated calls for 60 minutes using that token; that's good enough to keep you signed in for 60 minutes.

    What happens after that?

    Every OAuth service provider, like Facebook, Google, etc., will provide a token exchange endpoint, another REST API. You can exchange the refresh token for a refresh token + access token pair. Now again, whenever you use the app, if the access token has expired, just hit the token exchange endpoint and get a new access token.

    The refresh token will not expire until the user explicitly logs in to the service provider's website and revokes permission for your app.
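The token lifecycle the answer describes, as an added example that is not part of the original answer: a short-lived access token used for API calls, a refresh token exchanged at the token endpoint once the access token has expired, and the point at which the user revokes the app and only a fresh sign-in helps. The provider (its token endpoint, resource API and revocation) is a constructed in-memory stand-in with a simulated clock so the flow runs offline; a real provider exposes these over HTTPS and the exact parameters differ per provider.

```python
"""OAuth2 access-token refresh, simulated end to end.

Added example, not code from the original post. FakeProvider is a constructed
stand-in for the OAuth2 provider; the 60 s early-refresh margin is an assumption.
"""
import secrets


class FakeProvider:
    """Constructed stand-in for an OAuth2 provider with a simulated clock."""

    def __init__(self, access_ttl=3600):
        self.access_ttl = access_ttl      # access tokens live one hour
        self.access_tokens = {}           # token -> (user, expiry time)
        self.refresh_tokens = {}          # token -> user
        self.now = 0.0                    # simulated clock, seconds

    def _issue(self, user):
        access = secrets.token_urlsafe(16)
        refresh = secrets.token_urlsafe(16)
        self.access_tokens[access] = (user, self.now + self.access_ttl)
        self.refresh_tokens[refresh] = user
        return {"access_token": access, "refresh_token": refresh,
                "expires_in": self.access_ttl}

    def authorize(self, user):
        """End of the authorization flow: the app receives a token pair."""
        return self._issue(user)

    def token_endpoint(self, grant_type, refresh_token):
        """Token exchange endpoint: a valid refresh token yields a new pair.
        The used refresh token is rotated out; an unknown one is rejected."""
        if grant_type != "refresh_token" or refresh_token not in self.refresh_tokens:
            return None                   # the real endpoint answers invalid_grant
        user = self.refresh_tokens.pop(refresh_token)
        return self._issue(user)

    def revoke(self, user):
        """The user revokes the app on the provider's site: all tokens die."""
        self.refresh_tokens = {t: u for t, u in self.refresh_tokens.items() if u != user}
        self.access_tokens = {t: v for t, v in self.access_tokens.items() if v[0] != user}

    def resource(self, bearer_token):
        """Protected REST API: 200 with data for a live token, else 401."""
        entry = self.access_tokens.get(bearer_token)
        if entry is None or entry[1] <= self.now:
            return 401, None
        return 200, {"user": entry[0]}


class OAuthClient:
    """App-side token holder that refreshes transparently before API calls."""

    def __init__(self, provider, token_response):
        self.provider = provider
        self.refresh_count = 0
        self._store(token_response)

    def _store(self, resp):
        self.access_token = resp["access_token"]
        self.refresh_token = resp["refresh_token"]
        # Treat the token as expired 60 s early to absorb clock skew (assumed margin).
        self.expires_at = self.provider.now + resp["expires_in"] - 60

    def _refresh(self):
        resp = self.provider.token_endpoint("refresh_token", self.refresh_token)
        if resp is None:
            # Refresh token revoked or otherwise invalid: only a fresh
            # interactive sign-in can recover from this.
            raise PermissionError("refresh rejected; user must sign in again")
        self._store(resp)
        self.refresh_count += 1

    def call_api(self):
        if self.provider.now >= self.expires_at:
            self._refresh()
        status, body = self.provider.resource(self.access_token)
        if status == 401:                 # expired or revoked server-side: retry once
            self._refresh()
            status, body = self.provider.resource(self.access_token)
        if status != 200:
            raise PermissionError("API call rejected after refresh")
        return body


def demo():
    """Walk through the flow: first hour, refresh after expiry, then revocation."""
    provider = FakeProvider(access_ttl=3600)
    client = OAuthClient(provider, provider.authorize("alice"))
    first = client.call_api()             # within the hour: no refresh needed
    provider.now += 3600                  # an hour passes, access token expires
    second = client.call_api()            # refreshed via the token endpoint
    provider.revoke("alice")              # user revokes the app at the provider
    try:
        client.call_api()
        revoked = False
    except PermissionError:
        revoked = True
    return first["user"], second["user"], client.refresh_count, revoked
```

The client never shows the user a login prompt while a refresh succeeds, which is the keep-me-signed-in effect the answer describes; the one path that forces an interactive sign-in is the rejected refresh after revocation, so that is the error the app must handle explicitly. Refresh tokens are long-lived credentials and belong in server-side storage, not in the browser.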