This document summarizes an API workshop presentation focused on key topics in API design including API styles, usability, security, and architecture. The presentation discusses common API styles like tunnel, URI, hypermedia, and event-driven and how to choose a style based on constraints and goals. It emphasizes the importance of usability and a developer-centric design approach. The presentation also covers securing APIs using standards like OAuth and TLS and designing layered API architectures with elements like representation, caching, and orchestration layers. It compares API management to traditional SOA governance approaches.
12. Web APIs
Language Independent
APIs are constrained by the syntax of the web
Most API Design principles can be applied
Some design principles are unique to Web APIs
85. To ensure failure, make your API:
• difficult to understand
• dangerous to use (unsafe)
• unreliable and unstable
• opaque (provides no visibility)
111. Event Driven Style
• not HTTP-based
• resource intensive connections
• inefficient for request-reply
Trade-offs
112. API Styles Summary
• Web API != standard
• Four popular styles: Tunnel, URI,
Hypermedia, Event
• Choose a style that fits your constraints
and goals
157. API explorers and “live
documentation” can shorten the
gap between visibility and
feedback.
158. 1. Identify a Target Audience
2. Learn about the audience
3. Make API design choices that
are developer-centric
4. Prototype and get feedback
5. Iterate
How?
159. Focus on the interactions that take
place, rather than the interfaces
we expose
185. OAuth 2 Challenges
New attack surfaces
Flexible, but complex for API publishers to implement
Utilizes redirection URIs (should be validated with strong rules)
Poor implementations will be exposed (see Facebook)
Not a solution to user authentication
186. OpenID Connect
Identity Access and Authentication (when combined with Open ID)
Built on top of OAuth 2
Not tied to any single vendor or identity provider
187. Open ID, Open ID Connect and OAuth 2
OAuth 2 allows an end-user to grant an application access to protected resources
However:
- The authorization server must still authenticate the end-user
- The client application is unable to determine information about the end-user
Client Application
Resource Owner Authorization Server
User Agent
Send
User
Authentication
Form
?
Authenticate
188. OpenID Authentication can help the server authenticate the end-user
OpenID Connect provides a mechanism for the application to learn about the end-
user
Open ID, Open ID Connect and OAuth 2
Client Application
Resource Owner Authorization Server
User Agent
Send
OpenID
Authentication
Form
Authenticate
Retrieve User
Information
OpenID
Resource
Server
189.
190.
191.
192. Security Summary
• Keep focus on usability
• Utilize standards like OAuth and TLS
• Danger in poor implementations
213. Caching Layer
Caching happens EVERYWHERE
HTTP supports Expiration Model and Validation Model Caching
Expiration Model
- Expires
- Cache-Control: max-age
Validation Model
- Last-Modified
- Etag, If-Match
Be prepared to support caching for both client and server
Squid, Varnish, Nginx, MemCacheD, NSURLConnection etc.