2011 august-gdd-mexico-city-rest-json-oauth

Slides for my "Esto es Google" talk about REST, JSON and OAuth
Transcript of "2011 august-gdd-mexico-city-rest-json-oauth"

1. REST, JSON and OAuth
   Ikai Lan - @ikai
   Esto es Google
   August 9th, 2011

2. About the speaker
   • Developer Relations at Google based out of San Francisco, CA
   • Focus: App Engine + Cloud
   • Twitter: @ikai
   • Google+: plus.ikailan.com

3-4. About the speaker
   BIOGRAPHY: Ikai is a Developer Programs Engineer on Google App Engine. Before Google, he worked as a software engineer building mobile and social-network applications at LinkedIn. Ikai is a technology enthusiast who consumes large amounts of material about new programming languages, frameworks and services. In his free time he enjoys California, winning Chinese karaoke contests and playing flag football. He currently lives in the San Francisco Bay Area, where he agonizes watching his favorite team implode season after season.
   English original: http://code.google.com/team/

5. This talk ...
   • Is mostly language independent
   • Can be very basic, but reviews are always good

6. Agenda
   • Learn about REST, JSON and OAuth
   • Leave this talk understanding the fundamentals of these standards

7. Tools of the trade
   JSON   REST   OAuth

8. REST
   REpresentational State Transfer

9. REST in action
   Invoking remote methods via HTTP
       GET /calendar/123
       POST /calendar/456
       PUT /calendar/888
       DELETE /calendar/123/event/678

10. HTTP verbs as actions
   Verb     Description
   GET      Reading an object
   POST     Creating a new object
   PUT      Editing an existing object
   DELETE   Deleting an object

11-13. Anatomy of a REST request
       PUT /item/1                               <- VERB and RESOURCE
       Accept: application/json                  <- Accept header
       someValue=someNewValue&secondValue=678    <- Payload

14. Why REST?
   • Builds on existing standards - almost all languages with an HTTP client are compatible
   • Server side: maps very well to web frameworks because of URI routing
   • Simple to implement, simple to debug
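As an added example that is not part of the deck, here is a small Python dispatcher for the request anatomy on slides 9-14: the verb and resource select the action, the Accept header decides what the server will produce, and the form-encoded body is the payload. The in-memory /item store, the collection behaviour of GET and POST on /item, and the 201/204/405/406 status choices are my assumptions about the API; the slides only show the single PUT /item/1 request.

```python
# Added example (not from the slides): a minimal dispatcher for the request
# anatomy on slides 9-14. Verb + resource select the action; Accept decides
# the response format; the form-encoded body is the payload.
# The /item store contents and status-code choices are my assumptions.
import json
from urllib.parse import parse_qs

ITEMS = {"1": {"someValue": "oldValue", "secondValue": "1"}}   # constructed data
NEXT_ID = [2]                                                  # mutable counter for POST

# The exact request shown on the "Anatomy of a REST request" slide.
SLIDE_REQUEST = (
    "PUT /item/1 HTTP/1.1\r\n"
    "Host: api.example\r\n"               # constructed host
    "Accept: application/json\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "someValue=someNewValue&secondValue=678"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def form_fields(body):
    """Decode the application/x-www-form-urlencoded payload (last value wins)."""
    return {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}


def handle(raw):
    """Route one request; returns (status, body dict) ready for json.dumps."""
    try:
        method, path, headers, body = parse_request(raw)
    except ValueError:
        return 400, {"error": "malformed request line"}
    accept = headers.get("accept", "*/*")
    if "application/json" not in accept and "*/*" not in accept:
        return 406, {"error": "this resource is only produced as application/json"}

    parts = path.split("?", 1)[0].strip("/").split("/")
    if parts[0] != "item" or len(parts) > 2:
        return 404, {"error": "no such resource"}
    item_id = parts[1] if len(parts) == 2 else None

    if item_id is None:                      # the collection: /item
        if method == "GET":
            return 200, {"items": [{"id": i, **v} for i, v in ITEMS.items()]}
        if method == "POST":                 # create a new object
            new_id = str(NEXT_ID[0])
            NEXT_ID[0] += 1
            ITEMS[new_id] = form_fields(body)
            return 201, {"id": new_id, **ITEMS[new_id]}
        return 405, {"error": f"{method} not allowed on /item"}

    if item_id not in ITEMS:
        return 404, {"error": f"item {item_id} not found"}
    if method == "GET":                      # read
        return 200, {"id": item_id, **ITEMS[item_id]}
    if method == "PUT":                      # replace an existing object
        ITEMS[item_id] = form_fields(body)
        return 200, {"id": item_id, **ITEMS[item_id]}
    if method == "DELETE":
        del ITEMS[item_id]
        return 204, {}
    return 405, {"error": f"{method} not allowed on /item/{item_id}"}


if __name__ == "__main__":
    status, payload = handle(SLIDE_REQUEST)
    print(status, json.dumps(payload))
```

Running the slide's PUT through `handle` replaces item 1 and answers 200 with the new JSON representation; a verb the resource does not support gets 405 and a client that will not accept JSON gets 406, which is the kind of explicit refusal that keeps a REST endpoint from silently doing the wrong thing.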
15. JSON - the language of the web
       {
         "version": "1.0",
         "encoding": "UTF-8",
         "author": [{
           "name": {"$t": "Google Developer Calendar"},
           "email": {"$t": "developer-calendar@google.com"}
         }]
       }

16. It's just a Javascript object
   • Used in APIs to transfer data
   • Can be nested
   • Originally used for AJAX, now used for server to server communications

17-18. vs. XML (FIGHT!!!)
       {
         "version": "1.0",
         "encoding": "UTF-8",
         "author": [{
           "name": {"$t": "Google Developer Calendar"},
           "email": {"$t": "developer-calendar@google.com"}
         }]
       }

       <?xml version="1.0" encoding="UTF-8" ?>
       <feed>
         <author>
           <name>Google Developer Calendar</name>
           <email>developer-calendar@google.com</email>
         </author>
       </feed>

19. vs. XML
   • XML is structured, provides validation
   • JSON is more compact, easier to generate and parse
   • JSON maps very well to dictionary/hash objects in many languages

20. Python example
       # Python 2.6
       import json
       data = { "key" : 123 }
       json_value = json.dumps(data)
       data_restored = json.loads(json_value)

21. Transport + protocol
   What else do we need?

22. Authentication

23. Authorization

24. Your guest key for the internet!

25-29. Some Google APIs
   Contacts   Calendar   Picasa Web   YouTube

30. Why not just ask for the user's password?

31. Because it's bad.
   • You train users to give their passwords to third party sites
   • Once you do this, users cannot revoke third party site access without changing their password
   • It's really insecure and not flexible at all

32. SaaSy Payroll
   Our example app that uses OAuth so we can do things with Google APIs on behalf of the user

33-39. The OAuth Dance!
   • User visits SaaSy Payroll
   • SaaSy Payroll asks user to authorize data at Google
   • User grants data access to app
   • Google tells user to return to SaaSy Payroll with code
   • SaaSy Payroll asks Google for an access_token
   • Google returns an access_token and a refresh_token

40-45. The Whole Flow (Continued)
   • SaaSy Payroll accesses Google Calendar using access_token
   • Google returns protected data
   • Some time later
   • SaaSy Payroll asks Google for a new access_token
   • Google returns a new access_token
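The dance on slides 33-45, and the revocation argument of slide 31, as an added Python simulation that is not part of the deck. `AuthorizationServer` plays Google's authorize, token and calendar endpoints and `SaaSyPayroll` plays the third-party app; client id, client secret, token formats, the 3600-second access-token lifetime, the `revoke` operation and the user address are all constructed for the example. What it demonstrates is the set of properties a reviewer checks in any OAuth integration: the app never handles a password, the authorization code is redeemable once, the access token expires and is renewed with the refresh token without bothering the user, and the user can cut one app off by revoking its grant.

```python
# Added example (not from the slides): the three-legged OAuth dance of slides 31-45
# as a runnable simulation. AuthorizationServer stands in for Google's authorize,
# token and calendar endpoints; SaaSyPayroll is the third-party app. Client ids,
# secrets, token formats and the 3600 s lifetime are constructed for the example.
import secrets


class AuthorizationServer:
    def __init__(self, clients, access_ttl=3600):
        self.clients = dict(clients)   # client_id -> client_secret of registered apps
        self.access_ttl = access_ttl
        self.codes = {}                # one-time code -> (client_id, user, scope)
        self.access_tokens = {}        # token -> (client_id, user, scope, expires_at)
        self.refresh_tokens = {}       # token -> (client_id, user, scope)

    def _client_ok(self, client_id, client_secret):
        return secrets.compare_digest(self.clients.get(client_id, ""), client_secret)

    def authorize(self, client_id, user, scope):
        """User consents at the provider (never at the app) and gets a one-time code."""
        if client_id not in self.clients:
            raise PermissionError("unknown client")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user, frozenset(scope))
        return code

    def _issue(self, client_id, user, scope, now, with_refresh):
        access = secrets.token_urlsafe(16)
        self.access_tokens[access] = (client_id, user, scope, now + self.access_ttl)
        tokens = {"access_token": access, "expires_in": self.access_ttl}
        if with_refresh:
            refresh = secrets.token_urlsafe(16)
            self.refresh_tokens[refresh] = (client_id, user, scope)
            tokens["refresh_token"] = refresh
        return tokens

    def exchange_code(self, client_id, client_secret, code, now):
        """The app trades the code plus its own credentials for the tokens."""
        entry = self.codes.pop(code, None)   # pop: a code can be redeemed only once
        if entry is None or entry[0] != client_id or not self._client_ok(client_id, client_secret):
            raise PermissionError("invalid code or client credentials")
        return self._issue(client_id, entry[1], entry[2], now, with_refresh=True)

    def refresh(self, client_id, client_secret, refresh_token, now):
        """'Some time later': a new access_token without involving the user again."""
        entry = self.refresh_tokens.get(refresh_token)
        if entry is None or entry[0] != client_id or not self._client_ok(client_id, client_secret):
            raise PermissionError("invalid refresh token")
        return self._issue(client_id, entry[1], entry[2], now, with_refresh=False)

    def revoke(self, refresh_token):
        """Slide 31's point: the user cuts off one app without changing any password."""
        entry = self.refresh_tokens.pop(refresh_token, None)
        if entry is not None:
            for token, (cid, usr, _, _) in list(self.access_tokens.items()):
                if (cid, usr) == entry[:2]:
                    del self.access_tokens[token]

    def calendar_feed(self, access_token, now):
        """Resource endpoint: the token must exist, be unexpired and carry the scope."""
        entry = self.access_tokens.get(access_token)
        if entry is None:
            raise PermissionError("invalid access token")
        _, user, scope, expires_at = entry
        if now >= expires_at:
            raise PermissionError("access token expired")
        if "calendar" not in scope:
            raise PermissionError("insufficient scope")
        return {"owner": user, "events": ["Payroll run"]}   # constructed protected data


class SaaSyPayroll:
    def __init__(self, server, client_id, client_secret):
        self.server, self.client_id, self.client_secret = server, client_id, client_secret
        self.tokens = {}

    def handle_callback(self, code, now):
        self.tokens = self.server.exchange_code(self.client_id, self.client_secret, code, now)

    def read_calendar(self, now):
        try:
            return self.server.calendar_feed(self.tokens["access_token"], now)
        except PermissionError:
            # Expired: refresh once and retry; a revoked grant makes refresh() raise instead.
            fresh = self.server.refresh(self.client_id, self.client_secret, self.tokens["refresh_token"], now)
            self.tokens["access_token"] = fresh["access_token"]
            return self.server.calendar_feed(self.tokens["access_token"], now)


def run_dance(now=0):
    """Walk the whole flow once and report the properties a reviewer would check."""
    google = AuthorizationServer({"saasy-payroll": "constructed-client-secret"})
    app = SaaSyPayroll(google, "saasy-payroll", "constructed-client-secret")
    code = google.authorize("saasy-payroll", "ikai@example.com", {"calendar"})  # constructed user
    app.handle_callback(code, now)
    first_token = app.tokens["access_token"]
    owner_later = app.read_calendar(now + 5000)["owner"]   # past the TTL: triggers a refresh
    try:
        google.exchange_code("saasy-payroll", "constructed-client-secret", code, now)
        code_replayable = True
    except PermissionError:
        code_replayable = False
    return {"owner_later": owner_later, "code_replayable": code_replayable,
            "refreshed": app.tokens["access_token"] != first_token, "server": google, "app": app}
```

`run_dance()` returns the observations rather than printing them: the calendar owner read after the token expired, whether the app's access token changed (it did, through the refresh token), and whether the authorization code could be redeemed a second time (it could not). Calling `revoke` on the refresh token afterwards leaves the app unable to read or refresh, which is the capability a password-sharing design cannot offer.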
46. SaaSy Payroll

47. Access Control Grant

48. Payroll on the Calendar
   Ikai's Calendar

49. Calling an OAuth API
   The application makes an HTTP GET or HTTP POST request to the server containing the protected resource, including an Authorization header. Additionally, the application specifies which user's data it is trying to access via a xoauth_requestor_id query parameter.
       https://www.google.com/calendar/feeds/default/private/full?xoauth_requestor_id=<email address>
   Header:
       Authorization: OAuth oauth_version="1.0",
         oauth_nonce="1cbf231409dad9a2341856",
         oauth_timestamp="123456789",
         oauth_consumer_key="<consumer_key>",
         oauth_signature_method="HMAC-SHA1",
         oauth_signature="1qz%2F%2BfwtsuO"
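Slide 49 shows the finished header but not how oauth_signature is produced or checked. The following is an added Python example, not code from the deck, that builds that header with HMAC-SHA1 the way RFC 5849 (OAuth 1.0) specifies and performs the matching server-side verification. The consumer key, consumer secret and requestor address are constructed placeholders; the nonce and timestamp on the slide are used when passed in, otherwise a random nonce and the current time. Because the slide's header carries no oauth_token, the signing key is the consumer secret followed by an empty token secret, which is the consumer-only form the slide is using. The verifier recomputes the signature over method, URL and parameters and also rejects stale timestamps and reused nonces, which is what bounds how long a captured header remains usable.

```python
# Added example (not from the slides): building and verifying the
# "Authorization: OAuth ..." header of slide 49 with HMAC-SHA1 per RFC 5849.
# Consumer key/secret and the requestor address are constructed placeholders.
import base64
import hashlib
import hmac
import os
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit

CONSUMER_KEY = "example-consumer-key"          # placeholder, not a real key
CONSUMER_SECRET = "example-consumer-secret"    # placeholder, not a real secret
REQUEST_URL = ("https://www.google.com/calendar/feeds/default/private/full"
               "?xoauth_requestor_id=user@example.com")   # constructed requestor


def pct(value):
    """RFC 3986 percent-encoding as OAuth 1.0 requires: only A-Z a-z 0-9 - . _ ~ survive."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """METHOD & encoded base URL & encoded, sorted, '&'-joined parameters."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    # Query-string parameters and oauth_* parameters are signed together;
    # oauth_signature itself is never part of the signed material.
    pairs = list(parse_qsl(parts.query, keep_blank_values=True))
    pairs += [(k, v) for k, v in params.items() if k != "oauth_signature"]
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string; the key is consumer_secret&token_secret
    (token_secret is empty for the consumer-only call on the slide)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def build_authorization_header(method, url, consumer_key, consumer_secret,
                               nonce=None, timestamp=None):
    """Client side: produce the header value shown on slide 49."""
    params = {
        "oauth_version": "1.0",
        "oauth_nonce": nonce or os.urandom(16).hex(),         # fresh per request
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
    }
    params["oauth_signature"] = sign(method, url, params, consumer_secret)
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in params.items())


def parse_authorization_header(header):
    """Split 'OAuth k="v", k2="v2"' back into a dict of decoded values."""
    scheme, _, rest = header.partition(" ")
    if scheme != "OAuth":
        raise ValueError("not an OAuth 1.0 header")
    params = {}
    for part in rest.split(","):
        k, _, v = part.strip().partition("=")
        params[k] = unquote(v.strip('"'))
    return params


def verify_request(method, url, header, consumer_secrets, now=None,
                   max_skew=300, seen_nonces=None):
    """Server side: recompute the signature and check freshness. The timestamp
    window and the nonce cache bound how long a captured header stays usable."""
    try:
        params = parse_authorization_header(header)
        provided = params.pop("oauth_signature")
        timestamp = int(params["oauth_timestamp"])
        consumer_key, nonce = params["oauth_consumer_key"], params["oauth_nonce"]
        secret = consumer_secrets[consumer_key]
    except (KeyError, ValueError):
        return False
    if abs((now if now is not None else time.time()) - timestamp) > max_skew:
        return False
    if seen_nonces is not None:
        if (consumer_key, nonce, timestamp) in seen_nonces:
            return False
        seen_nonces.add((consumer_key, nonce, timestamp))
    expected = sign(method, url, params, secret)
    return hmac.compare_digest(provided, expected)


if __name__ == "__main__":
    header = build_authorization_header("GET", REQUEST_URL, CONSUMER_KEY, CONSUMER_SECRET)
    print(header)
    print(verify_request("GET", REQUEST_URL, header, {CONSUMER_KEY: CONSUMER_SECRET}))
```

The signature covers the method, the base URL and every query and oauth_* parameter, so changing the xoauth_requestor_id in the URL, or replaying the header against a different verb, fails verification; a replayed header also fails once its timestamp falls outside the window or its nonce has been seen. The constant-time comparison avoids leaking how many leading bytes of a guessed signature were right.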
50. It's all on top of standard HTTP

51. Our goals met!
   • We built an integrated, robust app that can directly manipulate a user's Google Calendar
   • Never have to ask the user for their Google password - secure!

52. Recap
   JSON   OAuth   REST

53. REST - transport standard on HTTP
       GET /calendar/123
       POST /calendar/456
       PUT /calendar/888
       DELETE /calendar/123/event/678

54. JSON - the language of the web
       {
         "version": "1.0",
         "encoding": "UTF-8",
         "author": [{
           "name": {"$t": "Google Developer Calendar"},
           "email": {"$t": "developer-calendar@google.com"}
         }]
       }

55. OAuth - third party auth
   • Valet key for the internet
   • Key terms: OAuth dance, 3 legged oauth
   • consumer key, consumer secret, access token, access token secret

56. A recipe for great apps!

57. Questions?
   • Read about OAuth: http://oauth.net/
   • Google+: http://plus.ikailan.com
   • Twitter: @ikai