Skyrocketing Web APIs
By making the right decisions
Daniel Cerecedo (@dcerecedo)

Transcript of Skyrocketing Web APIs (86 slides)

Page 1: Skyrocketing Web APIs

Skyrocketing Web APIs: By making the right decisions

Daniel Cerecedo (@dcerecedo)

Page 2: Why REST over HTTP?

@dcerecedo, Byteflair

Page 3: Why REST over HTTP?

"The limits of my language mean the limits of my world." (Ludwig Wittgenstein)

Everybody speaks HTTP

Page 4: Developer UX

HTTP is for browsers

Page 5: Developer UX

Design with the developer in mind, not browsers

Page 6: REST over HTTP

Components: URIs, Verbs, Status Codes, Headers, Body

Page 7: REST over HTTP

Separate the resource representation from contextual data:

Representation → Body
Contextual data → Headers

Page 8: REST over HTTP

Use the HTTP status code to inform the client about the result:

2xx → OK
Anything else → KO
4xx → Client error
5xx → Server error

Page 9: REST over HTTP

Use the best-matching HTTP status code.

Add specific application error codes to error responses.

Page 10: REST over HTTP

The semantics of an API should be in the URI... but everybody thinks Verbs + URIs fit better on HTTP.

Page 11: REST over HTTP

Page 12: Hypermedia

Page 13: Hypermedia

Applications can be modeled as state machines

Page 14: Hypermedia

Page 15: Hypermedia

Page 16: Hypermedia

Model the problem domain:
Identify domain resources
Identify resource state transitions

Page 17: Hypermedia

Domain resources: Vehicles, Users, Sessions

Resource state transitions:
Create resources
Assign owner to vehicle
Activate session with driver & vehicle
Deactivate session

Page 18: Hypermedia

Define resource representation formats → MIME types
Define roles for each hypermedia control → rel types

Page 19: Hypermedia

GET /
Headers:
Link: <https://api.domain.com/vehicles>; rel="vehicles", <https://api.domain.com/users>; rel="users", <https://api.domain.com/sessions>; rel="sessions"
Body: ...

Page 20: Hypermedia

GET /vehicles
Headers:
Link: <https://api.domain.com/vehicles?page=1&size=20>; rel="next"
Body: [ {...}, {...}, ... ]

Control links

Page 21: Hypermedia

GET /sessions/1374
Body:
{
  ...,
  "vehicle": "https://api.domain.com/vehicles/1",
  "driver": "https://api.domain.com/users/1"
}

These are also control links.

Use conventions to get full semantics!

Page 22: Hypermedia

GET /vehicles/1
Body:
{
  ...,
  "owner": "https://api.domain.com/users/1"
}

Relation types specify the role of the link

Page 23: Hypermedia

GET /sessions/1374
Body:
{
  ...,
  "vehicle": "https://api.domain.com/vehicles/1",
  "driver": "https://api.domain.com/persons/1"
}

Page 24: Hypermedia

Let the client discover its resource access level → OPTIONS

Page 25: Hypermedia

Conventions: rel types, media types, methods, status codes

Page 26: Hypermedia

Think as if you had to write a client, and minimize the number of things you have to know about the API beforehand.

Page 27: Hypermedia

A client and an API do not get decoupled magically.
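Added example (Python, not code from the talk or from Byteflair): a small hypermedia client built the way pages 16 to 27 suggest. It parses and builds RFC 8288 Link headers, follows rel="next" until the server stops offering it, and exposes the session transitions (activate, deactivate) as links the server decides to include for the current state. The API origin https://api.domain.com, the rel names and the Session transition table are assumptions drawn from the slides' vehicles/users/sessions domain; the fetch function and its pages are constructed stand-ins for HTTP responses.

```python
"""Hypermedia in practice: Link headers, rel-driven navigation, transitions as links.

Added example, not code from the talk. API_ORIGIN, the rel names and the
Session transition table are assumptions based on the slides' domain.
"""
import re
from urllib.parse import urljoin, urlsplit

API_ORIGIN = "https://api.domain.com"  # assumed, as on the slides

# One RFC 8288 link-value: <URI-Reference> followed by ;-separated parameters.
_LINK_VALUE = re.compile(r"<([^>]*)>((?:\s*;\s*[^;,]+)*)")
_PARAM = re.compile(r';\s*([A-Za-z0-9_-]+)\s*=\s*(?:"([^"]*)"|([^;,\s]+))')


def same_origin(url, origin):
    a, b = urlsplit(url), urlsplit(origin)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)


def parse_link_header(header):
    """Parse a Link header into {rel: url}, keeping only links on the API origin.

    The filter matters for a generic hypermedia client: whatever emits the
    header (the API, or something between it and us) must not be able to
    steer the client, and its bearer token, to a foreign host. Relative
    references are resolved against the API origin first.
    """
    links = {}
    for m in _LINK_VALUE.finditer(header or ""):
        url = urljoin(API_ORIGIN + "/", m.group(1))
        params = {k.lower(): (q or u) for k, q, u in _PARAM.findall(m.group(2))}
        if "rel" not in params or not same_origin(url, API_ORIGIN):
            continue
        for rel in params["rel"].split():   # rel="a b" carries two relation types
            links[rel.lower()] = url
    return links


def build_link_header(links):
    """Serialise {rel: url} as a comma-separated Link header."""
    return ", ".join(f'<{url}>; rel="{rel}"' for rel, url in links.items())


def collect_pages(fetch, first_url, max_hops=100):
    """Follow rel="next" until the server stops offering it.

    `fetch(url)` returns (headers, body). `max_hops` bounds a server that
    links forever; the client knows the entry URL and the rel, nothing else.
    """
    items, url, hops = [], first_url, 0
    while url and hops < max_hops:
        headers, body = fetch(url)
        items.extend(body)
        url = parse_link_header(headers.get("Link")).get("next")
        hops += 1
    return items


# Sessions as a state machine (assumed transitions): state -> {rel: next_state}.
SESSION_TRANSITIONS = {
    "created": {"activate": "active"},
    "active": {"deactivate": "inactive"},
    "inactive": {},
}


def session_links(session_id, state):
    """Links the server attaches to a session; the rels name what the client may do next."""
    base = f"{API_ORIGIN}/sessions/{session_id}"
    links = {"self": base}
    for rel in SESSION_TRANSITIONS[state]:
        links[rel] = f"{base}/{rel}"
    return links


def apply_transition(state, rel):
    """Server-side guard: a transition is valid only if it was offered for this state."""
    if rel not in SESSION_TRANSITIONS[state]:
        raise ValueError(f"transition {rel!r} not available from state {state!r}")
    return SESSION_TRANSITIONS[state][rel]


# Constructed responses standing in for GET /vehicles and its "next" page.
_FAKE_PAGES = {
    f"{API_ORIGIN}/vehicles": (
        {"Link": build_link_header({"next": f"{API_ORIGIN}/vehicles?page=1&size=20"})},
        [{"id": 1}, {"id": 2}],
    ),
    f"{API_ORIGIN}/vehicles?page=1&size=20": ({}, [{"id": 3}]),
}


def fake_fetch(url):
    return _FAKE_PAGES[url]


if __name__ == "__main__":
    print(collect_pages(fake_fetch, f"{API_ORIGIN}/vehicles"))
    print(session_links(1374, "active"))
```

The origin check in parse_link_header is the caveat a hypermedia client needs: once a client follows links instead of hard-coding URIs, anything that can inject a Link header can redirect it, credentials and all, so only links on the API's own origin are honoured.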

Page 28: Dynamic views

Page 29: Dynamic views

We need different data access to the same resource depending on the security context.

Page 30: Dynamic views

Scenario:
Any User resource can be fully viewed by an administrator.
A logged-in user can fully view their own User resource.
Other users can only see their public data.

Page 31: Dynamic views

Scenario: one URI per role

/users/{id}
/users/{id}/owner
/users/{id}/admin

Page 32: Dynamic views

Page 33: Dynamic views

Scenario: partition the resource and give each role access to its partition

/users/{id}
/users/{id}/my-private-data
/users/{id}/data-about-me-only-the-admin-knows

Page 34: Dynamic views

Scenario: one URI per resource; select one view at runtime depending on the security context

/users/{id}

Page 35: Dynamic views

1. Create a mechanism to define views
2. Create a mechanism to define the views applicable to a resource
3. Create a mechanism to define which view to apply

Page 36: Dynamic views (1)

Page 37: Dynamic views (1)

Page 38: Dynamic views (2)

Page 39: Dynamic views (3)
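Added example (Python, not the talk's code) of the three mechanisms on page 35 applied to the scenario on page 30: views as field allow-lists, an ordered list of (view, predicate) rules per resource type, and a selector that applies the first matching rule. The view names, the User fields and the SecurityContext shape are assumptions; the sample user record is constructed.

```python
"""Dynamic views: one URI per resource, the view picked from the security context.

Added example, not code from the talk. View names, User fields and the
SecurityContext shape are assumptions; the scenario is the slides'.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SecurityContext:
    user_id: Optional[str]               # None for an anonymous caller
    roles: frozenset = frozenset()


# 1. A mechanism to define views: a view is an allow-list of field names.
#    Allow-lists, not deny-lists: a column added to the model tomorrow stays
#    hidden until somebody decides which view it belongs to.
VIEWS = {
    "public": frozenset({"id", "display_name"}),
    "owner": frozenset({"id", "display_name", "email", "phone"}),
    "admin": frozenset({"id", "display_name", "email", "phone", "created_at", "flags"}),
}

# 2. A mechanism to define the views applicable to a resource, as ordered
#    (view, predicate) rules. The last rule is the catch-all, so the most
#    restrictive view is what you get when nothing more specific applies.
RESOURCE_VIEWS = {
    "user": [
        ("admin", lambda res, ctx: "admin" in ctx.roles),
        ("owner", lambda res, ctx: ctx.user_id is not None and ctx.user_id == res["id"]),
        ("public", lambda res, ctx: True),
    ],
}


# 3. A mechanism to define which view to apply: the first matching rule wins.
def select_view(resource_type, resource, ctx):
    for view, applies in RESOURCE_VIEWS[resource_type]:
        if applies(resource, ctx):
            return view
    raise LookupError(f"no view applies to {resource_type}")  # misconfiguration, not a 403


def render(resource_type, resource, ctx):
    """Project the stored resource through the selected view (GET /users/{id})."""
    allowed = VIEWS[select_view(resource_type, resource, ctx)]
    return {name: value for name, value in resource.items() if name in allowed}


# Constructed sample resource.
USER = {
    "id": "u1",
    "display_name": "Ana",
    "email": "ana@example.test",
    "phone": "+34 600 000 000",
    "created_at": "2015-03-01",
    "flags": ["beta"],
}

if __name__ == "__main__":
    for ctx in (SecurityContext(None), SecurityContext("u2"), SecurityContext("u1"),
                SecurityContext("u9", frozenset({"admin"}))):
        print(select_view("user", USER, ctx), render("user", USER, ctx))
```

Two points worth carrying over: the catch-all rule makes the most restrictive view the default, so a mistake in the predicates fails closed; and because the representation, and therefore its ETag, depends on the view, two callers with different views legitimately hold different ETags for the same resource, which is the concern page 45 raises.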

Page 40: Updates & Concurrency

Page 41: Updates & Concurrency

Scenario:
Two clients attempt to update the same resource concurrently.
The representation is the state of the application.
I want to avoid the second request updating the resource from an inconsistent representation.

Page 42: Updates & Concurrency

Scenario: compare the incoming resource with the existing resource...

Page 43: Updates & Concurrency

...if they are unequal, reject...

Page 44: Updates & Concurrency

...and, if possible, inform the user which fields violated the precondition.

Page 45: Updates & Concurrency

If we have dynamic views, the same resource may expose different fields for different security contexts.

Page 46: Updates & Concurrency

Scenario:
What if we don't want all fields to be updatable?
What if we need fine-grained access control to fields?

Page 47: Updates & Concurrency

1. We need a mechanism to associate security expressions with fields.
2. We need a mechanism to evaluate the security expressions before changing the value of a field.

Page 48: Updates & Concurrency (1)

Page 49: Updates & Concurrency (2)
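Added example (Python, not the talk's code) combining pages 41 to 47: optimistic concurrency through a strong ETag and an If-Match precondition, a 412 that lists the fields on which the client's copy disagrees with the current state, and a security expression per field that is evaluated against the stored resource before any field changes. The Vehicle fields, the rules, the application error codes and the 428/412/403/400 mapping are assumptions; the sample vehicle and the three security contexts are constructed.

```python
"""Optimistic concurrency (ETag / If-Match) plus security expressions on fields.

Added example, not code from the talk. Vehicle fields, per-field rules,
error codes and the status mapping are assumptions; the approach (compare,
reject, report fields, evaluate an expression before a field changes) is
the slides'.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SecurityContext:
    user_id: Optional[str]
    roles: frozenset = frozenset()


class ApiError(Exception):
    """HTTP status says what class of failure; code + fields say exactly what."""

    def __init__(self, status, code, detail, fields=()):
        super().__init__(code)
        self.status, self.code, self.detail, self.fields = status, code, detail, sorted(fields)

    def body(self):
        return {"status": self.status, "code": self.code, "detail": self.detail, "fields": self.fields}


def etag_for(representation):
    """Strong ETag over the canonical JSON of the representation the client saw."""
    canonical = json.dumps(representation, sort_keys=True, separators=(",", ":"))
    return '"' + hashlib.sha256(canonical.encode()).hexdigest()[:32] + '"'


# 1. Security expressions associated with fields. A field with no expression
#    is read-only for everybody. Rules look at the *stored* resource, so a
#    client cannot grant itself rights by putting its own id in the payload.
VEHICLE_WRITE_RULES = {
    "nickname": lambda stored, ctx: ctx.user_id == stored["owner"] or "admin" in ctx.roles,
    "plate": lambda stored, ctx: "admin" in ctx.roles,
    "owner": lambda stored, ctx: "admin" in ctx.roles,
}


def update_vehicle(stored, incoming, if_match, ctx):
    """PUT /vehicles/{id}: return the new representation or raise ApiError.

    `stored` is the current representation, `incoming` the full representation
    the client sends, `if_match` the If-Match header value (the ETag it got
    from its last GET).
    """
    if if_match is None:
        raise ApiError(428, "PRECONDITION_REQUIRED", "send If-Match with the ETag you received")
    if if_match != etag_for(stored):
        # Stale copy: report every field on which the client's copy and the
        # current state disagree; that is what the client has to reconcile.
        diff = [k for k in set(stored) | set(incoming) if stored.get(k) != incoming.get(k)]
        raise ApiError(412, "STALE_REPRESENTATION", "resource changed since you read it", diff)
    missing = [name for name in stored if name not in incoming]
    if missing:
        raise ApiError(400, "INCOMPLETE_REPRESENTATION", "PUT must send the whole resource", missing)
    # 2. Evaluate the expression for each field whose value would change.
    denied = []
    for name, new_value in incoming.items():
        if name in stored and stored[name] == new_value:
            continue                                  # unchanged: no permission needed
        rule = VEHICLE_WRITE_RULES.get(name)
        if rule is None or not rule(stored, ctx):
            denied.append(name)                       # unknown fields land here too
    if denied:
        raise ApiError(403, "FIELD_NOT_WRITABLE", "you may not change these fields", denied)
    return dict(incoming)


# Constructed sample data.
VEHICLE = {"id": 1, "plate": "1234ABC", "nickname": "the red one", "owner": "u1"}
OWNER = SecurityContext("u1")
STRANGER = SecurityContext("u2")
ADMIN = SecurityContext("u9", frozenset({"admin"}))

if __name__ == "__main__":
    tag = etag_for(VEHICLE)
    print(update_vehicle(VEHICLE, {**VEHICLE, "nickname": "the blue one"}, tag, OWNER))
    try:
        update_vehicle(VEHICLE, {**VEHICLE, "plate": "9999ZZZ"}, tag, OWNER)
    except ApiError as e:
        print(e.body())
```

The rules receive the stored resource, not the incoming one: an owner check that trusted the payload's owner field would let a client promote itself by sending its own id. Fields without a rule, including ones the server has never heard of, are rejected rather than silently written, which closes the mass-assignment case.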

Page 50: Async Requests

Page 51: Async Requests

How do we deal with transitions that are intrinsically asynchronous?

Page 52: Async Requests

How do we identify intrinsically async transitions?
There are state transitions beyond your control.
It does not make sense to return a resource, because we don't know the state of the resource after invoking the transition.

Page 53: Async Requests

Scenario: Trucks are regularly reviewed and marked for repairing.

States in the diagram: Ok, NeedsRepair, Repaired, Awaiting

Page 54: Async Requests

Same state diagram, annotated "Within my organization's control".

Page 55: Async Requests

PUT /trucks/6/repair → 202 Accepted

Page 56: Async Requests

Page 57: Async Requests

How do we deal with task-intensive state transitions?

Page 58: Async Requests

How do we deal with task-intensive state transitions? We make them async.
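Added example (Python, not the talk's code) of the truck scenario on pages 52 to 58 as the repair transition would be served: PUT /trucks/6/repair answers 202 Accepted with a Location to poll, a repeated PUT while the truck is Awaiting is idempotent, and only an authenticated callback from the repair shop moves the truck on. The /repairs/{id} job resource, the Retry-After value, the callback and its shared secret, and the ordering NeedsRepair → Awaiting → Repaired are assumptions; the in-memory store is constructed. Handlers return (status, headers, body) tuples so they run without a web framework.

```python
"""202 Accepted for a transition whose completion is outside our control.

Added example, not code from the talk. The job resource, Retry-After, the
shop callback, its shared secret and the state ordering are assumptions;
the states and PUT /trucks/6/repair -> 202 Accepted are from the slides.
"""
import secrets

API_ORIGIN = "https://api.domain.com"        # assumed
SHOP_SECRET = "constructed-shared-secret"    # constructed; would come from configuration

# state -> {transition: next_state}. "Awaiting" has no transition of its own:
# it is left only when the repair shop reports back (assumed ordering).
TRUCK_TRANSITIONS = {
    "Ok": {"mark_needs_repair": "NeedsRepair"},
    "NeedsRepair": {"repair": "Awaiting"},
    "Awaiting": {},
    "Repaired": {"mark_ok": "Ok"},
}

TRUCKS = {6: {"id": 6, "state": "NeedsRepair"}}   # constructed in-memory store
JOBS = {}                                          # job_id -> {"truck": id, "status": ...}


def repair(truck_id):
    """PUT /trucks/{id}/repair: start the repair and say so, never claim it is done."""
    truck = TRUCKS[truck_id]
    if truck["state"] == "Awaiting":
        # A retried PUT is idempotent: same job, same answer, no duplicate work order.
        return 202, {"Location": f"{API_ORIGIN}/repairs/{truck['job']}", "Retry-After": "60"}, None
    if "repair" not in TRUCK_TRANSITIONS[truck["state"]]:
        return 409, {}, {"code": "INVALID_TRANSITION", "state": truck["state"]}
    job_id = secrets.token_urlsafe(12)    # unguessable: the job URL is the only capability to poll it
    JOBS[job_id] = {"truck": truck_id, "status": "pending"}
    truck["state"], truck["job"] = "Awaiting", job_id
    return 202, {"Location": f"{API_ORIGIN}/repairs/{job_id}", "Retry-After": "60"}, None


def get_repair(job_id):
    """GET /repairs/{id}: what the client polls while the truck is Awaiting."""
    job = JOBS.get(job_id)
    if job is None:
        return 404, {}, None
    return 200, {}, {"status": job["status"], "truck": f"{API_ORIGIN}/trucks/{job['truck']}"}


def repair_shop_callback(job_id, presented_secret, outcome):
    """Inbound event from the shop. It moves the state, so it must be authenticated."""
    if not secrets.compare_digest(presented_secret, SHOP_SECRET):
        return 401, {}, None
    job = JOBS.get(job_id)
    if job is None or job["status"] != "pending":
        return 409, {}, None                       # unknown or already settled: do not replay
    if outcome not in ("done", "failed"):
        return 400, {}, None
    job["status"] = outcome
    truck = TRUCKS[job["truck"]]
    truck["state"] = "Repaired" if outcome == "done" else "NeedsRepair"
    truck.pop("job", None)
    return 204, {}, None


def job_id_from_location(headers):
    return headers["Location"].rsplit("/", 1)[1]


if __name__ == "__main__":
    status, headers, _ = repair(6)
    job = job_id_from_location(headers)
    print(status, headers, get_repair(job))
    print(repair_shop_callback(job, SHOP_SECRET, "done"), TRUCKS[6])
```

The job id is unguessable because its URL is the only thing that authorises polling it, and the callback checks that the job is still pending so a replayed or duplicated shop notification cannot flip the state a second time.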

Page 59: Flexibility & Decoupling

Page 60: Flexibility & Decoupling

Mediation Router + Message Broker

Page 61: Flexibility & Decoupling

Scenario: a Mail Template (From, To, Subject, Template name) delivered through one of several providers: Amazon, Mailchimp, Elastic Mail

Page 62: Flexibility & Decoupling

Scenario (continued)

Page 63: Flexibility & Decoupling

Scenario (continued)

Page 64: Speaking in silver: i18n

Page 65: Speaking in silver: i18n

GET /i18n/es_ES
Body:
{
  "country": "ES",
  "lang": "es",
  "data": { "key": "localized message", ... }
}

Single Page App

Page 66: API Specification

Page 67: API Specification

Page 68: API Specification: Swagger

Swagger editor: http://editor.swagger.io/

Locally: https://github.com/Byteflair/docker-swagger-editor

docker pull byteflair/swagger-editor
docker run -d -p <port>:9000 byteflair/swagger-editor

Page 69: API Specification: RAML

API Designer: http://api-portal.anypoint.mulesoft.com/raml/api-designer

Docker image: https://github.com/Byteflair/docker-raml-editor

docker pull byteflair/raml-editor
docker run -d -p <port>:9013 byteflair/raml-editor

Page 70: OAuth 2 Cheatsheet

Page 71: OAuth 2 Cheatsheet

Client & User: the grants laid out on a grid, with the client (trusted or untrusted) on one axis and whether a user is present on the other.

Page 72: OAuth 2 Cheatsheet

Resource Owner Credentials: trusted client, user present. "My trusted native app."

Page 73: OAuth 2 Cheatsheet

Client Credentials: trusted client, no user. "A server app or CLI."

Page 74: OAuth 2 Cheatsheet

Authorization Code: untrusted client, user present. "Third party apps."

Page 75: OAuth 2 Cheatsheet

Implicit: untrusted (public) client, user present. "My single page app."

Caveat: the OAuth 2.0 Security Best Current Practice (RFC 9700) recommends against the Implicit and Resource Owner Password Credentials grants; browser-based and native apps should use the Authorization Code grant with PKCE (RFC 7636).

Page 76: Packaging & Monetizing

Page 77: Packaging

How to offer different products on top of the same API?

Page 78: Packaging

How to offer different products on top of the same API? BUNDLING subsets of functionality

Page 79: Packaging

...and THROTTLING requests

Page 80: Packaging

Bundling and throttling need a proxy and a means of updating policies.
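Added example (Python, not the talk's code) of the two levers on pages 78 to 80 as a proxy would apply them: a plan bundles an allow-list of operations with a token-bucket quota, plans live in a mutable table the proxy can update without a redeploy, and each request is authenticated, checked against the bundle, then throttled. Plan names, quotas, API keys and the path-to-template convention are assumptions; time is injected so the behaviour is reproducible.

```python
"""Packaging at the proxy: bundles say which operations, throttling says how many.

Added example, not code from the talk. Plan names, quotas, API keys and
the path templating are assumptions; the two levers and the need for an
updatable proxy policy are from the slides.
"""
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Plan:
    operations: frozenset   # allow-list of "METHOD /template" strings
    rate_per_sec: float     # token-bucket refill rate
    burst: int              # bucket capacity


# The policy table is plain data that can be swapped at runtime (update_plan);
# nothing about a product is baked into the API behind the proxy.
PLANS = {
    "free": Plan(frozenset({"GET /vehicles", "GET /vehicles/{id}"}), 1.0, 5),
    "pro": Plan(frozenset({"GET /vehicles", "GET /vehicles/{id}",
                           "PUT /vehicles/{id}", "POST /sessions"}), 50.0, 100),
}
API_KEYS = {"key-free-1": "free", "key-pro-1": "pro"}   # constructed
_BUCKETS = {}                                           # api_key -> (tokens, last_seen)


def update_plan(name, plan):
    PLANS[name] = plan


def to_template(method, path):
    """Map a concrete path to its template: /vehicles/12 -> /vehicles/{id} (assumed convention)."""
    parts = [("{id}" if seg.isdigit() else seg) for seg in path.strip("/").split("/")]
    return f"{method.upper()} /" + "/".join(parts)


def _take_token(api_key, plan, now):
    tokens, last = _BUCKETS.get(api_key, (plan.burst, now))
    tokens = min(plan.burst, tokens + (now - last) * plan.rate_per_sec)
    if tokens < 1:
        _BUCKETS[api_key] = (tokens, now)
        return False
    _BUCKETS[api_key] = (tokens - 1, now)
    return True


def authorize(api_key, method, path, now=None):
    """Proxy decision for one request: (status, reason); 200 means forward it upstream.

    Order matters: authenticate, then bundle, then throttle. A request for an
    operation outside the bundle is refused without spending quota, and an
    unknown key never learns which operations exist.
    """
    now = time.monotonic() if now is None else now
    plan_name = API_KEYS.get(api_key)
    if plan_name is None:
        return 401, "unknown API key"
    plan = PLANS[plan_name]
    if to_template(method, path) not in plan.operations:
        return 403, "operation not in plan"       # bundling: deny by default
    if not _take_token(api_key, plan, now):
        return 429, "rate limit exceeded"         # throttling
    return 200, "forward"


if __name__ == "__main__":
    for i in range(7):
        print(i, authorize("key-free-1", "GET", "/vehicles/7", now=0.0))
    print(authorize("key-free-1", "PUT", "/vehicles/7", now=0.0))
    print(authorize("key-pro-1", "PUT", "/vehicles/7", now=0.0))
```

The order of checks is deliberate: an unknown key gets 401 before learning which operations exist, and a call outside the bundle is refused with 403 without consuming quota, so probing for hidden operations does not cost the caller's own budget and does not count against it either.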

Page 81: Monetizing

Page 82: Tools

Page 83: Tools

Page 84: Skyrocketing Web APIs

"Weapons should be adapted to your personal qualities and be one you can handle." (Miyamoto Musashi)

Page 85: Skyrocketing Web APIs

Don't become an extremist

Page 86: Skyrocketing Web APIs

? (Questions)

Daniel Cerecedo (@dcerecedo)

Thanks