Skyrocketing Web APIs
By making the right decisions
Daniel Cerecedo
@dcerecedo
There are lots of misconceptions about REST APIs. People think that REST is about HTTP (it is not), and that developer UX is important (it will soon be dead).
Here we discuss our approach to REST over HTTP, the difficulties and special scenarios we have found, and how we solved them.

Skyrocketing Web APIs

  1. Skyrocketing Web APIs. By making the right decisions. Daniel Cerecedo, @dcerecedo
  2. Why REST over HTTP? @dcerecedo Byteflair
  3. Why REST over HTTP? "The limits of my language mean the limits of my world." Everybody speaks HTTP.
  4. Developer UX: HTTP is for browsers.
  5. Developer UX: Developer in mind, not browsers.
  6. REST over HTTP: Components: URIs, verbs, status codes, body, headers.
  7. REST over HTTP: Separate the resource representation from contextual data. Representation → body; contextual data → headers.
  8. REST over HTTP: Use the HTTP status code to inform the client about the result. 2xx → OK; anything else → KO; 4xx → client error; 5xx → server error.
  9. REST over HTTP: Use the best-matching HTTP status codes. Add specific application error codes to error responses.
  10. REST over HTTP: The semantics of an API should be in the URI ...but everybody thinks verbs + URIs fit better on HTTP.
  11. REST over HTTP (no slide text).
  12. Hypermedia
  13. Hypermedia: Applications can be modeled as state machines.
  14. Hypermedia (figure only).
  15. Hypermedia (figure only).
  16. Hypermedia: Model the problem domain. Identify domain resources. Identify resource state transitions.
  17. Hypermedia: Domain resources: Vehicles, Users, Sessions. Resource state transitions: create resources; assign owner to vehicle; activate session with driver & vehicle; deactivate session.
  18. Hypermedia: Define resource representation formats (MIME types). Define roles for each hypermedia control (rel types).
  19. Hypermedia: GET / Headers: Link: <https://api.domain.com/vehicles>; rel="vehicles", <https://api.domain.com/users>; rel="users", <https://api.domain.com/sessions>; rel="sessions" Body: ...
  20. Hypermedia: GET /vehicles Headers: Link: <https://api.domain.com/vehicles?page=1&size=20>; rel="next" Body: [ {...}, {...}, ... ] Control links.
  21. Hypermedia: GET /sessions/1374 Body: { ..., "vehicle": "https://api.domain.com/vehicles/1", "driver": "https://api.domain.com/users/1" } These are also control links. Use conventions to get full semantics!
  22. Hypermedia: GET /vehicles/1 Body: { ..., "owner": "https://api.domain.com/users/1" } Relation types specify the role of the link.
  23. Hypermedia: GET /sessions/1374 Body: { ..., "vehicle": "https://api.domain.com/vehicles/1", "driver": "https://api.domain.com/persons/1" }
  24. Hypermedia: Let the client discover its resource access level: OPTIONS.
  25. Hypermedia: Conventions: rel types, media types, methods, status codes.
  26. Hypermedia: Think as if you had to write a client, and minimize the number of things you have to know about the API beforehand.
  27. Hypermedia: A client and an API do not get decoupled magically.
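The discovery the hypermedia slides describe, as an added example that is not code from the talk or from Byteflair: a client that learns the entry points from the Link header on GET / and its access level from the Allow header of an OPTIONS response, so the only things it knows beforehand are the root URI and the rel names. The transport and its responses are constructed in the block; api.domain.com and the rels come from the slides, the Allow values are assumptions.

```python
import re

# One RFC 8288 link-value: <target>; param=value; param="value" ... (comma separated)
_LINK_RE = re.compile(r'<([^>]*)>\s*((?:;\s*[^;,]+)*)')


def parse_link_header(value):
    """Return {rel: target} for every link in a Link header value."""
    rels = {}
    for target, params in _LINK_RE.findall(value):
        for param in params.split(";"):
            name, _, raw = param.strip().partition("=")
            if name.lower() == "rel":
                # rel may carry several space-separated relation types
                for rel in raw.strip().strip('"').split():
                    rels[rel] = target
    return rels


def allowed_methods(allow_header):
    """Parse the Allow header (RFC 7231) of an OPTIONS response."""
    return {m.strip().upper() for m in allow_header.split(",") if m.strip()}


class HypermediaClient:
    """Follows rels instead of building URIs, and asks before assuming a method is allowed."""

    def __init__(self, transport):
        # transport(method, url) -> (status, headers, body); injected so it can be faked
        self.transport = transport

    def entry_points(self, root_url):
        status, headers, _ = self.transport("GET", root_url)
        if status != 200:
            raise RuntimeError(f"root returned {status}")
        return parse_link_header(headers.get("Link", ""))

    def access_level(self, url):
        status, headers, _ = self.transport("OPTIONS", url)
        if status != 200:
            return set()          # unreachable or hidden: assume nothing is allowed
        return allowed_methods(headers.get("Allow", ""))

    def can(self, method, url):
        return method.upper() in self.access_level(url)


# Constructed fake server for api.domain.com (assumed responses, not the real API).
_FAKE = {
    ("GET", "https://api.domain.com/"): (200, {"Link": (
        '<https://api.domain.com/vehicles>; rel="vehicles", '
        '<https://api.domain.com/users>; rel="users", '
        '<https://api.domain.com/sessions>; rel="sessions"')}, b""),
    ("OPTIONS", "https://api.domain.com/vehicles"): (200, {"Allow": "GET, HEAD, OPTIONS"}, b""),
    ("OPTIONS", "https://api.domain.com/sessions"): (200, {"Allow": "GET, POST, OPTIONS"}, b""),
}


def fake_transport(method, url):
    return _FAKE.get((method, url), (404, {}, b""))


def demo():
    """Map every advertised rel to the methods this client may use on it."""
    client = HypermediaClient(fake_transport)
    rels = client.entry_points("https://api.domain.com/")
    return {rel: sorted(client.access_level(url)) for rel, url in rels.items()}


if __name__ == "__main__":
    print(demo())
```

The point for the client author is that /users returns nothing usable here, and the client copes without a hard-coded list of URIs or permissions; the server can move or hide a resource and the client keeps working as long as the rel conventions hold.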
  28. Dynamic views
  29. Dynamic views: We have different data access needs for the same resource depending on the security context.
  30. Dynamic views. Scenario: Any User resource can be fully viewed by an administrator. A logged-in user can fully view his own User resource. Other users can only see his public data.
  31. Dynamic views. Scenario: One URI per role: /users/{id}, /owner/users/{id}, /admin/users/{id}
  32. Dynamic views. Scenario: One URI per role: /users/{id}, /owner/users/{id}, /admin/users/{id}
  33. Dynamic views. Scenario: Partition the resource and give each role access to its partition: /users/{id}, /users/{id}/my-private-data, /users/{id}/data-about-me-only-the-admin-knows
  34. Dynamic views. Scenario: One URI per resource; select one view at runtime depending on the security context: /users/{id}
  35. Dynamic views: 1. Create a mechanism to define views. 2. Create a mechanism to define the views applicable to a resource. 3. Create a mechanism to define which view to apply.
  36. Dynamic views (figure for step 1).
  37. Dynamic views (figure for step 1).
  38. Dynamic views (figure for step 2).
  39. Dynamic views (figure for step 3).
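The three mechanisms listed above, as an added example (not the talk's code): views are named field whitelists, each resource type declares which views apply to it, and a selection rule picks one from the security context at request time, so /users/{id} stays a single URI. Field names, roles and the sample user are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# (1) Define views. A view is a whitelist: a field added to the resource later is
# invisible until some view opts it in, which is the safe default for sensitive data.
VIEWS = {
    "public": {"id", "display_name"},
    "owner": {"id", "display_name", "email", "phone"},
    "admin": {"id", "display_name", "email", "phone", "login_attempts", "disabled"},
}

# (2) Views applicable to each resource type, most to least privileged.
APPLICABLE = {"User": ["admin", "owner", "public"]}


@dataclass(frozen=True)
class SecurityContext:
    subject_id: Optional[str]            # None -> anonymous caller
    roles: frozenset = frozenset()


# (3) Which view to apply, mirroring the scenario: an administrator sees everything,
# a user sees his own User resource fully, everybody else sees public data only.
def select_view(resource_type, resource, ctx):
    candidates = APPLICABLE[resource_type]
    if "admin" in ctx.roles and "admin" in candidates:
        return "admin"
    if ctx.subject_id is not None and ctx.subject_id == resource.get("id") and "owner" in candidates:
        return "owner"
    return candidates[-1]                # least privileged view is the fallback


def render(resource_type, resource, ctx):
    """Project the stored resource through the selected view."""
    allowed = VIEWS[select_view(resource_type, resource, ctx)]
    return {k: v for k, v in resource.items() if k in allowed}


# Constructed sample resource, as served at /users/42.
USER_42 = {"id": "42", "display_name": "Ada", "email": "ada@example.test",
           "phone": "+000", "login_attempts": 3, "disabled": False}


def demo():
    contexts = [
        ("anon", SecurityContext(None)),
        ("owner", SecurityContext("42")),
        ("other", SecurityContext("7")),
        ("admin", SecurityContext("1", frozenset({"admin"}))),
    ]
    return {name: sorted(render("User", USER_42, ctx)) for name, ctx in contexts}


if __name__ == "__main__":
    for name, fields in demo().items():
        print(name, fields)
```

Selection happens on the server from the authenticated context, never from anything the client sends (a `?view=admin` parameter would turn the view into a privilege escalation knob).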
  40. Updates & Concurrency
  41. Updates & Concurrency. Scenario: Two clients attempt to update the same resource concurrently. The representation is the state of the application. I want to avoid the second request updating the resource from an inconsistent representation.
  42. Updates & Concurrency. Scenario: Compare the incoming resource and the existing resource...
  43. Updates & Concurrency. Scenario: Compare the incoming resource and the existing resource... If unequal, reject...
  44. Updates & Concurrency. Scenario: Compare the incoming resource and the existing resource... If unequal, reject... If possible, inform the user which fields violated the precondition.
  45. Updates & Concurrency: If we have dynamic views, then the same resource may have different fields for different security contexts.
  46. Updates & Concurrency. Scenario: What if we don't want all fields to be updatable? What if we need fine-grained access control to fields?
  47. Updates & Concurrency: 1. We need a mechanism to associate security expressions to fields. 2. We need a mechanism to evaluate security expressions before changing the value of a field.
  48. Updates & Concurrency (figure for step 1).
  49. Updates & Concurrency (figure for step 2).
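The update handling of slides 41 to 47 in one piece, as an added example that is not the talk's code. The request shape is an assumption: the client sends the representation it read (`base`) together with the one it wants (`desired`). The server compares `base` to what it holds and rejects with 412 naming the stale fields; only fields present in `base` are compared, so a client whose view hid some fields is not failed on fields it never saw. Each field then has a security expression, modelled here as a predicate, evaluated before the value changes; fields without one are read-only. Field names and rules are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SecurityContext:
    subject_id: Optional[str]
    roles: frozenset = frozenset()


# Security expressions per field: predicate over (context, current resource).
# A field with no entry cannot be changed by anyone through the API.
FIELD_RULES = {
    "display_name": lambda ctx, res: ctx.subject_id == res["id"] or "admin" in ctx.roles,
    "email":        lambda ctx, res: ctx.subject_id == res["id"] or "admin" in ctx.roles,
    "disabled":     lambda ctx, res: "admin" in ctx.roles,
}


def precondition_violations(base, existing):
    """Fields whose value the client believed differ from what is stored now."""
    return sorted(f for f, v in base.items() if existing.get(f) != v)


def forbidden_changes(existing, desired, ctx):
    """Fields the request would change that this context may not change."""
    bad = []
    for f, new in desired.items():
        if existing.get(f) == new:
            continue                          # unchanged: no rule needed
        rule = FIELD_RULES.get(f)
        if rule is None or not rule(ctx, existing):
            bad.append(f)
    return sorted(bad)


def update(store, rid, base, desired, ctx):
    """Return (status, body): 412 lists stale fields, 403 lists forbidden ones,
    200 returns the new representation. Nothing is written on any error."""
    existing = store[rid]
    stale = precondition_violations(base, existing)
    if stale:
        return 412, {"error": "precondition_failed", "fields": stale}
    bad = forbidden_changes(existing, desired, ctx)
    if bad:
        return 403, {"error": "field_not_writable", "fields": bad}
    updated = {**existing, **desired}
    store[rid] = updated
    return 200, updated


def demo():
    # Constructed store with one User resource.
    store = {"42": {"id": "42", "display_name": "Ada", "email": "a@x.test", "disabled": False}}
    owner = SecurityContext("42")
    admin = SecurityContext("1", frozenset({"admin"}))
    base = dict(store["42"])                  # both clients read this representation
    # First client (the owner) changes the email: accepted.
    r1 = update(store, "42", base, {**base, "email": "new@x.test"}, owner)
    # Second client still holds the old representation: rejected, stale field named.
    r2 = update(store, "42", base, {**base, "display_name": "Ada L."}, admin)
    # Owner re-reads, then tries to flip an admin-only field: forbidden field named.
    fresh = dict(store["42"])
    r3 = update(store, "42", fresh, {**fresh, "disabled": True}, owner)
    return r1[0], r2, r3


if __name__ == "__main__":
    print(demo())
```

Where the representation is large, the same precondition is usually carried as an ETag in `If-Match`, with 412 as the failure status; the field-by-field comparison above is what lets the response say which fields conflicted, which a bare ETag mismatch cannot.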
  50. Async Requests
  51. Async Requests: How do we deal with transitions that are intrinsically asynchronous?
  52. Async Requests: How do we identify intrinsically async transitions? There are state transitions beyond your control. It does not make sense to return a resource, because we don't know the state of the resource after invoking the transition.
  53. Async Requests. Scenario: Trucks are regularly reviewed and marked for repairing. States: Ok, Needs Repair, Repaired, Awaiting.
  54. Async Requests. Scenario: Trucks are regularly reviewed and marked for repairing. States: Ok, Needs Repair, Repaired, Awaiting. Figure label: "Within my organization's control".
  55. Async Requests. Scenario: Trucks are regularly reviewed and marked for repairing. States: Ok, Needs Repair, Repaired, Awaiting. PUT /trucks/6/repair → 202 Accepted
  56. Async Requests. Scenario: Trucks are regularly reviewed and marked for repairing. States: Ok, Needs Repair, Repaired, Awaiting. PUT /trucks/6/repair → 202 Accepted
  57. Async Requests: How do we deal with task-intensive state transitions?
  58. Async Requests: How do we deal with task-intensive state transitions? We make them async.
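The truck scenario as an added example, not the talk's code. The state chain assumed here is ok → needs_repair → awaiting → repaired, with the awaiting-to-repaired step triggered by the workshop, outside the API owner's control; that is why PUT /trucks/6/repair answers 202 Accepted with a status resource to poll instead of the truck's final state. The job URI layout and the 303 redirect on completion are assumptions. Task-intensive transitions use the same shape: accept, return the status resource, finish later.

```python
# Allowed transitions: (current state, action) -> next state.
TRANSITIONS = {
    ("ok", "review_fail"): "needs_repair",
    ("needs_repair", "repair"): "awaiting",     # from here on the workshop decides
    ("awaiting", "workshop_done"): "repaired",
    ("repaired", "review_ok"): "ok",
}
# Actions whose completion we cannot observe synchronously.
ASYNC_ACTIONS = {"repair"}


class TruckApi:
    def __init__(self):
        self.trucks = {}        # truck id -> state
        self.jobs = {}          # job id -> {"truck": id, "state": pending|done}

    def transition(self, truck_id, action):
        """Handle e.g. PUT /trucks/6/repair. Returns (status, headers, body)."""
        state = self.trucks[truck_id]
        nxt = TRANSITIONS.get((state, action))
        if nxt is None:
            # Invalid for the current state: refuse rather than guess.
            return 409, {}, {"error": "invalid_transition", "from": state, "action": action}
        self.trucks[truck_id] = nxt
        if action in ASYNC_ACTIONS:
            job_id = f"{truck_id}-{action}"
            self.jobs[job_id] = {"truck": truck_id, "state": "pending"}
            # 202: accepted, not done; Location points at the status resource.
            return 202, {"Location": f"/trucks/{truck_id}/jobs/{job_id}"}, {}
        return 200, {}, {"id": truck_id, "state": nxt}

    def job(self, job_id):
        """GET on the status resource. Pending -> 200 with the job; done -> 303 to the truck."""
        j = self.jobs.get(job_id)
        if j is None:
            return 404, {}, {}
        if j["state"] == "done":
            return 303, {"Location": f"/trucks/{j['truck']}"}, {}
        return 200, {}, dict(j)

    def workshop_callback(self, job_id):
        """External event completing the transition; not driven by any API client."""
        j = self.jobs[job_id]
        truck = j["truck"]
        self.trucks[truck] = TRANSITIONS[(self.trucks[truck], "workshop_done")]
        j["state"] = "done"


if __name__ == "__main__":
    api = TruckApi()
    api.trucks["6"] = "needs_repair"
    print(api.transition("6", "repair"))       # 202 + Location
    print(api.job("6-repair"))                 # pending
    api.workshop_callback("6-repair")
    print(api.job("6-repair"), api.trucks["6"])  # 303 to /trucks/6, repaired
```

The status resource is what keeps the API honest: a client never receives a representation claiming a state the server cannot vouch for, and an out-of-order or repeated "repair" on a truck that is already awaiting or repaired is rejected by the transition table rather than silently re-queued.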
  59. Flexibility & Decoupling
  60. Flexibility & Decoupling: Mediation router + message broker.
  61. Flexibility & Decoupling. Scenario: Mail template: From, To, Subject, Template name. Providers: Amazon, Mailchimp, Elastic Mail.
  62. Flexibility & Decoupling. Scenario (figure only).
  63. Flexibility & Decoupling. Scenario (figure only).
  64. Speaking in silver: i18n
  65. i18n: GET /i18n/es_ES Body: { "country": "ES", "lang": "es", "data": { "key": "localized message", ... } } Single-page app.
  66. API Specification
  67. (no slide text)
  68. Swagger. API Specification. Swagger editor: http://editor.swagger.io/ Locally: https://github.com/Byteflair/docker-swagger-editor: docker pull byteflair/swagger-editor; docker run -d -p <port>:9000 byteflair/swagger-editor
  69. RAML. API Specification. API Designer: http://api-portal.anypoint.mulesoft.com/raml/api-designer Docker image: https://github.com/Byteflair/docker-raml-editor: docker pull byteflair/raml-editor; docker run -d -p <port>:9013 byteflair/raml-editor
  70. OAuth 2 Cheatsheet
  71. OAuth 2 Cheatsheet (grid: who is authenticated, Client & User / User / Client, against Trusted / Untrusted clients).
  72. OAuth 2 Cheatsheet (same grid): Resource Owner Credentials → "My trusted native app".
  73. OAuth 2 Cheatsheet (same grid): Client Credentials → "A server app or CLI".
  74. OAuth 2 Cheatsheet (same grid): Authorization Code → "Third-party apps".
  75. OAuth 2 Cheatsheet (same grid): Implicit → "My single page app".
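The cheatsheet's choice of grant, as an added example (not the talk's code) that encodes its two axes as predicates: is a user present, and how far is the client trusted. `choose_grant(..., modern=False)` reproduces the mapping on the slides; the default reproduces the choice under the OAuth 2.0 Security Best Current Practice (RFC 9700), which retires the implicit and resource-owner-password grants and sends every user-facing client, single-page apps included, through the authorization code flow with PKCE. The `ClientProfile` fields and the profiles attached to the slide captions are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ClientProfile:
    user_present: bool      # is a resource owner interacting with the client?
    confidential: bool      # can the client keep a secret (runs server side)?
    first_party: bool       # written and operated by the API owner?
    browser_based: bool     # runs entirely in the browser (single-page app)?


def choose_grant(p, modern=True):
    """Return (grant type, set of protections the grant needs to be safe)."""
    if not p.user_present:
        # Only the client authenticates: a server app or CLI acting for itself.
        return "client_credentials", {"client_secret_or_private_key_jwt"}
    if not modern:
        # The slides' mapping: trusted first-party native app -> user's password
        # handed to the client; browser app -> implicit; everything else -> code.
        if p.browser_based:
            return "implicit", {"registered_redirect_uri"}
        if p.first_party:
            return "resource_owner_password_credentials", {"tls"}
        return "authorization_code", {"registered_redirect_uri", "client_secret"}
    # BCP: one user-facing flow. PKCE binds the code to the client instance that
    # started the flow, which is what a public client (native or browser) has
    # instead of a secret; a confidential client adds its secret on top.
    protections = {"registered_redirect_uri", "pkce", "state_or_nonce"}
    if p.confidential:
        protections.add("client_secret")
    return "authorization_code", protections


# The four client kinds named on the slides (profiles assumed for this example;
# "third party apps" is taken to be a server-side application).
SLIDE_CLIENTS = {
    "my trusted native app": ClientProfile(user_present=True, confidential=False, first_party=True, browser_based=False),
    "a server app or cli":   ClientProfile(user_present=False, confidential=True, first_party=True, browser_based=False),
    "third party apps":      ClientProfile(user_present=True, confidential=True, first_party=False, browser_based=False),
    "my single page app":    ClientProfile(user_present=True, confidential=False, first_party=True, browser_based=True),
}


def compare():
    """Side by side: the slides' grant and the BCP grant for each client kind."""
    return {name: (choose_grant(p, modern=False)[0], choose_grant(p)[0])
            for name, p in SLIDE_CLIENTS.items()}


if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:24} slides: {old:38} bcp: {new}")
```

The practical consequence for an API owner: "my trusted native app" no longer earns the right to see the user's password, and a single-page app gets its token through a redirect plus a code exchange instead of a token in the URL fragment.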
  76. Packaging & Monetizing
  77. Packaging: How to offer different products on top of the same API?
  78. Packaging: How to offer different products on top of the same API? BUNDLING: subsets of functionality.
  79. Packaging: How to offer different products on top of the same API? BUNDLING: subsets of functionality. THROTTLING: requests.
  80. Packaging: How to offer different products on top of the same API? BUNDLING: subsets of functionality. THROTTLING: requests. Needs a proxy and a means of updating policies.
  81. Monetizing
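Bundling and throttling at the proxy the packaging slides call for, as an added example that is not the talk's code: a plan is a bundle of operations plus a request limit per window, API keys are bound to plans, and plans can be replaced while the gateway runs, which is the "means of updating policies". The operations, plan names and keys are constructed; the fixed-window counter is one simple choice among several.

```python
import time
from dataclasses import dataclass


@dataclass
class Plan:
    name: str
    bundle: frozenset     # operations as "METHOD /path-prefix"
    limit: int            # requests allowed per window
    window: int           # window length in seconds


class Gateway:
    def __init__(self, clock=time.monotonic):
        self.clock = clock          # injectable so the window logic can be tested
        self.plans = {}             # plan name -> Plan
        self.keys = {}              # api key -> plan name
        self.counters = {}          # (api key, window start) -> request count

    def set_plan(self, plan):
        """Install or replace a policy without restarting the proxy."""
        self.plans[plan.name] = plan

    def bind_key(self, api_key, plan_name):
        self.keys[api_key] = plan_name

    @staticmethod
    def _in_bundle(plan, method, path):
        for op in plan.bundle:
            op_method, _, prefix = op.partition(" ")
            # Match whole path segments only: "/vehicles" must not cover "/vehiclesX".
            if op_method == method and (path == prefix or path.startswith(prefix + "/")):
                return True
        return False

    def admit(self, api_key, method, path):
        """Decide before forwarding. Returns (status, reason); 200 means forward."""
        plan_name = self.keys.get(api_key)
        if plan_name is None:
            return 401, "unknown api key"
        plan = self.plans[plan_name]
        if not self._in_bundle(plan, method, path):
            return 403, f"{method} {path} is not in plan {plan.name}"
        # Bundle check comes first so a refused call does not consume quota.
        window_start = int(self.clock() // plan.window) * plan.window
        slot = (api_key, window_start)
        count = self.counters.get(slot, 0)
        if count >= plan.limit:
            return 429, f"limit of {plan.limit} requests per {plan.window}s exceeded"
        self.counters[slot] = count + 1
        return 200, "admitted"


def demo():
    """Constructed plans and keys; returns the status of each decision in order."""
    t = [0.0]
    gw = Gateway(clock=lambda: t[0])
    gw.set_plan(Plan("free", frozenset({"GET /vehicles"}), limit=2, window=60))
    gw.set_plan(Plan("pro", frozenset({"GET /vehicles", "POST /sessions"}), limit=1000, window=60))
    gw.bind_key("k-free", "free")
    gw.bind_key("k-pro", "pro")
    out = [gw.admit("nobody", "GET", "/vehicles")[0],       # 401
           gw.admit("k-free", "POST", "/sessions")[0],      # 403: not bundled
           gw.admit("k-free", "GET", "/vehicles")[0],       # 200
           gw.admit("k-free", "GET", "/vehicles/1")[0],     # 200
           gw.admit("k-free", "GET", "/vehicles")[0],       # 429: third in window
           gw.admit("k-pro", "POST", "/sessions")[0]]       # 200
    gw.set_plan(Plan("free", frozenset({"GET /vehicles"}), limit=5, window=60))  # policy update
    out.append(gw.admit("k-free", "GET", "/vehicles")[0])   # 200 under the new limit
    t[0] = 61.0                                             # next window
    out.append(gw.admit("k-free", "GET", "/vehicles")[0])   # 200
    return out


if __name__ == "__main__":
    print(demo())
```

Keeping the bundle check ahead of the counter means probing for operations outside the plan costs the caller nothing in quota but also gains nothing, and the 403 leaves a clear trail in the proxy log of which key asked for what.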
  82. Tools
  83. Tools
  84. "Weapons should be adapted to your personal qualities and be one you can handle." Miyamoto Musashi
  85. Don't become an extremist.
  86. ? Daniel Cerecedo, @dcerecedo. Thanks.
