Presentation is loading. Please wait.

Presentation is loading. Please wait.

Beautiful REST + JSON APIs

Published byGwen Cooper Modified over 6 years ago

Similar presentations

Presentation on theme: "Beautiful REST + JSON APIs"— Presentation transcript:

1 Beautiful REST + JSON APIs
Les CTO, Stormpath stormpath.com

2 .com Identity Management and Access Control API
Security for your applications User security workflows Security best practices Developer tools, SDKs, libraries

3 Outline APIs, REST & JSON REST Fundamentals Design Base URL Errors
Versioning Resource Format Return Values Content Negotiation References (Linking) Pagination Query Parameters Associations Errors IDs Method Overloading Resource Expansion Partial Responses Caching & Etags Security Multi Tenancy Maintenance

4 APIs Applications Developers Pragmatism over Ideology Adoption Scale
Learn more at Stormpath.com

5 Why REST? Scalability Generality Independence Latency (Caching)
Security Encapsulation Learn more at Stormpath.com

6 Why JSON? Ubiquity Simplicity Readability Scalability Flexibility
Learn more at Stormpath.com

7 HATEOAS Hypermedia As The Engine Of Application State
Further restriction on REST architectures. Learn more at Stormpath.com

8 REST Is Easy Learn more at Stormpath.com

9 REST Is *&@#$! Hard (for providers)
Learn more at Stormpath.com

10 REST can be easy (if you follow some guidelines)
Learn more at Stormpath.com

11 Example Domain: Stormpath
Applications Directories Accounts Groups Associations Workflows

12 Fundamentals Learn more at Stormpath.com

13 Resources Nouns, not Verbs Coarse Grained, not Fine Grained Architectural style for use-case scalability Learn more at Stormpath.com

14 What If? /getAccount /createDirectory /updateGroup /verifyAccount Address Learn more at Stormpath.com

15 What If? /getAccount /getAllAccounts /searchAccounts /createDirectory /createLdapDirectory /updateGroup /updateGroupName /findGroupsByDirectory /searchGroupsByName /verifyAccount Address /verifyAccount AddressByToken … Smells like bad RPC. DON’T DO THIS. Learn more at Stormpath.com

16 Keep It Simple Learn more at Stormpath.com

17 The Answer Fundamentally two types of resources: Collection Resource Instance Resource Learn more at Stormpath.com

18 Collection Resource /applications Learn more at Stormpath.com

19 Instance Resource /applications/a1b2c3 Learn more at Stormpath.com

20 Behavior GET PUT POST DELETE HEAD Learn more at Stormpath.com

21 Create, Read, Update, Delete
Behavior POST, GET, PUT, DELETE ≠ 1:1 Create, Read, Update, Delete Learn more at Stormpath.com

22 Behavior As you would expect: GET = Read DELETE = Delete HEAD = Headers, no Body Learn more at Stormpath.com

23 Behavior Not so obvious: PUT and POST can both be used for Create and Update Learn more at Stormpath.com

24 PUT for Create Identifier is known by the client:
PUT /applications/clientSpecifiedId { } Learn more at Stormpath.com

25 PUT for Update Full Replacement PUT /applications/existingId {
“name”: “Best App Ever”, “description”: “Awesomeness” } Learn more at Stormpath.com

26 PUT Idempotent Learn more at Stormpath.com

27 POST as Create On a parent resource POST /applications {
“name”: “Best App Ever” } Response: 201 Created Location: Learn more at Stormpath.com

28 POST as Update On instance resource POST /applications/a1b2c3 {
“name”: “Best App Ever. Srsly.” } Response: 200 OK Learn more at Stormpath.com

29 POST NOT Idempotent Learn more at Stormpath.com

30 Media Types Format Specification + Parsing Rules
Request: Accept header Response: Content-Type header application/json application/foo+json application/foo+json;application Learn more at Stormpath.com

31 Design Time! Learn more at Stormpath.com

32 Base URL Learn more at Stormpath.com

33 http(s)://api.foo.com vs http://www.foo.com/dev/service/api/rest
Learn more at Stormpath.com

