Is passing the tenant in a custom HTTP header RESTful?

Asked 25/10, 2012 at 22:3 Answered 29/6, 2015 at 17:15

Solved rest http-headers uri restful-url restful-architecture

I'm considering the following two ways of identifying the tenant of a HTTP request, in a multi-tenant environment - hardcoding the tenant in the URI:

/{tenantUuid}/foos/{id}

Or passing the tenant in a custom HTTP Header, such as:

X-Auth-Token: 7d2f63fd-4dcc-4752-8e9b-1d08f989cc00"

Note that the {id} is unique across all tenants - so /{tenantUuid}/foos/{id} will still uniquely identify a foo Resource.

My question is - is it theoretically correct to use a Custom Header for this, or is the use of a Custom Header not restful. I am also aware that X-... headers have been deprecated, but the question is ignoring that fact.

Thanks.

Strum answered 25/10, 2012 at 22:3 Comment(0)

The URI should uniquely identify the resource.

But this is orthogonal to authorization and access. Two people could ask for the same resource. One gets nothing, an elided copy, or an error; whereas the other would get the whole thing because they are properly identified in the Authorization header.

Now the URI can include the tenant id as part of its unique URI, there's nothing wrong with that. But either way, the resource itself will (somehow, including by a component of its URI or an internal state) "know" to which tenant it belongs.

So, in your case you should be using the HTTP Authorization header to properly identify the requester and then use that information to determine internally whether and what the response will be for a specific request. A requester may be authorized to see none, one, some or all tenants on a system.

You shouldn't need a custom header at all for this use case.

Villainage answered 25/10, 2012 at 23:47 Comment(0)

If you needed the tenant ID to identify the resource, then the RESTful way would be to have it in the URL. If you don't (id is unique across tenants) then technically, you don't need it in the URL or the header.

Since id is unique across all tenants then /foos/{id} can uniquely identify that resource and is RESTful.

I would avoid using custom headers as a way of addressing a resource. They should be used instead to pass ancillary information like accept types, auth tokens, etc... You need to decide whether it's critical to identify the resource and put it in the URL or not.

Dichotomize answered 25/10, 2012 at 23:24 Comment(0)

It might be as interesting for your app to separate users from different tenants than for app like craig's list to separate it from cities.

But do you want to show all kind of separations in your URI ? Do you want a URI such as /comcast/blackeyes/long-haired/london/ ?

Being RESTful or RESTenough won't answer this question. It's just a question of taste.

Geraldina answered 29/6, 2015 at 17:15 Comment(0)

Recommended topics

Hot tags