soleil
Uploaded by
31 SLIDES
446 VUES
310LIKES

Designing API-Enabled Applications

DESCRIPTION

APIs are essential for modern business applications, but creating a good API is challenging. This guide covers key principles for designing effective APIs, including providing valuable services, ensuring simplicity and flexibility, managing and measuring performance, and offering excellent developer support. Explore common pitfalls such as poor documentation, complex security, and inadequate error handling. Learn about RESTful design, resource management, and authentication strategies to build robust APIs that meet user needs. Whether you're a beginner or experienced developer, this resource is invaluable.

1 / 31

Télécharger la présentation

Designing API-Enabled Applications

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Designing API-Enabled Applications Colin Bowern ATC313

  2. APIs are all the rage these days…

  3. APIs are everywhere too…

  4. APIs are the gateway to your business

  5. Creating a Good API is HARD! • Provide a valuable service • Have a plan and a business model • Make it simple, flexible and easily adopted • It should be managed and measured • Provide great developer support Want to know more? John Musser’s OSCON 2012 talk covers these points in detail: colinb.me/GreatOpenAPI

  6. Signs You May Be Doing It Wrong • Assume if you build it they will come • Exposes raw underlying data model • Complex or proprietary security implementation • HTTP-based APIs that ignore HTTP semantics • Poor error handling • Poor documentation • Unexpected and undocumented releases • Inadequate support • Expect an MVC framework “gives” you a great API

  7. It's not enough to write tests for an API you develop; you have to write unit tests for code that uses your API. When you do, you learn first-hand the hurdles that your users will have to overcome when they try to test their code independently. Michael Feathers, 97 Things Every Programmer Should Knowcolinb.me/GoldenRuleOfApiDesign

  8. Choosing an API Style • RPC – Request handled by specific procedure using a set of parameters • Message – Service determines whatprocedure will fulfill request based oncontents and context • Resource – Operations are performed on service resources (data entitles, business processes) We’ll focus on this today

  9. Demo Hello API!

  10. Planning your Resource URLs • Generally speaking: • Rarely go beyond two collections deep • Always provide absolute URL references

  11. Handling Requests

  12. PATCH vs. POST to Initiate Process • How do you handle actions on a resource (e.g. initiating state change requests)? • Recall that REST ≠ CRUD • Option 1: PATCH /Tasks/1 { Status: ‘Complete’ } • What happens if caller includes other changes? • Option 2: POST /Tasks/1/Complete • Do the hypermedia thing and expose it in the GET response: <task id="1"> ... <link rel="MarkComplete" method="POST" href="/Tasks/1/Complete" /> </task>

  13. Returning Useful Results

  14. Sidebar: Redirection the Right Way • Many user agents handle 302s the same was they do 303s • 307 introduced to allow proper temporary redirects • Avoid 302s in favour of 307

  15. Versioning • Version Header –RFC 4229 identifies Version header to describe what caller is expecting • Proxies may strip out header values • Content Negotiation – Accept header describes structure version (e.g. Accept: application/vnd.tasks.v1+json) • Could end up creating a lot of media types, unregistered ones discouraged • Have to handle ordering, wildcards, and quality factors • URL Versioning – Bakes version into resource locator • Makes “permalinks” are impossible to store for other systems • How do you redirect outdated clients? • Omitting version = latest version?

  16. Are we RESTful yet? • Leonard Richardson’s model helps us think about the tenants of resource APIs • Use it as reference point rather than dogma • Martin Fowler explains:colinb.me/RESTModel • Adding hyperlinks to Web API resources: colinb.me/HATEOSWebApi

  17. Managing Access

  18. If you API needs authentication, then make TLS (aka SSL vNext) required. Period.

  19. Establishing Authenticated Sessions • Basic – username and password • Base 64 encoded in the HTTP header – not encrypted! • API Key – shared secret • Proprietary, simple, revocable • Can be stored in header, query string, or body • Works great for service-to-service interaction • HMAC-based keys discussed on StackOverview: colinb.me/HMACWebApi • OAuth– delegation of service access for applications • The “valet key” of authentication - designed for user-app-service interaction • Watch for Open ID Connect to enrich OAuth 2.0 for additional scenarios Go deep on authentication: colinb.me/SecureWebApi

  20. Three Leg Auth: User-App-Service Application 2 1 5+6 4 User Service 3

  21. Two Leg Auth: Application-Service Application 1 3 2 Service

  22. Demo Securing Your API

  23. Caching Proxy Application Browser Gateway

  24. Picking an HTTP Caching Approach • Do Nothing • Expiration • Expires – absolute date/time in response • Max-Age – number of seconds to wait between requests • Validation • Last-Modified – compare last state change date and only send full response if it has been modified since the absolute date • ETag– compare unique identifier for resource state and only send full resource if it does not match the current state Better explained at colinb.me/HttpCaching

  25. Controlling Cache Behavior • Cache-Control response header dictates how to handle future requests • Public – anyone can cache the response • Private – only user agent can cache response (response is specific to single user) • No-Cache – always check with origin server before assuming cached copy is valid • No-Store – don’t store the response under any conditions • Must-Revalidate – check in with server once freshness expires • Proxy-Revalidate – similar to above, targeting proxy caches • Remember: caches aren’t requiredto obey headers. 

  26. Demo Encouraging Responsible Caching

  27. API Tooling Ecosystem

  28. Useful Resources • ASP.NET Web API • asp.net/web-api • REST in Practice • restinpractice.com • Service Design Patterns • servicedesignpatterns.com • How to Design Good APIs • colinb.me/DesignGoodAPI • API Best Practices • colinb.me/APIBestPractices • Usable APIs in Practice • colinb.me/UsableAPIs • The Web API Checklist • colinb.me/ApiChecklist

  29. Related content • Positioning & chioces on Microsoft Development Technologies for Enterprise Applications Developing Connected Apps with Windows Azure Mobile Service: Overview Securing cloud applications with Windows Azure Active Directory

  30. Resources Learning • Sessions on Demand • Virtual Academy http://channel9.msdn.com/Events/TechEd/Australia/2013 http://www.microsoftvirtualacademy.com/ Developer Network TechNet • Resources for IT Professionals • Resources for Developers http://technet.microsoft.com/en-au/ http://msdn.microsoft.com/en-au/

More Related