API - "APIs are mechanisms that enable two software components to communicate with each other using a set of definitions and protocols. For example, the weather bureau’s software system contains daily weather data. The weather app on your phone “talks” to this system via APIs and shows you daily weather updates on your phone." https://aws.amazon.com/what-is/api/
In simple terms - "you tell a program that you don't own to run"
Advantages:
- Use the program - don't write it
- Platform independent
- Upgrade safe
- I - Interface, from where you telling the program to run
- Ex: app
- P - what task that is being done/what does the program do
- example: search, send message, etc.
- A - what software has the program being run
- WhatsApp, WAZE
Web Service - API that uses the
internet
XML, JSON format
RES, SOAP, RPC
HTTP Request (and response) contains:
- Start line
- Method
- API Program folder - optional
- Parameters - optional
- HTTP Version
- Header
- Blank line
- Body
|
Request |
Response |
Start Line |
Method API Program folder - optional Parameters - optional HTTP Version |
HTTP Version Status Code |
Headers |
General-header: These header fields have general
applicability for both request and response messages. Client Request-header: These header fields have
applicability only for request messages. Entity-header: These header fields define meta
information about the entity-body or, if no body is present, about the
resource identified by the request. |
Server Response-header: These header fields have applicability only for response messages. |
Blank line |
Divider b/w headers and body |
|
Body |
Contain: image, data, video, etc. See Header field Content-type |
|
HTTP Codes
- 1xx - Informational
- 2xx - Success
- 3xx - Redirection
- 4xx - Client
Error
- https://www.restapitutorial.com/httpstatuscodes.html
Idempotent - safe to repeat, POST is the only idempotent method
HTTP
- Stateless
- Scalable
- Resilient
XML, JSON - formats of transferring data over HHTP
XML - eXtnesible Markup Language
- HTTP Header
line: Content-Type: application/xml
- HTTP Body: XML
HTML vs XML
- Both have tags
- XML is
extensible - can add your own tags, tags are used to describe data
- HTML - tags are
pre-set, can't add
- XML was created by W3C - https://www.w3.org/XML/
- XSD - XML Schema definition, i.e. can drive your won XML format
JSON - part of Java script that transfers data
- HTTP Header: Content-Type: application/json
- HTTP Body: JSON. Uses key/Value
- Created by Douglas Crockford - https://www.json.org/json-en.html
History:
- 1980 - SUN RPC
- 1998 - XML-RPC
- 1999 - SOAP
- 2000 - REST
SOAP vs REST
- SOAP is a Protocol. REST is an Architectural Style
SOAP - Simple Object Access Protocol
- A way to access a web service using pre-defined rules
- SOAP always uses Web, HTTP
Uses WSDL - Web Service Description
Language (XML)
- Start Line:
POST WSDL HTTP Version
- Hader Line:
Context-Type: text/xml
- Blank line
- Body: XML
envelope formed using WSDL
Created by W3C - thus use of XML
NOTE: Method is never used and is defaulted to POST
REST - REpresentational State Transfer
No rules (unlike SOAP)
- Start Line -
Method is used in Start Line, ex:
- GET - Read
- POST - Create
- PUT - Update (delete and replace)
- DELETE - Delete
- This is the key
differentiator from SOAP. With SOAP need to follow WSDL, etc.
- Header Line -
All
- Blank Line
- Body - JSON, XML, Image, etc.
- Created by Roy Fielding
Stateful vs Stateless
- SOAP can be both stateful and stateless, depending on how it's implemented
- Relies in HTTP for state Handling
- REST is stateless
- Each message needs to contain all parameters needed for the program to run
|
SOAP |
REST |
Protocol vs. Architectural Style |
Protocol - strict set of rules for structuring messages
(XML) |
Architectural Style - uses web standards and HTTP
methods (such as GET, POST, PUT, DELETE) for communication. Does not mandate
strict message format like SOAP |
Message Format | Typically XML-based, verbose |
Formats vary: JSON, XML, HTML, plain text. JSON
is the most common |
Statefulness |
Can be both stateful and stateless. can be both
stateful and stateless |
Stateless. Each message needs to contain all parameters
needed for the program to run |
Standards |
Has a set of standardized protocols and specifications
- WSDL |
Does not have a single set of standards. Uses web
standards like HTTP, can have various authentication and security mechanisms. |
Performance |
Messages tend to be larger due to XML formatting
resulting more b/width use |
Messages are more lightweight - more efficient in
performance |
Ease of Use |
More complex due to the strict standards and the XML
message format; often requires specialized libraries or toolkits |
Easier to use and understand; uses simpler data formats
like JSON |
Authentication vs. Authorization
Name |
Authentication |
Authorization |
Example |
No Auth |
N |
N |
Google search |
Basic Auth |
Y |
N |
email acct |
Bearer Token |
N |
Y |
Token-based authentication mechanism. Bearer keyword a token - proof of the client's identity and permissions |
OAuth (auth on the originating app) |
Y |
Y |
WAZE app - authorize app to use your location only, not
photos, etc. |
2FA |
Y |
N |
|
Common Application Types:
- Native
- Built directly on the OS
- Accesses OS APIs
- Fastest performing
- Costly to build
- Web
- Runs within a browser
- Uses HTML - looks like a webpage
- Google, YouTube, Wikipedia
- Least costly
- Hybrid
- 1 - Has both capabilities - w/in a browser or OS calls directly
- 2 - Accesses APIs via middleware
OAuth - Open Authorization
- RFC Note 6749 - https://www.rfc-editor.org/rfc/rfc6749
- Allows 3rd party limited access to a web (HTTPS) service
- Introduces authorization layer - 3rd party gets an access token (not username/pwd)
Protocol Flow
- Client->Resource Owner: Authorization Request
- Resource Owner->Client: Authorization Grant
- Client->Auth Server: Authorization Grant
- Auth Server->Client: Access Token
- Client->Resource
Server: Access Token
- Resource Server->Client: Protected Resource
Authorization Grant Types
- Authorization
Code - request authorization from Auth Server (most used)
- Implicit
- Resource Owner
- Client
Credentials
Access Token vs Refresh Token
- Refresh Token is used to acquire a new Access Token
Client Registration
Authorization Code Grant
OpenID Connect
- A way for the client to obtain info about the Resource Owner
- Not part of RFC Note 6749
Protocol Flow
- Client->Resource Owner: Authorization Request
- Resource Owner->Client: Authorization Grant
- Client->Auth Server: Authorization Grant
- Auth Server->Client: Access Token + ID Token
- Client->Resource
Server: Access Token + ID Token
- Resource
Server->Client: Protected Resource
ID Token is usually JWT. See https://jwt.io/
Other Authentication Methods
- Basic -
Username/pwd (encrypted, base 64) over the internet; security concern
- Digest - using
a digest; need secret key to decode the digest; can be sent over HTTP
- Bearer Token - using an API using a token; token needs to be kept secured; need to use HTTPS; see RFC 6750 and https://httpbin.org/; https://pipedream.com/requestbin
Experiment
- https://docs.aws.amazon.com/apigateway/latest/developerguide/welcome.html
- Export Swagger file and import into Postman
Web Hooks
- Reverse API -
an API event that results in an event directed into Owner/Client. Ex:
suspicious logon - security SMS sent