34 http(s)://api.foo.com Rest Client vs Browser
Learn more at Stormpath.com

35 Versioning Learn more at Stormpath.com

36 URL https://api. stormpath. com/v1 vs
URL vs. Media-Type application/foo+json;application&v=1 Learn more at Stormpath.com

37 Resource Format Learn more at Stormpath.com

38 Media Type Content-Type: application/json When time allows: application/foo+json application/foo+json;bar=baz&v=1 … Learn more at Stormpath.com

39 camelCase ‘JS’ in ‘JSON’ = JavaScript myArray.forEach Not myArray.for_each account.givenName Not account.given_name Underscores for property/function names are unconventional for JS. Stay consistent. Learn more at Stormpath.com

40 Date/Time/Timestamp There’s already a standard. Use it: ISO 8601
Example: { …, “createdTimestamp”: “ T18:02:24.343Z” } Use UTC! Learn more at Stormpath.com

41 Response Body Learn more at Stormpath.com

42 Return the representation in the response when feasible.
GET obvious What about POST? Return the representation in the response when feasible. Add override (?_body=false) for control Learn more at Stormpath.com

43 Content Negotiation Learn more at Stormpath.com

44 Header Accept header Header values comma delimited in order of preference GET /applications/a1b2c3 Accept: application/json, text/plain Learn more at Stormpath.com

45 Resource Extension /applications/a1b2c3.json /applications/a1b2c3.csv … Conventionally overrides Accept header Learn more at Stormpath.com

46 HREF Distributed Hypermedia is paramount!
Every accessible Resource has a canonical unique URL Replaces IDs (IDs exist, but are opaque). Critical for linking, as we’ll soon see Learn more at Stormpath.com

47 Instance w/ HREF (v1) GET /accounts/x7y8z9 Learn more at Stormpath.com
200 OK { “href”: “ “givenName”: “Tony”, “surname”: “Stark”, ... } Learn more at Stormpath.com

48 Resource References aka ‘Linking’ (v1)
Learn more at Stormpath.com

49 Hypermedia is paramount. Linking is fundamental to scalability.
Tricky in JSON XML has it (XLink), JSON doesn’t How do we do it? Learn more at Stormpath.com

50 Instance Reference (v1)
GET /accounts/x7y8z9 200 OK { “href”: “ “givenName”: “Tony”, “surname”: “Stark”, …, “directory”: ???? } Learn more at Stormpath.com

51 Instance Reference (v1)
GET /accounts/x7y8z9 200 OK { “href”: “ “givenName”: “Tony”, “surname”: “Stark”, …, “directory”: { “href”: “ } Learn more at Stormpath.com

52 Collection Reference (v1)
GET /accounts/x7y8z9 200 OK { “href”: “ “givenName”: “Tony”, “surname”: “Stark”, …, “groups”: { “href”: “ } Learn more at Stormpath.com

53 Linking v2 (recommended)
Learn more at Stormpath.com

54 Instance HREF (v2) GET /accounts/x7y8z9 Learn more at Stormpath.com
200 OK { “meta”: { “href”: “ “mediaType”: “application/ion+json;version=2&schema=...” }, “givenName”: “Tony”, “surname”: “Stark”, } Learn more at Stormpath.com

55 Instance Reference (v2)
GET /accounts/x7y8z9 200 OK { “meta”: { ... }, “givenName”: “Tony”, “surname”: “Stark”, …, “directory”: { “meta”: { “href”: “ “mediaType”: “application/ion+json;version=2&schema=...” } Learn more at Stormpath.com

56 Collection Reference (v2)
GET /accounts/x7y8z9 200 OK { “meta”: { ... }, “givenName”: “Tony”, “surname”: “Stark”, …, “groups”: { “meta”: { “href”: “ “mediaType”: “application/ioncoll+json;version=2&schema=...” } Learn more at Stormpath.com

