The Software Engineer’s Guide to Public APIs

A presentation at KCDC 2021 in September 2021 in Kansas City, MO, USA by Scott McAllister

Slide 1

The Software Engineer’s Guide to Public APIs
Scott McAllister (@stmcallister)

Slide 2

Slide 3

Why APIs?
Because every business is a Digital Business, and digital businesses communicate via APIs:
Make payments, Shop online, Get around, Be entertained, Do work, Order food, Buy anything, Stay healthy, Be connected

Slide 4

What is an API?

Slide 5

API Standards: HTTP
POST: Create data
GET: Read data
PUT: Update data
DELETE: Delete data

Slide 6

HTTP Messages
An HTTP message has three parts:
Method: the action being taken (POST, GET, PUT, DELETE)
Header: information about the data in the message
Body: the data being sent

Slide 7

Authorization Header
Contains the API token that is required to authenticate and authorize each request to the API.

Slide 8

Authentication: OAuth
A token is created automatically for each user of the client app.

Slide 9

A long time ago in a galaxy far, far away….

Slide 10

Diagram: Your App and Google Calendar

Slide 11

Diagram: Your App sends the user’s Google username and password to Google Calendar and receives calendar data.

Slide 12

Password Anti-Pattern
Diagram: Your App sends the user’s Google username and password to Google Calendar and receives calendar data.

Slide 13

No easy way to revoke access from the client app.

Slide 14

Once they’re in, they’re hard to stop.

Slide 15

Access: All or Nothing

Slide 16

User can’t remove credentials from third-party apps.

Slide 17

OAuth

Slide 18

OAuth
❏ Open standard for authorizing secure access on an HTTP service
❏ Uses tokens rather than password data to prove identity
❏ Provides “secure delegated access” to client applications
❏ Limits the user’s scope of access

Slide 19

OAuth with Client Secret

Slide 20

Keep it Secret. Keep it safe.

Slide 21

Diagram: Client App and PagerDuty
❏ Client App → PagerDuty: Request authorization with Client ID and Redirect URI

Slide 22

Diagram: Client App and PagerDuty
❏ Client App → PagerDuty: Request authorization with Client ID and Redirect URI
❏ User allows or denies access

Slide 23

Diagram: Client App and PagerDuty
❏ Client App → PagerDuty: Request authorization with Client ID and Redirect URI
❏ User allows or denies access
❏ PagerDuty → Client App: Auth code returned

Slide 24

Diagram: Client App and PagerDuty
❏ Client App → PagerDuty: Request authorization with Client ID and Redirect URI
❏ User allows or denies access
❏ PagerDuty → Client App: Auth code returned
❏ Client App → PagerDuty: Request Access Token with Auth Code, Client ID and Client Secret

Slide 25

Diagram: Client App and PagerDuty
❏ Client App → PagerDuty: Request authorization with Client ID and Redirect URI
❏ User allows or denies access
❏ PagerDuty → Client App: Auth code returned
❏ Client App → PagerDuty: Request Access Token with Auth Code, Client ID and Client Secret
❏ PagerDuty → Client App: Access Token returned

Slide 26

OAuth with Proof Key for Code Exchange (PKCE)

Slide 27

PKCE Terms
❏ Code_verifier: random 128-byte, base64url-encoded value
❏ Code_challenge: hashed, base64url-encoded (no padding) value of the Code_verifier
❏ Challenge_method: the hash method used

Slide 28

Diagram: Client App and PagerDuty

Slide 29

Diagram: Client App and PagerDuty
❏ Client App: Generate & save code verifier
❏ Client App: Create code challenge

Slide 30

Diagram: Client App and PagerDuty
❏ Client App: Generate & save code verifier
❏ Client App: Create code challenge
❏ Client App → PagerDuty: Request authorization with Client ID, Code Challenge, Code Challenge Method, and Redirect URI
❏ User allows or denies access

Slide 31

Diagram: Client App and PagerDuty
❏ Client App: Generate & save code verifier
❏ Client App: Create code challenge
❏ Client App → PagerDuty: Request authorization with Client ID, Code Challenge, Code Challenge Method, and Redirect URI
❏ User allows or denies access
❏ PagerDuty → Client App: Auth code returned

Slide 32

Diagram: Client App and PagerDuty
❏ Client App: Generate & save code verifier
❏ Client App: Create code challenge
❏ Client App → PagerDuty: Request authorization with Client ID, Code Challenge, Code Challenge Method, and Redirect URI
❏ User allows or denies access
❏ PagerDuty → Client App: Auth code returned
❏ Client App → PagerDuty: Request Access Token with Auth Code, Client ID and Code Verifier
❏ PagerDuty: Validates code & code verifier

Slide 33

Diagram: Client App and PagerDuty
❏ Client App: Generate & save code verifier
❏ Client App: Create code challenge
❏ Client App → PagerDuty: Request authorization with Client ID, Code Challenge, Code Challenge Method, and Redirect URI
❏ User allows or denies access
❏ PagerDuty → Client App: Auth code returned
❏ Client App → PagerDuty: Request Access Token with Auth Code, Client ID and Code Verifier
❏ PagerDuty: Validates code & code verifier
❏ PagerDuty → Client App: Access Token returned
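The PKCE steps on slides 27 through 33, worked as an added example (not code from the talk or from PagerDuty): the client builds the verifier and S256 challenge, and a constructed in-memory authorization server stands in for PagerDuty, validating the code and code verifier before issuing a token. The client ID, redirect URI and token format are placeholders; the verifier length follows RFC 7636 rather than the slide's 128-byte figure.

```python
import base64
import hashlib
import hmac
import secrets

def b64url(data: bytes) -> str:
    """base64url-encode with the '=' padding removed, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier() -> str:
    """Client: random secret, saved until the token request.
    RFC 7636 allows 43..128 characters; 96 random bytes encode to exactly 128."""
    return b64url(secrets.token_bytes(96))

def make_code_challenge(verifier: str) -> str:
    """Client: S256 challenge = base64url(SHA-256(verifier)); sent with the authorize request."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

class AuthorizationServer:
    """Constructed stand-in for the PagerDuty side of the flow (in-memory state)."""

    def __init__(self):
        self._pending = {}  # auth_code -> (client_id, code_challenge)

    def authorize(self, client_id, code_challenge, method, redirect_uri, user_allows=True):
        """Keep the challenge under a one-time auth code; only S256 is accepted here."""
        if method != "S256" or not user_allows:
            return None
        code = b64url(secrets.token_bytes(24))
        self._pending[code] = (client_id, code_challenge)
        return code

    def token(self, auth_code, client_id, code_verifier):
        """Validate code & code verifier: recompute the challenge, compare in constant time."""
        entry = self._pending.pop(auth_code, None)  # pop: an auth code is redeemable once
        if entry is None or entry[0] != client_id:
            return None
        if not hmac.compare_digest(make_code_challenge(code_verifier), entry[1]):
            return None
        return "at-" + b64url(secrets.token_bytes(16))

def run_pkce_flow(server, client_id="demo-client", wrong_verifier=False):
    """Walk the slides' steps end to end; returns the access token, or None if refused."""
    verifier = make_code_verifier()                     # generate & save code verifier
    challenge = make_code_challenge(verifier)           # create code challenge
    code = server.authorize(client_id, challenge, "S256", "https://app.example/cb")
    sent = make_code_verifier() if wrong_verifier else verifier  # wrong: has the code, not the verifier
    return server.token(code, client_id, sent)
```

A party holding only the auth code cannot redeem it, which is the property PKCE adds over the client-secret flow for apps that cannot keep a secret.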

Slide 34

Automation

Slide 35

How to get updates? Polling vs Webhooks

Slide 36

Polling: “Are you done yet?”

Slide 37

Webhooks: “May I have your attention, please!”

Slide 38

Diagram: Event happens!!! PagerDuty → Client App: Webhook message (HTTP POST)

Slide 39

Webhook Payloads: Thin vs. not so thin?

Slide 40

Thin Payload

Slide 41

“Heavy” Payload

Slide 42

Rate Limiting: Call Limit vs Rate Limit
Call Limit: the number of times the API may be invoked in a certain time period; usually a business choice.
Rate Limit: imposed for reasons of fairness, so that one customer doesn’t overwhelm the infrastructure and affect other customers.

Slide 43

Rate Limiting: Rate Limit Response
The response to the API call will say
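The rate-limit response of slides 42 and 43, worked as an added example (not code from the talk or PagerDuty's actual behaviour): a constructed server-side limiter answers 429 Too Many Requests with a Retry-After header, and a constructed client backs off by that amount instead of retrying immediately. The sliding-window algorithm, the per-client limit and the fake clock are assumptions; the slides do not specify PagerDuty's algorithm or headers.

```python
import math
from collections import deque

class RateLimiter:
    """Constructed server-side limiter: at most `limit` calls per `window` seconds per client.
    A sliding window is assumed; the slides do not say which algorithm PagerDuty uses."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._calls = {}  # client_id -> deque of call timestamps inside the window

    def handle(self, client_id: str, now: float) -> dict:
        """Minimal HTTP-style response: 200, or 429 Too Many Requests with Retry-After."""
        q = self._calls.setdefault(client_id, deque())
        while q and now - q[0] >= self.window:  # forget calls that left the window
            q.popleft()
        if len(q) >= self.limit:
            wait = max(1, math.ceil(self.window - (now - q[0])))  # seconds until the oldest call expires
            return {"status": 429, "headers": {"Retry-After": str(wait)}}
        q.append(now)
        return {"status": 200, "headers": {}}

class ApiClient:
    """Constructed client that honours the 429 response instead of retrying immediately."""

    def __init__(self, limiter, client_id, clock, sleep):
        self.limiter, self.client_id = limiter, client_id
        self.clock, self.sleep = clock, sleep  # injected so the example runs without real waiting

    def call(self, max_retries: int = 3) -> dict:
        """Call the API; on 429, wait exactly as long as Retry-After says, then try again."""
        for _ in range(max_retries + 1):
            resp = self.limiter.handle(self.client_id, self.clock())
            if resp["status"] != 429:
                return resp
            self.sleep(float(resp["headers"]["Retry-After"]))
        raise RuntimeError("rate limit still in effect after retries")

class FakeClock:
    """Constructed clock: sleeping advances simulated time instead of blocking."""

    def __init__(self):
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds
```

Because the limiter is keyed per client, one customer exhausting its budget does not change the answer another customer gets, which is the fairness goal slide 42 describes.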

Slide 44

Developer Experience

Slide 45

Slide 46
