the connected app

Paul Bakker - The Orange Dots - ServoyWorld '17

UX

Customer Value

Customer Retention

Platform Hacking

Agility

Focus

API vs. Integration

Push vs. Pull

REST

Webhooks

SDKs

GraphQL / Falcor
gRPC

Queues

GET: get resource(s)

POST: create resource

PUT: update/(overwrite) resource

PATCH: update resource

DELETE: remove resource

(OPTIONS): discover which methods the resource allows (answered in the Allow header; also used for CORS preflight)

HTTP Methods

http://mydomain.com/api/customers

Nouns

Stateless

HTTP Status Codes

JSON API errors
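Added example (not code from the talk): the customers resource from the URL slide as a single in-memory handler, showing the method semantics above and the status codes that go with them. PUT demands the complete representation, PATCH merges only whitelisted fields (so a client cannot set attributes it is not meant to, the classic mass-assignment hole), unknown methods get 405 plus Allow, missing resources get a JSON API style error document. The Node-style `(method, id, body) -> { status, headers, body }` shape and the seed row are assumptions for the demo.

```javascript
const ALLOWED = ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'];
const FIELDS = ['name', 'email'];   // the only client-writable attributes (prevents mass assignment)

// JSON API style error document; "status" is a string in the spec
function errorDoc(status, title, detail) {
  return { errors: [{ status: String(status), title, detail }] };
}

// Body is an object whose keys are all whitelisted string fields (any subset, for PATCH)
function hasOnlyKnownFields(body) {
  return body !== null && typeof body === 'object' && !Array.isArray(body) &&
    Object.keys(body).every((k) => FIELDS.includes(k) && typeof body[k] === 'string');
}

// Body carries every field (required for POST and PUT)
function isCompleteCustomer(body) {
  return hasOnlyKnownFields(body) && FIELDS.every((k) => typeof body[k] === 'string');
}

// Returns a handler (method, id, body) -> { status, headers?, body? } over its own in-memory store.
// `id` is undefined for the collection URL /api/customers and a string for /api/customers/{id}.
function createCustomersResource() {
  const customers = new Map([['1', { name: 'Ada', email: 'ada@example.com' }]]);  // constructed seed row
  let nextId = 2;
  const allow = { Allow: ALLOWED.join(', ') };

  return function handle(method, id, body) {
    if (!ALLOWED.includes(method)) return { status: 405, headers: allow, body: errorDoc(405, 'Method Not Allowed') };
    if (method === 'OPTIONS') return { status: 204, headers: allow };

    if (id === undefined) {                       // collection
      if (method === 'GET') return { status: 200, body: [...customers].map(([cid, c]) => ({ id: cid, ...c })) };
      if (method === 'POST') {
        if (!isCompleteCustomer(body)) return { status: 400, body: errorDoc(400, 'Bad Request', 'name and email are required') };
        const cid = String(nextId++);
        customers.set(cid, { name: body.name, email: body.email });
        return { status: 201, headers: { Location: `/api/customers/${cid}` }, body: { id: cid, ...customers.get(cid) } };
      }
      return { status: 405, headers: { Allow: 'GET, POST, OPTIONS' }, body: errorDoc(405, 'Method Not Allowed') };
    }

    const existing = customers.get(id);           // single resource
    if (existing === undefined) return { status: 404, body: errorDoc(404, 'Not Found', `customer ${id} does not exist`) };
    switch (method) {
      case 'GET':
        return { status: 200, body: { id, ...existing } };
      case 'PUT':   // full replacement: the body must carry every field
        if (!isCompleteCustomer(body)) return { status: 400, body: errorDoc(400, 'Bad Request', 'PUT requires the complete representation') };
        customers.set(id, { name: body.name, email: body.email });
        return { status: 200, body: { id, ...customers.get(id) } };
      case 'PATCH': // partial update: only whitelisted fields may appear, and only those change
        if (!hasOnlyKnownFields(body)) return { status: 400, body: errorDoc(400, 'Bad Request', 'unknown field in PATCH body') };
        customers.set(id, { ...existing, ...body });
        return { status: 200, body: { id, ...customers.get(id) } };
      case 'DELETE':
        customers.delete(id);
        return { status: 204 };
      default:      // POST on a single resource
        return { status: 405, headers: { Allow: 'GET, PUT, PATCH, DELETE, OPTIONS' }, body: errorDoc(405, 'Method Not Allowed') };
    }
  };
}
```

Wire `handle` to a router (Restify, as listed later in the talk, or plain `http`) by mapping the URL to `id` and the parsed JSON body to `body`; the handler itself stays free of framework types, which is what keeps it testable.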

Versioning

To Think About

  • Versionless
  • In the URL: mydomain.com/api/v1/customers
  • In the content-type
  • Both in the url and content-type

Content-Type

  • Support JSON, XML? YAML? Something else?
  • Specify version
  • Response format


Example: Content-Type: application/vnd.myname.v1+json
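Added example (not from the talk): parsing the vendor media type above and negotiating a version from the Accept and Content-Type headers. The vendor name `myname` comes from the slide; the supported-version table, the `negotiate` function and the strict policy (no silent fallback to "latest" when the client names no version, 406 instead; body in a different version than the requested response, 415) are assumptions for the demo.

```javascript
const VENDOR = 'myname';
// Versions this hypothetical API still serves and the formats each can produce
const SUPPORTED = { 1: ['json'], 2: ['json', 'xml'] };

// Parse one media type such as "application/vnd.myname.v1+json; charset=utf-8".
// Returns { version, format } or null when it is not one of our versioned types.
function parseVersionedMediaType(value) {
  if (typeof value !== 'string') return null;
  const mediaType = value.split(';')[0].trim().toLowerCase();
  const m = /^application\/vnd\.([a-z0-9-]+)\.v(\d+)\+([a-z0-9]+)$/.exec(mediaType);
  if (m === null || m[1] !== VENDOR) return null;
  return { version: Number(m[2]), format: m[3] };
}

function isSupported(mt) {
  return mt !== null && Array.isArray(SUPPORTED[mt.version]) && SUPPORTED[mt.version].includes(mt.format);
}

// Pick the response representation from an Accept header. Entries are tried in q-value order and
// the first supported versioned type wins. No fallback: an unknown or missing version is 406
// rather than being silently served by the newest (or oldest) version.
function negotiate(acceptHeader, contentTypeHeader, hasBody) {
  const candidates = (typeof acceptHeader === 'string' ? acceptHeader.split(',') : [])
    .map((entry) => {
      const q = /;\s*q=([0-9.]+)/i.exec(entry);
      return { entry, q: q ? Number(q[1]) : 1 };
    })
    .filter((c) => c.q > 0)
    .sort((a, b) => b.q - a.q)
    .map((c) => parseVersionedMediaType(c.entry))
    .filter(isSupported);
  if (candidates.length === 0) return { status: 406 };
  const chosen = candidates[0];
  if (hasBody) {
    // The request body must be in the same API version, else 415 Unsupported Media Type
    const ct = parseVersionedMediaType(contentTypeHeader);
    if (!isSupported(ct) || ct.version !== chosen.version) return { status: 415 };
  }
  return {
    status: 200,
    version: chosen.version,
    format: chosen.format,
    contentType: `application/vnd.${VENDOR}.v${chosen.version}+${chosen.format}`,
  };
}
```

The `contentType` returned is what goes back on the response, so the client always sees which version actually answered; when a version is retired, remove it from `SUPPORTED` and its callers get a 406 instead of subtly different behaviour.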

Pagination / HATEOAS

{
  "links": {
    "self": "http://example.com/articles",
    "next": "http://example.com/articles?page[offset]=2",
    "last": "http://example.com/articles?page[offset]=10"
  },
  "data": [{
    "type": "articles",
    "id": "1",
    "attributes": {
      "title": "JSON API paints my bikeshed!"
    },
    "relationships": {
      "author": {
        "links": {
          "self": "http://example.com/articles/1/relationships/author",
          "related": "http://example.com/articles/1/author"
        },
        "data": { "type": "people", "id": "9" }
      },
      "comments": {
        "links": {
          "self": "http://example.com/articles/1/relationships/comments",
          "related": "http://example.com/articles/1/comments"
        },
        "data": [
          { "type": "comments", "id": "5" },
          { "type": "comments", "id": "12" }
        ]
      }
    },
    "links": {
      "self": "http://example.com/articles/1"
    }
  }]
}
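Added example (not from the talk or jsonapi.org): building the `links` block of the document above for an articles collection with offset/limit paging, plus the 400 error document for bad page parameters. The page parameter names `page[offset]` and `page[limit]`, the cap on page size (an uncapped `page[limit]` is a cheap way to make a server load its whole table) and the 25 sample articles are constructed for the demo; `prev`/`next` are omitted when there is no such page.

```javascript
const MAX_LIMIT = 100;   // cap page size: an unbounded page[limit] is an easy way to exhaust the server

// Validate page[offset] / page[limit] from the parsed query string. Returns either
// { offset, limit } or { error } with a message for the JSON API error document.
function parsePageParams(query) {
  const raw = (name, fallback) => (query[name] === undefined ? fallback : Number(query[name]));
  const offset = raw('page[offset]', 0);
  const limit = raw('page[limit]', 20);
  if (!Number.isInteger(offset) || offset < 0) return { error: 'page[offset] must be a non-negative integer' };
  if (!Number.isInteger(limit) || limit < 1 || limit > MAX_LIMIT) {
    return { error: `page[limit] must be an integer between 1 and ${MAX_LIMIT}` };
  }
  return { offset, limit };
}

// JSON API "links" for offset/limit paging. prev/next are left out (not null) when there is no such page.
function paginationLinks(baseUrl, offset, limit, total) {
  const url = (o) => `${baseUrl}?page[offset]=${o}&page[limit]=${limit}`;
  const lastOffset = total === 0 ? 0 : Math.floor((total - 1) / limit) * limit;
  const links = { self: url(offset), first: url(0), last: url(lastOffset) };
  if (offset > 0) links.prev = url(Math.max(0, offset - limit));
  if (offset + limit < total) links.next = url(offset + limit);
  return links;
}

// Build the collection response: { status, body } where body is a JSON API document.
function articlesPage(allArticles, query, baseUrl) {
  const page = parsePageParams(query);
  if (page.error) {
    return { status: 400, body: { errors: [{ status: '400', title: 'Invalid pagination parameter', detail: page.error }] } };
  }
  const { offset, limit } = page;
  const data = allArticles.slice(offset, offset + limit).map((a) => ({
    type: 'articles',
    id: String(a.id),
    attributes: { title: a.title },
    links: { self: `${baseUrl}/${a.id}` },
  }));
  return { status: 200, body: { links: paginationLinks(baseUrl, offset, limit, allArticles.length), data } };
}

// Constructed sample data: 25 articles
const SAMPLE_ARTICLES = Array.from({ length: 25 }, (_, i) => ({ id: i + 1, title: `Article ${i + 1}` }));
```

Because the client follows `next`/`last` instead of computing offsets itself, the server is free to change the paging scheme later (for example to cursor-based paging) without breaking callers, which is the HATEOAS point of the slide.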

Authentication vs. Authorization

Token-based Flow

JSON Web Tokens (JWT)


/*--------------- Authentication Server: Token Generation ---------------*/
let header = base64UrlEncode({
    typ: 'JWT',
    alg: 'RS256'   // JWA name for RSASSA-PKCS1-v1_5 with SHA-256
});

let payload = base64UrlEncode({
    userId: 'b08f86af-35da-48f2-8fab-cef3904660bd',
    scopes: { messages: { actions: ['send'] } }   // see the Scopes slide
});

let data = header + '.' + payload;

// Signing needs only the private key; the public key is what verifiers get
let signature = RSASHA256(data, privateKey);

let jwtToken = data + '.' + signature;

/*--------------- Client: HTTP Request ---------------*/
req.setRequestHeader('Authorization', 'Bearer ' + jwtToken);

/*--------------- Resource Server: handle request ---------------*/
let publicKey = getPublicKey();
let authHeader = getHeader('Authorization');   // "Bearer <token>"
let token = authHeader && authHeader.startsWith('Bearer ')
    ? authHeader.slice('Bearer '.length)
    : null;

// Pin the algorithm you expect instead of trusting the token's own "alg" field
// (with jsonwebtoken: jwt.verify(token, publicKey, { algorithms: ['RS256'] }))
let valid = token !== null && verify(token, publicKey, { algorithms: ['RS256'] });

if (valid) {
    let content = getTokenContent(token);

    if (content.scopes.messages && content.scopes.messages.actions.includes('send')) {
        // Authorized to send messages
        // Your message-sending logic here
    } else {
        // Authenticated but not authorized: respond 403
    }
} else {
    // Missing, malformed, expired or badly signed token: respond 401
}

Additional: JSON Web Signature (JWS), JSON Web Encryption (JWE)

Scopes

{
  ...
  scopes: {
    messages: {
      actions: ['send']
    },
    storage: {
      actions: ['modify', 'delete']
    },
    location: {
      actions: ['read']
    },
    ...
  }
}

Access Token Lifetime

  • Non-expiring access tokens

  • Short-lived access tokens and no refresh tokens

  • Short-lived access tokens and long-lived refresh tokens

Refresh tokens

Application Registration

Authorize Application

Authorized App

On the Servoy side

Separate Business Logic

Stateless (pure functions)


CQRS

Scaling

High Availability

Monitoring

Security

Throttling

Caching

Documentation

Servoy RESTful Web Services

Pros

  • Contained within the realm of a Servoy Solution
  • Easy to get started

Cons

  • No access to request headers
  • Scaling
  • Integration with useful tools

${your_favorite_stack}

Pros

  • Full control
  • Better integrated tooling

Cons

  • More initial work to get started
  • Managing an additional stack

NodeJS

Restify
node-oauth2-server
jsonwebtoken
RabbitMQ


Parting Gift

jsonapi.org

mulesoft.com/lp/ebook/api/restbook
jwt.io/
digitalocean.com/community/tutorials/an-introduction-to-oauth-2

By paulbakker

Nowadays, just building a great app isn't enough anymore; the world is a connected place, so you had better make sure your app is connected too! In this session I'll take you from the business case of connected apps all the way down to some of the nitty-gritty details of providing a REST API.