57 Reference Expansion (aka Entity Expansion, Link Expansion)
Learn more at Stormpath.com

58 Account and its Directory?
Learn more at Stormpath.com

59 GET /accounts/x7y8z9?expand=directory
200 OK { “meta”: {...}, “givenName”: “Tony”, “surname”: “Stark”, …, “directory”: { “meta”: { ... }, “name”: “Avengers”, “description”: “Hollywood’s hope for more $”, “creationDate”: “ T14:22:18.029Z”, } Learn more at Stormpath.com

60 Partial Representations
Learn more at Stormpath.com

61 GET /accounts/x7y8z9?fields=givenName,surname,directory(name)
Learn more at Stormpath.com

62 Pagination Learn more at Stormpath.com

63 Collection Resource supports query params: Offset Limit
…/applications?offset=50&limit=25 Learn more at Stormpath.com

64 GET /accounts/x7y8z9/groups
200 OK { “meta”: { ... }, “offset”: 0, “limit”: 25, “first”: { “meta”:{“href”: “…/accounts/x7y8z9/groups?offset=0”}}, “previous”: null, “next”: { “meta”:{“href”: “…/accounts/x7y8z9/groups?offset=25”}}, “last”: { “meta”:{“href”: “…”}}, “items”: [ “meta”: { “href”: “…”, ...} }, ] } Learn more at Stormpath.com

65 Many To Many Learn more at Stormpath.com

66 Group to Account A group can have many accounts
An account can be in many groups Each mapping is a resource: GroupMembership Learn more at Stormpath.com

67 GET /groupMemberships/23lk3j2j3
200 OK { “meta”:{“href”: “…/groupMemberships/23lk3j2j3”}, “account”: { “meta”:{“href”: “…”} }, “group”: { “meta”{“href”: “…”} } Learn more at Stormpath.com

68 GET /accounts/x7y8z9 Learn more at Stormpath.com 200 OK {
“meta”:{“href”: “…/accounts/x7y8z9”}, “givenName”: “Tony”, “surname”: “Stark”, …, “groups”: { “meta”:{“href”: “…/accounts/x7y8z9/groups”} }, “groupMemberships”: { “meta”:{“href”: “…/groupMemberships?accountId=x7y8z9”} } Learn more at Stormpath.com

69 Errors Learn more at Stormpath.com

70 As descriptive as possible As much information as possible
Developers are your customers Learn more at Stormpath.com

71 POST /directories 409 Conflict { “status”: 409, “code”: 40924,
“property”: “name”, “message”: “A Directory named ‘Avengers’ already exists.”, “developerMessage”: “A directory named ‘Avengers’ already exists. If you have a stale local cache, please expire it now.”, “moreInfo”: “ } Learn more at Stormpath.com

72 Security Learn more at Stormpath.com

73 Learn more at Stormpath.com
Avoid sessions when possible Authenticate every request if necessary Stateless Authorize based on resource content, NOT URL! Use Existing Protocol: Oauth 1.0a, Oauth2, Basic over SSL only Custom Authentication Scheme: Only if you provide client code / SDK Only if you really, really know what you’re doing Use API Keys instead of Username/Passwords Learn more at Stormpath.com

74 401 vs 403 401 “Unauthorized” really means Unauthenticated
“You need valid credentials for me to respond to this request” 403 “Forbidden” really means Unauthorized “I understood your credentials, but so sorry, you’re not allowed!” Learn more at Stormpath.com

75 HTTP Authentication Schemes
Server response to issue challenge: WWW-Authenticate: <scheme name> realm=“Application Name” Client request to submit credentials: Authorization: <scheme name> <data> Learn more at Stormpath.com

76 API Keys Entropy Password Reset Independence Speed Limited Exposure
Traceability Learn more at Stormpath.com

77 IDs Learn more at Stormpath.com

78 Should be globally unique
IDs should be opaque Should be globally unique Avoid sequential numbers (contention, fusking) Good candidates: UUIDs, ‘Url64’ Learn more at Stormpath.com

79 HTTP Method Overrides Learn more at Stormpath.com

80 POST /accounts/x7y8z9?_method=DELETE
Learn more at Stormpath.com

81 Caching & Concurrency Control
Learn more at Stormpath.com

82 Server (initial response):
Server (initial response): ETag: " a7c876b7e” Client (later request): If-None-Match: " a7c876b7e” Server (later response): 304 Not Modified Learn more at Stormpath.com

