2011 august-gdd-mexico-city-rest-json-oauth

Slides for my "Esto es Google" talk about REST, JSON and OAuth

Published in: Technology, News & Politics

    1. REST, JSON and OAuth. Ikai Lan (@ikai), Esto es Google, August 9th, 2011
    2. About the speaker
       • Developer Relations at Google, based out of San Francisco, CA
       • Focus: App Engine + Cloud
       • Twitter: @ikai
       • Google+: plus.ikailan.com
    3. About the speaker
       BIOGRAPHY: Ikai is a Developer Programs Engineer on Google App Engine. Before Google, he worked as a software engineer building mobile and social networking applications at LinkedIn. Ikai is a technology enthusiast who consumes large amounts of material about new programming languages, frameworks and services. In his free time he enjoys California, winning Chinese karaoke contests and playing flag football. He currently lives in the San Francisco Bay Area, where he agonizes watching his favorite team implode season after season. English original: http://code.google.com/team/
    4. About the speaker (the same bio as slide 3, with "!!!" added)
    5. This talk ...
       • Is mostly language independent
       • Can be very basic, but reviews are always good
    6. Agenda
       • Learn about REST, JSON and OAuth
       • Leave this talk understanding the fundamentals of these standards
    7. Tools of the trade: JSON, REST, OAuth
    8. REST: REpresentational State Transfer
    9. REST in action: invoking remote methods via HTTP
       GET /calendar/123
       POST /calendar/456
       PUT /calendar/888
       DELETE /calendar/123/event/678
    10. HTTP verbs as actions
       Verb     Description
       GET      Reading an object
       POST     Creating a new object
       PUT      Editing an existing object
       DELETE   Deleting an object
    11. Anatomy of a REST request (slides 11 to 13 highlight one part each)
       PUT /item/1                               <- verb and resource
       Accept: application/json                  <- Accept header (the response format the client wants)

       someValue=someNewValue&secondValue=678    <- payload
    14. Why REST?
       • Builds on existing standards: almost every language with an HTTP client is compatible
       • Server side: maps very well to web frameworks because of URI routing
       • Simple to implement, simple to debug
    15. JSON - the language of the web
       {
         "version": "1.0",
         "encoding": "UTF-8",
         "author": [{
           "name": {"$t": "Google Developer Calendar"},
           "email": {"$t": "developer-calendar@google.com"}
         }]
       }
    16. It's just a JavaScript object
       • Used in APIs to transfer data
       • Can be nested
       • Originally used for AJAX, now also used for server-to-server communication
    17. vs. XML (slide 18 repeats this with a "FIGHT!!!" graphic)
       JSON:
       {
         "version": "1.0",
         "encoding": "UTF-8",
         "author": [{
           "name": {"$t": "Google Developer Calendar"},
           "email": {"$t": "developer-calendar@google.com"}
         }]
       }
       XML:
       <?xml version="1.0" encoding="UTF-8" ?>
       <feed>
         <author>
           <name>Google Developer Calendar</name>
           <email>developer-calendar@google.com</email>
         </author>
       </feed>
    19. vs. XML
       • XML is structured and provides validation
       • JSON is more compact, easier to generate and parse
       • JSON maps very well to the dictionary/hash object in many languages
    20. Python example
       # Python 2.6
       import json
       data = { "key" : 123 }
       json_value = json.dumps(data)
       data_restored = json.loads(json_value)
    21. Transport + protocol: what else do we need?
    22. Authentication
    23. Authorization
    24. Your guest key for the internet!
    25. Some Google APIs (built up over slides 25 to 29): Contacts, Calendar, Picasa Web, YouTube
    30. Why not just ask for the user's password?
    31. Because it's bad.
       • You train users to give their passwords to third-party sites
       • Once you do this, users cannot revoke a third-party site's access without changing their password
       • It's really insecure and not flexible at all
    32. SaaSy Payroll: our example app that uses OAuth so we can do things with Google APIs on behalf of the user
    33. The OAuth Dance! (built up over slides 33 to 39)
       1. User visits SaaSy Payroll
       2. SaaSy Payroll asks the user to authorize data access at Google
       3. User grants data access to the app
       4. Google tells the user to return to SaaSy Payroll with a code
       5. SaaSy Payroll asks Google for an access_token
       6. Google returns an access_token and a refresh_token
    40. The Whole Flow (Continued) (built up over slides 40 to 45)
       7. SaaSy Payroll accesses Google Calendar using the access_token
       8. Google returns protected data
       9. Some time later, SaaSy Payroll asks Google for a new access_token
       10. Google returns a new access_token
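The dance of slides 33 to 45, as an added example that is not from the talk: a constructed in-memory stand-in for Google's side (authorization, token exchange, refresh, the protected calendar) plus a SaaSy Payroll client that walks it end to end. The client id saasy-payroll, its secret, the 60 s code lifetime and 3600 s token lifetime are assumptions; the `revoke` method shows what slide 31 promises, the user cutting the app off without changing a password.

```python
import secrets

class AuthorizationServer:
    """Constructed in-memory stand-in for Google's side of the dance (not Google's code)."""
    def __init__(self, clients, calendars):
        self.clients, self.calendars = clients, calendars  # client_id -> secret; user -> data
        self.codes, self.access, self.refresh = {}, {}, {}

    def authorize(self, user, client_id, now):
        # Slides 34-37: the user grants access; Google sends them back with a short-lived, single-use code.
        code = secrets.token_urlsafe(16)
        self.codes[code] = (user, client_id, now + 60)
        return code
    def _issue(self, user, client_id, now, with_refresh):
        tok = secrets.token_urlsafe(16)
        self.access[tok] = (user, client_id, now + 3600)  # short-lived: a leaked token expires on its own
        out = {"access_token": tok, "expires_in": 3600}
        if with_refresh:
            out["refresh_token"] = secrets.token_urlsafe(16)
            self.refresh[out["refresh_token"]] = (user, client_id)
        return out

    def token(self, code, client_id, client_secret, now):
        # Slides 38-39: the code is redeemed once (pop) by the client that presents the right secret.
        user, owner, expires = self.codes.pop(code, (None, None, 0))
        if user is None or owner != client_id or expires < now or self.clients.get(client_id) != client_secret:
            return None
        return self._issue(user, client_id, now, with_refresh=True)

    def refresh_access(self, refresh_token, client_id, client_secret, now):
        # Slides 44-45: "some time later", a fresh access_token without involving the user again.
        user, owner = self.refresh.get(refresh_token, (None, None))
        if user is None or owner != client_id or self.clients.get(client_id) != client_secret:
            return None
        return self._issue(user, client_id, now, with_refresh=False)

    def calendar(self, access_token, now):
        # Slides 41-42: the protected resource only answers to a live access_token.
        user, _, expires = self.access.get(access_token, (None, None, 0))
        return (200, self.calendars.get(user)) if user and expires >= now else (401, None)

    def revoke(self, user, client_id):
        # Slide 31's point: the user cuts the app off at Google without changing any password.
        self.refresh = {k: v for k, v in self.refresh.items() if v != (user, client_id)}
        self.access = {k: v for k, v in self.access.items() if v[:2] != (user, client_id)}

def saasy_payroll_dance(google, user, now, client_id="saasy-payroll", client_secret="s3cret"):
    """Client side: run the dance once and return the grant plus the calendar response."""
    code = google.authorize(user, client_id, now)
    grant = google.token(code, client_id, client_secret, now)
    return grant, google.calendar(grant["access_token"], now)
```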
    46. SaaSy Payroll
    47. Access Control Grant
    48. Payroll on the Calendar: Ikai's Calendar
    49. Calling an OAuth API
       The application makes an HTTP GET or HTTP POST request to the server holding the protected resource, including an Authorization header. Additionally, the application specifies whose data it is trying to access via the xoauth_requestor_id query parameter.
       https://www.google.com/calendar/feeds/default/private/full?xoauth_requestor_id=<email address>
       Header:
       Authorization: OAuth oauth_version="1.0",
                      oauth_nonce="1cbf231409dad9a2341856",
                      oauth_timestamp="123456789",
                      oauth_consumer_key="<consumer_key>",
                      oauth_signature_method="HMAC-SHA1",
                      oauth_signature="1qz%2F%2BfwtsuO"
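The signed request on slide 49, as an added example that is not from the talk: a client that builds the OAuth 1.0 HMAC-SHA1 Authorization header for that calendar URL (signature base string, signing key, header rendering) and the server-side check that recomputes the signature and refuses stale or replayed requests. The consumer key and secret, the requestor address and the 300 s timestamp window are constructed values.

```python
import base64
import hashlib
import hmac
import urllib.parse
# Constructed sample values (not real Google credentials).
CONSUMER_KEY, CONSUMER_SECRET = "example-consumer-key", "example-consumer-secret"
CALENDAR_URL = ("https://www.google.com/calendar/feeds/default/private/full"
                "?xoauth_requestor_id=user@example.com")
def pct(value):
    """Percent-encode as OAuth 1.0 requires: only RFC 3986 unreserved characters stay bare."""
    return urllib.parse.quote(str(value), safe="-._~")

def signature_base_string(method, url, params):
    """METHOD & encoded base URL & encoded, sorted k=v pairs (query string + oauth_* params)."""
    parts = urllib.parse.urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    pairs = list(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
    pairs += [(k, v) for k, v in params.items() if k != "oauth_signature"]
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """Key is consumer_secret&token_secret; a 2-legged request has an empty token secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()

def build_authorization_header(method, url, key, secret, nonce, timestamp):
    """Client side: sign the request and render the Authorization: OAuth header."""
    params = {"oauth_version": "1.0", "oauth_nonce": nonce, "oauth_timestamp": str(timestamp),
              "oauth_consumer_key": key, "oauth_signature_method": "HMAC-SHA1"}
    params["oauth_signature"] = hmac_sha1_signature(signature_base_string(method, url, params), secret)
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in params.items())

def parse_authorization_header(header):
    pairs = (p.strip().split("=", 1) for p in header[len("OAuth "):].split(","))
    return {k: urllib.parse.unquote(v.strip('"')) for k, v in pairs}

def verify_request(method, url, header, known_secrets, seen_nonces, now, window=300):
    """Server side: recompute the signature; refuse stale timestamps and replayed nonces."""
    p = parse_authorization_header(header)
    secret, nonce = known_secrets.get(p.get("oauth_consumer_key")), p.get("oauth_nonce")
    if secret is None or nonce is None or p.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    if abs(now - int(p.get("oauth_timestamp", "0"))) > window or nonce in seen_nonces:
        return False
    expected = hmac_sha1_signature(signature_base_string(method, url, p), secret)
    if not hmac.compare_digest(expected, p.get("oauth_signature", "")):
        return False  # constant-time compare, so timing does not reveal where it diverged
    seen_nonces.add(nonce)  # simplified: a real server scopes nonces per consumer key and timestamp
    return True
```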
    50. It's all on top of standard HTTP
    51. Our goals met!
       • We built an integrated, robust app that can directly manipulate a user's Google Calendar
       • We never have to ask the user for their Google password: secure!
    52. Recap: JSON, OAuth, REST
    53. REST - transport standard on HTTP
       GET /calendar/123
       POST /calendar/456
       PUT /calendar/888
       DELETE /calendar/123/event/678
    54. JSON - the language of the web
       {
         "version": "1.0",
         "encoding": "UTF-8",
         "author": [{
           "name": {"$t": "Google Developer Calendar"},
           "email": {"$t": "developer-calendar@google.com"}
         }]
       }
    55. OAuth - third-party auth
       • Valet key for the internet
       • Key terms: OAuth dance, 3-legged OAuth
       • consumer key, consumer secret, access token, access token secret
    56. A recipe for great apps!
    57. Questions?
       • Read about OAuth: http://oauth.net/
       • Google+: http://plus.ikailan.com
       • Twitter: @ikai
