2011 august-gdd-mexico-city-rest-json-oauth
Slides for my "Esto es Google" talk about REST, JSON and OAuth

Transcript

  • 1. REST, JSON and OAuth. Ikai Lan (@ikai), Esto es Google, August 9th, 2011
  • 2. About the speaker
    - Developer Relations at Google, based out of San Francisco, CA
    - Focus: App Engine + Cloud
    - Twitter: @ikai
    - Google+: plus.ikailan.com
  • 3. About the speaker. BIOGRAPHY: Ikai is a Developer Programs Engineer on Google App Engine. Before Google, he worked as a software engineer building mobile and social-network applications at LinkedIn. Ikai is a technology enthusiast who consumes large amounts of material about new programming languages, frameworks and services. In his spare time he enjoys California, winning Chinese karaoke contests and playing flag football. He currently lives in the San Francisco Bay Area, where he agonizes watching his favorite team implode season after season. English original: http://code.google.com/team/
  • 5. This talk ...
    - Is mostly language independent
    - Can be very basic, but reviews are always good
  • 6. Agenda
    - Learn about REST, JSON and OAuth
    - Leave this talk understanding the fundamentals of these standards
  • 7. Tools of the trade: JSON, REST, OAuth
  • 8. REST: REpresentational State Transfer
  • 9. REST in action: invoking remote methods via HTTP
        GET /calendar/123
        POST /calendar/456
        PUT /calendar/888
        DELETE /calendar/123/event/678
  • 10. HTTP verbs as actions
        Verb     Description
        GET      Reading an object
        POST     Creating a new object
        PUT      Editing an existing object
        DELETE   Deleting an object
  • 11-13. Anatomy of a REST request
        PUT /item/1                               <- verb and resource
        Accept: application/json                  <- Accept header
        someValue=someNewValue&secondValue=678    <- payload
  • 14. Why REST?
    - Builds on existing standards: almost all languages with an HTTP client are compatible
    - Server side: maps very well to web frameworks because of URI routing
    - Simple to implement, simple to debug
  • 15. JSON - the language of the web
        {
          "version": "1.0",
          "encoding": "UTF-8",
          "author": [{
            "name": {"$t": "Google Developer Calendar"},
            "email": {"$t": "developer-calendar@google.com"}
          }]
        }
  • 16. It's just a JavaScript object
    - Used in APIs to transfer data
    - Can be nested
    - Originally used for AJAX, now used for server-to-server communications
  • 17-18. vs. XML (FIGHT!!!)
        JSON:
        {
          "version": "1.0",
          "encoding": "UTF-8",
          "author": [{
            "name": {"$t": "Google Developer Calendar"},
            "email": {"$t": "developer-calendar@google.com"}
          }]
        }
        XML:
        <?xml version="1.0" encoding="UTF-8" ?>
        <feed>
          <author>
            <name>Google Developer Calendar</name>
            <email>developer-calendar@google.com</email>
          </author>
        </feed>
  • 19. vs. XML
    - XML is structured, provides validation
    - JSON is more compact, easier to generate and parse
    - JSON maps very well to the dictionary/hash object in many languages
  • 20. Python example
        # Python 2.6
        import json
        data = {"key": 123}
        json_value = json.dumps(data)
        data_restored = json.loads(json_value)
  • 21. Transport + protocol. What else do we need?
  • 22. Authentication
  • 23. Authorization
  • 24. Your guest key for the internet!
  • 25-29. Some Google APIs: Contacts, Calendar, Picasa Web, YouTube
  • 30. Why not just ask for the user’s password?
  • 31. Because it's bad.
    - You train users to give their passwords to third-party sites
    - Once you do this, users cannot revoke third-party site access without changing their password
    - It's really insecure and not flexible at all
  • 32. SaaSy Payroll: our example app that uses OAuth so we can do things with Google APIs on behalf of the user
  • 33-39. The OAuth Dance!
    1. User visits SaaSy Payroll
    2. SaaSy Payroll asks user to authorize data at Google
    3. User grants data access to app
    4. Google tells user to return to SaaSy Payroll with code
    5. SaaSy Payroll asks Google for an access_token
    6. Google returns an access_token and a refresh_token
  • 40-45. The Whole Flow (Continued)
    7. SaaSy Payroll accesses Google Calendar using access_token
    8. Google returns protected data
    (Some time later)
    9. SaaSy Payroll asks Google for a new access_token
    10. Google returns a new access_token
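The dance and the continued flow, played out as an added Python model of the provider side (not code from the talk; AuthServer, the "calendar" scope, the token formats and the sample calendar data are constructed assumptions): the code is single-use, the exchange requires the client secret, the access_token expires and is renewed with the refresh_token, and the user can revoke the app without changing a password.

```python
import secrets, time

class AuthServer:
    """Constructed stand-in for the provider side (Google in the talk); not a real Google API."""
    def __init__(self, clients, token_ttl=3600):
        self.clients, self.ttl = clients, token_ttl            # client_id -> client_secret
        self.codes, self.access, self.refresh = {}, {}, {}     # single-use codes, live tokens

    def authorize(self, client_id, user, scope):
        # Dance steps 2-4: the user grants access at the provider and carries back a
        # short-lived, single-use code. The app never sees the user's password.
        if client_id not in self.clients:
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user, scope)
        return code

    def _issue_access(self, user, scope):
        tok = secrets.token_urlsafe(24)
        self.access[tok] = (user, scope, time.time() + self.ttl)
        return tok

    def token(self, client_id, client_secret, code):
        # Steps 5-6: server-to-server exchange; the client secret proves who is asking
        if self.clients.get(client_id) != client_secret:
            return None
        grant = self.codes.pop(code, None)                     # pop: a code cannot be reused
        if grant is None or grant[0] != client_id:
            return None
        rt = secrets.token_urlsafe(24)
        self.refresh[rt] = (client_id, grant[1], grant[2])
        return {"access_token": self._issue_access(grant[1], grant[2]), "refresh_token": rt}

    def refresh_access(self, client_id, client_secret, refresh_token):
        # Steps 9-10: a new access_token without involving the user again
        grant = self.refresh.get(refresh_token)
        if self.clients.get(client_id) != client_secret or grant is None or grant[0] != client_id:
            return None
        return {"access_token": self._issue_access(grant[1], grant[2])}

    def resource(self, access_token, scope, now=None):
        # Steps 7-8: protected data is released only for a live token with the right scope
        entry = self.access.get(access_token)
        if entry is None or entry[1] != scope or (now or time.time()) > entry[2]:
            return None
        return {"owner": entry[0], "events": ["payroll run (constructed sample)"]}

    def revoke(self, user):
        # The user pulls the app's access at the provider; no password change required
        self.refresh = {k: v for k, v in self.refresh.items() if v[1] != user}
        self.access = {k: v for k, v in self.access.items() if v[0] != user}
```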
  • 46. SaaSy Payroll
  • 47. Access Control Grant
  • 48. Payroll on the Calendar (Ikai's Calendar)
  • 49. Calling an OAuth API
    The application makes an HTTP GET or HTTP POST request to the server containing the protected resource, including an Authorization header. Additionally, the application specifies which user's data it is trying to access via an xoauth_requestor_id query parameter.
        https://www.google.com/calendar/feeds/default/private/full?xoauth_requestor_id=<email address>
    Header:
        Authorization: OAuth oauth_version="1.0",
          oauth_nonce="1cbf231409dad9a2341856",
          oauth_timestamp="123456789",
          oauth_consumer_key="<consumer_key>",
          oauth_signature_method="HMAC-SHA1",
          oauth_signature="1qz%2F%2BfwtsuO"
  • 50. It's all on top of standard HTTP
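An added example (not from the slides) of how an Authorization header like the one on slide 49 is produced and checked: OAuth 1.0 HMAC-SHA1 signing as specified in RFC 5849 on the application side, and a provider-side verifier that rejects unknown consumers, stale timestamps, reused nonces and bad signatures. The consumer key, consumer secret and requestor address are constructed placeholders.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qsl, quote, urlparse

def pct(value):
    """RFC 3986 percent-encoding as OAuth 1.0 requires (only A-Z a-z 0-9 - . _ ~ left bare)."""
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    """Signature base string: METHOD & base-URL & normalized(query + oauth_* params)."""
    u = urlparse(url)
    pairs = list(parse_qsl(u.query, keep_blank_values=True))
    pairs += [(k, v) for k, v in params.items() if k != "oauth_signature"]
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(f"{u.scheme}://{u.netloc}{u.path}"), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with consumer secret & token secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def oauth_params(consumer_key):
    # Fresh nonce and timestamp per request: this is what lets the server spot a replayed header
    return {"oauth_version": "1.0", "oauth_nonce": secrets.token_hex(8),
            "oauth_timestamp": str(int(time.time())), "oauth_consumer_key": consumer_key,
            "oauth_signature_method": "HMAC-SHA1"}

def authorization_header(params):
    """Render the params in the 'Authorization: OAuth k="v", ...' form shown on the slide."""
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in params.items())

class Verifier:
    """Provider-side checks: known consumer, fresh timestamp, unused nonce, valid signature."""
    def __init__(self, secrets_by_key, window=300):
        self.secrets, self.window, self.seen = secrets_by_key, window, set()

    def verify(self, method, url, params, now=None):
        secret = self.secrets.get(params.get("oauth_consumer_key"))
        if secret is None or params.get("oauth_signature_method") != "HMAC-SHA1":
            return False
        ts = params.get("oauth_timestamp", "")
        if not ts.isdigit() or abs((now or time.time()) - int(ts)) > self.window:
            return False                       # stale or malformed timestamp
        replay_key = (params["oauth_consumer_key"], params.get("oauth_nonce"), ts)
        if replay_key in self.seen:
            return False                       # same nonce and timestamp seen before: replay
        expected = sign(method, url, params, secret)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return False
        self.seen.add(replay_key)
        return True
```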
  • 51. Our goals met!
    - We built an integrated, robust app that can directly manipulate a user's Google Calendar
    - Never have to ask the user for their Google password - secure!
  • 52. Recap: JSON, OAuth, REST
  • 53. REST - transport standard on HTTP
        GET /calendar/123
        POST /calendar/456
        PUT /calendar/888
        DELETE /calendar/123/event/678
  • 54. JSON - the language of the web
        {
          "version": "1.0",
          "encoding": "UTF-8",
          "author": [{
            "name": {"$t": "Google Developer Calendar"},
            "email": {"$t": "developer-calendar@google.com"}
          }]
        }
  • 55. OAuth - third-party auth
    - Valet key for the internet
    - Key terms: OAuth dance, 3-legged OAuth
    - consumer key, consumer secret, access token, access token secret
  • 56. A recipe for great apps!
  • 57. Questions?
    - Read about OAuth: http://oauth.net/
    - Google+: http://plus.ikailan.com
    - Twitter: @ikai