83 Maintenance Learn more at Stormpath.com

84 Use HTTP Redirects Create abstraction layer / endpoints when migrating Use well defined custom Media Types Learn more at Stormpath.com

85 Sign Up Now: Stormpath.com
Free for developers Eliminate months of development Automatic security best practices Sign Up Now: Stormpath.com

Download ppt "Beautiful REST + JSON APIs"

Similar presentations

Give it a REST already Arnon Rotem-Gal-Oz VP R&D xsights www.xsights.com www.rgoarchitects.com/nblog.

Give it a REST already Arnon Rotem-Gal-Oz VP R&D xsights
REST Vs. SOAP.

REST Vs. SOAP.
Introduction to Web Services

Introduction to Web Services
REST &.NET James Crisp.NET Practice Lead ThoughtWorks Australia.

REST &.NET James Crisp.NET Practice Lead ThoughtWorks Australia.
Server Access The REST of the Story David Cleary

Server Access The REST of the Story David Cleary
REST (Representational State Transfer)

REST (Representational State Transfer)
Hypertext Transfer PROTOCOL ----HTTP Sen Wang CSE5232 Network Programming.

Hypertext Transfer PROTOCOL ----HTTP Sen Wang CSE5232 Network Programming.
Building RESTful Interfaces

Building RESTful Interfaces
REST support for B2B access to your AppServer PUG Challenge Americas - 2014 Michael Jacobs : Senior Software Architect Edsel Garcia : Principal Software.

REST support for B2B access to your AppServer PUG Challenge Americas Michael Jacobs : Senior Software Architect Edsel Garcia : Principal Software.
Hypertext Transport Protocol CS - 328 Dick Steflik.

Hypertext Transport Protocol CS Dick Steflik.
 What is it ? What is it ?  URI,URN,URL URI,URN,URL  HTTP – methods HTTP – methods  HTTP Request Packets HTTP Request Packets  HTTP Request Headers.

 What is it ? What is it ?  URI,URN,URL URI,URN,URL  HTTP – methods HTTP – methods  HTTP Request Packets HTTP Request Packets  HTTP Request Headers.
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten

OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten
Designing and Implementing Web Data Services in Perl

Designing and Implementing Web Data Services in Perl
Web Architecture & Services (2) Representational State Transfer (REST)

Web Architecture & Services (2) Representational State Transfer (REST)
REST.  REST is an acronym standing for Representational State Transfer  A software architecture style for building scalable web services  Typically,

REST.  REST is an acronym standing for Representational State Transfer  A software architecture style for building scalable web services  Typically,
CollectionSpace Service REST-based APIs June 2009 Face-to-face Aron Roberts U.C. Berkeley IST/Data Services.

CollectionSpace Service REST-based APIs June 2009 Face-to-face Aron Roberts U.C. Berkeley IST/Data Services.
MINT Working Group Jan 9-10 at Harris FBC Melbourne, FL.

MINT Working Group Jan 9-10 at Harris FBC Melbourne, FL.
REST - Introduction Based on material from InfoQ.com (Stefan Tilkov) And slides from MindTouch.com (Steve Bjorg) 1.

REST - Introduction Based on material from InfoQ.com (Stefan Tilkov) And slides from MindTouch.com (Steve Bjorg) 1.
Introduction to the SharePoint 2013 REST API. 2 About Me SharePoint Solutions Architect at Sparkhound in Baton Rouge

Introduction to the SharePoint 2013 REST API. 2 About Me SharePoint Solutions Architect at Sparkhound in Baton Rouge
A Limited Definition of Web Services Paul Kopacz CIS*6650.01 Service Oriented Architecture Instructor: Qusay H. Mahmoud, Ph.D. February.

A Limited Definition of Web Services Paul Kopacz CIS* Service Oriented Architecture Instructor: Qusay H. Mahmoud, Ph.D. February.

Similar presentations

Ads by Google