A presentation at KCDC 2021 in Kansas City, MO, USA by Scott McAllister
The Software Engineer's Guide to Public APIs, Scott McAllister (@stmcallister)
Why APIs? Because every business is a digital business, and businesses communicate via APIs: make payments, shop online, get around, be entertained, do work, order food, buy anything, stay healthy, be connected.
What is an API?
API Standards: HTTP methods. POST creates data, GET reads data, PUT updates data, DELETE deletes data.
HTTP Messages: an HTTP message has a Method (the action being taken: POST, GET, PUT, DELETE), a Header (information about the data in the message) and a Body (the data being sent).
Authorization Header: contains the API token, which is required to authenticate and authorize each request with the API.
Authentication: an OAuth token is created automatically for each user of the client app.
A long time ago in a galaxy far, far away…
Your App and Google Calendar.
Your App sends the user's Google username and password to Google Calendar; Google Calendar returns the calendar data.
Password Anti-Pattern: Your App holds the user's Google username and password in order to fetch calendar data.
No easy way to revoke access from the client app.
Once they're in, they're hard to stop.
Access: all or nothing.
User can't remove credentials from third-party apps.
OAuth
OAuth ❏ Open standard for authorizing secure access on an HTTP service ❏ Uses tokens rather than password data to prove identity ❏ Provides "secure delegated access" to client applications ❏ Limits the user's scope of access
OAuth with Client Secret
Keep it secret. Keep it safe.
OAuth with Client Secret, the sequence between the Client App and PagerDuty:
1. Client App requests authorization with Client ID and Redirect URI.
2. User allows or denies access.
3. Auth code returned to the Client App.
4. Client App requests an Access Token with the Auth Code, Client ID and Client Secret.
5. Access Token returned.
OAuth with Proof Key for Code Exchange (PKCE)
PKCE Terms ❏ Code_verifier: random 128-byte, base64url-encoded value ❏ Code_challenge: hashed, base64url-encoded (no padding) value of the Code_verifier ❏ Challenge_method: the hash method used
OAuth with PKCE, the sequence between the Client App and PagerDuty:
1. Client App generates and saves a code verifier, then creates the code challenge.
2. Client App requests authorization with Client ID, Code Challenge, Code Challenge Method and Redirect URI.
3. User allows or denies access.
4. Auth code returned to the Client App.
5. Client App requests an Access Token with the Auth Code, Client ID and Code Verifier.
6. PagerDuty validates the code and the code verifier.
7. Access Token returned.
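The PKCE sequence above, and the client-secret sequence before it, as an added Python example that is not from the talk or from PagerDuty: both sides run in one process, the AuthServer class, client ID and URLs are constructed placeholders, the verifier is 128 base64url characters (the RFC 7636 maximum) and the challenge method is S256. The server binds the auth code to the challenge and never needs a client secret.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

def b64url(raw: bytes) -> str:
    """base64url without '=' padding, as PKCE requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_code_verifier() -> str:
    return b64url(secrets.token_bytes(96))  # 96 bytes -> exactly 128 base64url chars

def make_code_challenge(verifier: str) -> str:
    """S256: base64url(SHA-256(code_verifier)), sent on the authorization request."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def authorization_url(auth_endpoint, client_id, redirect_uri, challenge):
    """Step 2: request authorization with client ID, code challenge, method and redirect URI."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return f"{auth_endpoint}?{urlencode(params)}"

class AuthServer:
    """Constructed stand-in for the authorization server (not PagerDuty's implementation)."""
    def __init__(self):
        self._codes = {}  # auth code -> (client_id, code_challenge); no client secret involved

    def authorize(self, client_id, challenge, user_allows=True):
        """Steps 3-4: user allows or denies; on allow, return an auth code bound to the challenge."""
        if not user_allows:
            return None
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, challenge)
        return code

    def token(self, code, client_id, verifier):
        """Steps 5-7: validate the code and code verifier, then issue the access token."""
        entry = self._codes.pop(code, None)  # single use: a replayed or unknown code fails
        if entry is None or entry[0] != client_id:
            return None
        if not secrets.compare_digest(make_code_challenge(verifier), entry[1]):
            return None  # verifier does not hash to the challenge this code was bound to
        return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer"}

def run_flow(server, client_id="client-123", redirect_uri="https://app.example/callback"):
    verifier = make_code_verifier()  # step 1: generate and save the verifier
    challenge = make_code_challenge(verifier)
    authorization_url("https://auth.example/oauth/authorize", client_id, redirect_uri, challenge)
    code = server.authorize(client_id, challenge)  # the user clicks allow
    return server.token(code, client_id, verifier) if code else None
```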
Automation
How to get updates? Polling vs Webhooks
Polling: "Are you done yet?"
Webhooks: "May I have your attention, please!"
Webhook sequence: an event happens in PagerDuty, and PagerDuty sends a Webhook Message (HTTP POST) to the Client App.
Webhook Payloads: thin vs. not so thin?
Thin Payload
"Heavy" Payload
Rate Limiting: Call Limit vs Rate Limit. Call Limit: the number of times the API may be invoked in a certain time period, usually a business choice. Rate Limit: imposed for reasons of fairness, so one customer doesn't overwhelm the infrastructure and affect other customers.
Rate Limiting: Rate Limit Response. The response to the API call will say
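An added Python example of the two limits just distinguished, enforced on the API side per API key; this is constructed illustration, not PagerDuty's limiter, and the 429 response with a Retry-After header is one common way an API answers when a limit is hit. The clock is injectable so the behaviour can be exercised without sleeping.

```python
import math
import time
from collections import deque

class ApiLimiter:
    """Enforces both limits from the slide, per API key (constructed example).

    call_limit: at most this many invocations per `period` seconds (the business quota).
    rate_limit: at most this many invocations per second, so one customer cannot
    crowd out the others on shared infrastructure.
    """

    def __init__(self, call_limit, period, rate_limit, clock=time.monotonic):
        self.call_limit, self.period, self.rate_limit = call_limit, period, rate_limit
        self.clock = clock  # injectable so the behaviour can be tested without sleeping
        self._calls = {}  # api_key -> deque of timestamps inside the current period

    def check(self, api_key):
        """Return (allowed, reason, retry_after_seconds); only allowed calls are recorded."""
        now = self.clock()
        hist = self._calls.setdefault(api_key, deque())
        while hist and now - hist[0] >= self.period:
            hist.popleft()  # calls older than the period no longer count against the quota
        recent = [t for t in hist if now - t < 1.0]  # chronological, oldest first
        if len(recent) >= self.rate_limit:
            return False, "rate_limit", 1.0 - (now - recent[0])
        if len(hist) >= self.call_limit:
            return False, "call_limit", self.period - (now - hist[0])
        hist.append(now)
        return True, None, 0.0

def rate_limit_response(reason, retry_after):
    """What the API answers when a limit is hit: HTTP 429 with a Retry-After header."""
    return {
        "status": 429,
        "headers": {"Retry-After": str(max(1, math.ceil(retry_after)))},
        "body": {"error": reason, "message": f"{reason.replace('_', ' ')} exceeded, retry later"},
    }

def handle(limiter, api_key):
    """Gate one API call: a normal 200 response or the 429 built above."""
    allowed, reason, retry_after = limiter.check(api_key)
    if allowed:
        return {"status": 200, "headers": {}, "body": {"ok": True}}
    return rate_limit_response(reason, retry_after)
```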
Developer Experience
You’re comfortable working out of a code base. You’ve solved technical challenges before! But what happens when you have to reach for an API based tool? For many highly-technical engineers, public APIs are out of sight and out of mind. In this talk, we’ll cover a range of mechanisms, from OAuth to Webhooks, that you’re likely to encounter when building with a public API. You’ll leave with a newfound understanding and appreciation of public APIs, ready to go forth and connect all of the things!