the connected app
Paul Bakker - The Orange Dots - ServoyWorld '17
UX
Customer Value
Customer Retention
Platform Hacking
Agility
Focus
API vs. Integration
Push vs. Pull
Rest
Webhooks
SDKs
GraphQL / Falcor
gRPC
Queues
GET: get resource(s)
POST: create resource
PUT: update/(overwrite) resource
PATCH: update resource
DELETE: remove resource
(OPTIONS): get available operations on the resource?
HTTP Methods
http://mydomain.com/api/customers
Nouns
Stateless
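The verb list above maps onto concrete behaviour once you write the handler. The following is an added example (not code from the talk) with a constructed in-memory `customers` store: it shows PUT replacing the whole representation, PATCH merging into it, POST assigning the id server-side, OPTIONS advertising the allowed methods, and a field whitelist so a client body can never set `id` or other unexpected fields. The `handle`, `createStore` and `pick` names are assumptions for this example.

```javascript
const ALLOWED = ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'];
const WRITABLE_FIELDS = ['name', 'email'];   // whitelist: clients never set id or anything else

// Constructed sample store (assumption: a single "customers" collection)
function createStore() { return { customers: new Map(), nextId: 1 }; }

// Keep only whitelisted fields from a client body (guards against mass assignment)
function pick(body) {
  const out = {};
  for (const f of WRITABLE_FIELDS) if (body && body[f] !== undefined) out[f] = body[f];
  return out;
}

// Stateless request handler: everything it needs is in the request and the store,
// nothing is remembered between calls. Paths: /api/customers or /api/customers/<id>
function handle(store, method, path, body) {
  const m = /^\/api\/customers(?:\/(\d+))?$/.exec(path);
  if (!m) return { status: 404 };
  if (!ALLOWED.includes(method)) return { status: 405, headers: { Allow: ALLOWED.join(', ') } };
  const id = m[1] === undefined ? null : Number(m[1]);
  const existing = id === null ? undefined : store.customers.get(id);
  const collectionOnly = { status: 405, headers: { Allow: 'GET, POST, OPTIONS' } };

  switch (method) {
    case 'OPTIONS':   // get available operations on the resource
      return { status: 204, headers: { Allow: ALLOWED.join(', ') } };
    case 'GET':       // get resource(s)
      if (id === null) return { status: 200, body: [...store.customers.values()] };
      return existing ? { status: 200, body: existing } : { status: 404 };
    case 'POST': {    // create resource: collection only, server assigns the id
      if (id !== null) return { status: 405, headers: { Allow: 'GET, PUT, PATCH, DELETE, OPTIONS' } };
      const created = { ...pick(body), id: store.nextId++ };
      store.customers.set(created.id, created);
      return { status: 201, headers: { Location: `/api/customers/${created.id}` }, body: created };
    }
    case 'PUT': {     // update/(overwrite): the body replaces the whole representation
      if (id === null) return collectionOnly;
      if (!existing) return { status: 404 };
      const replaced = { ...pick(body), id };
      store.customers.set(id, replaced);
      return { status: 200, body: replaced };
    }
    case 'PATCH': {   // update: merge the supplied fields into the existing resource
      if (id === null) return collectionOnly;
      if (!existing) return { status: 404 };
      const merged = { ...existing, ...pick(body), id };
      store.customers.set(id, merged);
      return { status: 200, body: merged };
    }
    case 'DELETE':    // remove resource; the end state is the same however often it is repeated
      if (id === null) return collectionOnly;
      if (!existing) return { status: 404 };
      store.customers.delete(id);
      return { status: 204 };
    default:
      return { status: 405, headers: { Allow: ALLOWED.join(', ') } };
  }
}
```

The whitelist in `pick` is the part most often forgotten: without it, `{ ...body, id }` ordering decides whether a client can overwrite server-controlled fields.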
HTTP Status Codes
JSON API errors
Versioning
To Think About
- Versionless
- In the URL: mydomain.com/api/v1/customers
- In the content-type
- Both in the url and content-type
Content-Type
- Support JSON, XML? YAML? Something else?
- Specify version
- Response format
Example: Content-Type: application/vnd.myname.v1+json
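To make the versioning options concrete, here is an added example (not from the talk) implementing the "both in the URL and content-type" strategy with the slide's vendor media type: the URL version selects the route, the `Accept` header must name the same version and a supported format, and a request body must arrive with a matching `Content-Type`; every failure is answered with a JSON API style `errors` document and the appropriate status code. The supported version and format lists are constructed, and header names are assumed lowercased as Node's `http` module delivers them.

```javascript
const SUPPORTED_VERSIONS = [1, 2];   // constructed: versions this API serves
const SUPPORTED_FORMATS = ['json'];  // XML and YAML are deliberately not offered

// application/vnd.<vendor>.v<N>+<format>  ->  { vendor, version, format } | null
function parseVendorMediaType(value) {
  if (typeof value !== 'string') return null;
  const essence = value.split(';')[0].trim();   // drop parameters such as charset
  const m = /^application\/vnd\.([a-z0-9-]+)\.v(\d+)\+(json|xml|yaml)$/i.exec(essence);
  return m ? { vendor: m[1].toLowerCase(), version: Number(m[2]), format: m[3].toLowerCase() } : null;
}

// /api/v1/customers -> 1 ; /api/customers -> null
function parseUrlVersion(path) {
  const m = /^\/api\/v(\d+)(\/|$)/.exec(path);
  return m ? Number(m[1]) : null;
}

// jsonapi.org error document: an "errors" array, status carried as a string per error
function jsonApiError(status, title, detail) {
  return { status, body: { errors: [{ status: String(status), title, detail }] } };
}

// req = { path, headers: { accept, 'content-type' }, body? }
// Returns { status: 200, version, contentType } or an error response.
function negotiate(req) {
  const urlVersion = parseUrlVersion(req.path);
  if (urlVersion === null || !SUPPORTED_VERSIONS.includes(urlVersion)) {
    return jsonApiError(404, 'Not Found', 'Unknown API version in URL');
  }
  const accept = parseVendorMediaType(req.headers.accept);
  if (!accept || !SUPPORTED_FORMATS.includes(accept.format)) {
    return jsonApiError(406, 'Not Acceptable', 'Accept must be application/vnd.myname.v<N>+json');
  }
  if (accept.version !== urlVersion) {
    return jsonApiError(406, 'Not Acceptable', 'Accept version does not match the URL version');
  }
  if (req.body !== undefined) {                 // POST/PUT/PATCH carry a body
    const ct = parseVendorMediaType(req.headers['content-type']);
    if (!ct || ct.version !== urlVersion || !SUPPORTED_FORMATS.includes(ct.format)) {
      return jsonApiError(415, 'Unsupported Media Type', 'Body must be application/vnd.myname.v<N>+json');
    }
  }
  return { status: 200, version: urlVersion, contentType: `application/vnd.myname.v${urlVersion}+json` };
}
```

Parsing the media type with a strict pattern rather than a substring match is what keeps an unexpected format (or a parameter smuggled after `;`) from reaching the body parser.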
Pagination / HATEOAS
{
  "links": {
    "self": "http://example.com/articles",
    "next": "http://example.com/articles?page[offset]=2",
    "last": "http://example.com/articles?page[offset]=10"
  },
  "data": [{
    "type": "articles",
    "id": "1",
    "attributes": {
      "title": "JSON API paints my bikeshed!"
    },
    "relationships": {
      "author": {
        "links": {
          "self": "http://example.com/articles/1/relationships/author",
          "related": "http://example.com/articles/1/author"
        },
        "data": { "type": "people", "id": "9" }
      },
      "comments": {
        "links": {
          "self": "http://example.com/articles/1/relationships/comments",
          "related": "http://example.com/articles/1/comments"
        },
        "data": [
          { "type": "comments", "id": "5" },
          { "type": "comments", "id": "12" }
        ]
      }
    },
    "links": {
      "self": "http://example.com/articles/1"
    }
  }]
}
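The document above is the shape; what the server actually has to compute is the `links` object. This added example (not from the talk) builds it for a constructed article store using offset-based `page[offset]`/`page[limit]` parameters, emits `prev`/`next` only when they exist, gives every resource its own `self` link, and caps the page size so a client cannot pull the whole collection in one request. `parsePaging`, `buildPage` and `sampleArticles` are names assumed for this example; the brackets are left unescaped in the URLs as on the slide.

```javascript
const MAX_LIMIT = 100;     // constructed hard cap on page size
const DEFAULT_LIMIT = 10;

// Constructed sample data: n articles with ids 1..n
function sampleArticles(n) {
  return Array.from({ length: n }, (_, i) => ({ id: i + 1, title: `Article ${i + 1}` }));
}

// Parse and bound page[offset] / page[limit] from a parsed query object
// e.g. { 'page[offset]': '20', 'page[limit]': '10' }
function parsePaging(query) {
  const toInt = (v, fallback) => {
    const n = Number.parseInt(v, 10);
    return Number.isInteger(n) && n >= 0 ? n : fallback;   // negative or garbage -> fallback
  };
  const limit = Math.min(toInt(query['page[limit]'], DEFAULT_LIMIT) || DEFAULT_LIMIT, MAX_LIMIT);
  const offset = toInt(query['page[offset]'], 0);
  return { offset, limit };
}

function pageUrl(base, offset, limit) {
  return `${base}?page[offset]=${offset}&page[limit]=${limit}`;
}

// Build the jsonapi.org collection document: links (self/first/prev/next/last),
// one page of data with per-resource self links, and the total in meta.
function buildPage(base, allItems, { offset, limit }) {
  const total = allItems.length;
  const lastOffset = total === 0 ? 0 : Math.floor((total - 1) / limit) * limit;
  const links = {
    self: pageUrl(base, offset, limit),
    first: pageUrl(base, 0, limit),
    last: pageUrl(base, lastOffset, limit),
  };
  if (offset > 0) links.prev = pageUrl(base, Math.max(0, offset - limit), limit);
  if (offset + limit < total) links.next = pageUrl(base, offset + limit, limit);
  const data = allItems.slice(offset, offset + limit).map((a) => ({
    type: 'articles',
    id: String(a.id),                       // JSON API ids are strings
    attributes: { title: a.title },
    links: { self: `${base}/${a.id}` },
  }));
  return { links, data, meta: { total } };
}
```

Because the client only ever follows the links the server hands out, the server stays free to change the paging scheme later without breaking clients, which is the practical payoff of HATEOAS.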
Authentication vs. Authorization
Token-based Flow
JSON Web Tokens (JWT)
/*--------------- Authentication Server: Token Generation ---------------*/
// base64url (RFC 7515): base64 using '-' and '_' and without '=' padding
let header = base64UrlEncode({
  typ: 'JWT',
  alg: 'RS256'            // registered JOSE name for RSASSA-PKCS1-v1_5 with SHA-256
});
let payload = base64UrlEncode({
  userId: 'b08f86af-35da-48f2-8fab-cef3904660bd',
  scopes: { messages: { actions: ['send'] } },   // see the Scopes slide
  exp: Math.floor(Date.now() / 1000) + 300       // short-lived; see Access Token Lifetime
});
let data = header + '.' + payload;
// Signing needs the PRIVATE key only; the public key is what resource servers verify with
let signature = RSASHA256(data, privateKey);
let jwtToken = data + '.' + signature;

/*--------------- Client: HTTP Request ---------------*/
req.setRequestHeader('Authorization', 'Bearer ' + jwtToken);

/*--------------- Resource Server: handle request ---------------*/
let publicKey = getPublicKey();
let authHeader = getHeader('Authorization');        // "Bearer <token>"
let token = authHeader.replace(/^Bearer /, '');
let valid = verify(token, publicKey);               // checks alg, signature and exp
if (valid) {
  let content = getTokenContent(token);
  if (content.scopes.messages && content.scopes.messages.actions.includes('send')) {
    // Authorized to send messages
    // Your message send logic here
  } else {
    // Handle not authorized (HTTP 403)
  }
} else {
  // Handle invalid token (HTTP 401)
}
Additional: JSON Web Signature (JWS), JSON Web Encryption (JWE)
Scopes
{
  ...
  scopes: {
    messages: {
      actions: ['send']
    },
    storage: {
      actions: ['modify', 'delete']
    },
    location: {
      actions: ['read']
    },
    ...
  }
}
Access Token Lifetime
- Non-expiring access tokens
- Short-lived access tokens and no refresh tokens
- Short-lived access tokens and long-lived refresh tokens
Refresh tokens
Application Registration
Authorize Application
Authorized App
On the Servoy side
Separate Business Logic
Stateless (pure functions)
CQRS
Scaling
High Availability
Monitoring
Security
Throttling
Caching
Documentation
Servoy RESTful Web Services
Pros
- Contained within the realm of a Servoy Solution
- Easy to get started
Cons
- No access to request headers
- Scaling
- Integration with useful tools
${your_favorite_stack}
Pros
- Full control
- Better integrated tooling
Cons
- More initial work to get started
- Managing an additional stack
NodeJS
Restify
node-oauth2-server
jsonwebtoken
RabbitMQ
Parting Gift
jsonapi.org
mulesoft.com/lp/ebook/api/restbook
jwt.io/
digitalocean.com/community/tutorials/an-introduction-to-oauth-2
By paulbakker
Nowadays, just building a great app isn't enough anymore; the world is a connected place, so you had better make sure your app is connected too! In this session I'll take you from the business case of connected apps all the way down to some of the nitty-gritty details of providing a REST API.