Kirsten Jones, Technical Leader, Cisco Systems. For application developers curious about using REST and wanting help debugging the system (not REST API architects).

Posted on 26-Mar-2015

Slide 1
Kirsten Jones, Technical Leader, Cisco Systems

Slide 2
Application Developers
Curious about using REST
Wanting help debugging the system
Not REST API Architects (sorry!)

Slide 3
HTTP Overview
REST Web Services
OAuth Authentication Basics
REST Debugging

Slide 4
HyperText Transfer Protocol
Used for conversations between web clients and servers
Most of the internet uses HTTP
Supports verbs for GET, PUT, POST, DELETE
Query parameter framework

Slide 5
Client sends a request: Method, URL, Headers, (sometimes) parameters, (sometimes) body
Server replies with a response: Content, Status, Headers

Slide 6
HTTP response codes for dummies. 50x: we fucked up. 40x: you fucked up. 30x: ask that dude over there. 20x: cool.
Props to @DanaDanger for this

Slide 7
Headers: generally meta-information about the request. For instance: requesting an image in a specific format.
Parameters: limit or describe how you want the resource (searches, filters). Define the resource you're requesting.

Slide 8
Request (client) Accept: "Give me this kind of response. Here's a list in order of what I'm hoping you'll send."
Accept: text/html,application/xhtml+xml,application/xml
Response (server) Content-Type: "This is the kind of response I'm sending you."
Content-Type: text/html; charset=UTF-8

Slide 9
Part of the URL: everything after the question mark, delimited by ampersands
=that&foo=bar

Slide 10
Chrome browser sends a request to Google
Method: GET
URL:
Headers:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Connection: keep-alive
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.168 Safari/535.19
Accept-Encoding: gzip,deflate,sdch
Cookie: NID=59=EudJ2a15ql8832PCysQA0qchtuvGWMoA7rkp79VpIYAQ8-j42IO17LFudCYNMXm9l6SHcu3YgrGRCdrRCyM468xPZaOek4Pi-AXQ8eARqU1SGYx6y7_9LW-c3HHb-vs2; PREF=ID=994f8de0e8b39a5b:U=237805f1f710dc73:FF=0:TM=1336752507:LM=1336752509:S=W0Hha7x4czdXp51U
Host:

Slide 11
Google sends a response
Headers:
Content-Length: 24716
Content-Encoding: gzip
Set-Cookie: NID=59=F48kbwfwOi-qCHJyrnMSUlDBVxK-ZVKZpq5B5jttt_25IRN4lS-0rQcVttq-dnOIlQzafw1i4HPQAO0RpZ7NuC0WCKWta7SYoekx0--YGf2zIFZ9VXIKS-_UEaOH9iBe; expires=Sat, 10-Nov-2012 21:26:46 GMT; path=/;; HttpOnly
Expires: -1
Server: gws
X-XSS-Protection: 1; mode=block
Cache-Control: private, max-age=0
X-Frame-Options: SAMEORIGIN
Content-Type: text/html; charset=UTF-8
Date: Fri, 11 May 2012 21:26:46 GMT
Content: A bunch of HTML
Status: 200

Slide 12
Some browsers provide tools to view HTTP traffic
Great for understanding what your browser is doing
Tracking programmatic traffic requires a separate tool

Slide 13
Macintosh: HTTPScoop
Macintosh: Charles (supports SSL)
Windows: Fiddler
Unix (or Mac): Wireshark (X11)

Slides 14-17 (screenshots; titles only): Request, Headers, Request/Response

Slide 18
Uses URL paths to define resources
Create, Read, Update, Delete: POST, GET, PUT, DELETE
Error codes: HTTP status codes
Request parameters: query parameters
Response types and configuration: headers

Slide 19
Blog Info from Tumblr
GET (read)
Requires api_key sent as parameter

Slides 20-22 (screenshots; titles only): Headers, Request/Response

Slide 23
Status: 200
Content:
    {"meta": {"status":200, "msg":"OK"}, "response":{"blog":{"title":"Untitled","posts":0, "name":"synedra", "url":"http:\/\/\/", "updated":0, "description":"","ask":false,"likes":0}}}

Slide 24
Used by many APIs
Each application gets a consumer key and secret
Authentication server handles authentication
Each user of an application gets a unique user token and secret
Supports tracking of application/member use of the API
Allows users to protect username/password
Industry standard libraries for most programming languages

Slide 25
REST web services call adds a verification signature to each request, as query parameters or in the Authorization header
Secrets are used to create the signature
Authentication server checks the signature to verify that it was created using the shared secrets
If authentication succeeds, the request is processed by the API server

Slide 26
Signature is generated based on: URL, parameters, consumer key, user token
mj7l5rSw0yVb%2FvlWAYkK%2FYBwk%3D&oauth_nonce=6283929&oauth_timestamp=1336775605&oauth_consumer_key=***KEY***&oauth_signature_method=HMAC-SHA1&oauth_version=1.0&oauth_token=***TOKEN***&oauth_signature=CqHiZI6tI3pQGe5a0vVgoT0822A%3D

Slides 27-29 (screenshots): Request; Headers (nothing special); Request/Response

Slide 30
Signature is generated based on: URL, parameters, consumer key, user token
URL is unchanged:
Authorization header has the oauth stuff:
OAuth realm="", oauth_body_hash="JtgCKBurLIPLM4dXkn2E3lgrfI4%3D", oauth_nonce="60723468", oauth_timestamp="1336776657", oauth_consumer_key="***KEY***", oauth_signature_method="HMAC-SHA1", oauth_version="1.0", oauth_token="***TOKEN***", oauth_signature="8iWVpIK3LhRbu8JPf2gzC1YxQy4%3D"

Slide 31
No authorization parameters

Slide 32
Authorization is in the header

Slide 33
Request/response works the same

Slide 34
Download the oauth2 package from github
No, it's OAuth 1.0a, ignore the name
Quick walkthrough to understand the process (but this talk is not about OAuth)

    import oauth2 as oauth

    # Application credentials issued by the API provider
    consumer_key = 'xxxxxxxxxxxxxx'
    consumer_secret = 'xxxxxxxxxxxxxx'
    consumer = oauth.Consumer(consumer_key, consumer_secret)
    client = oauth.Client(consumer)

Slide 35
First step in OAuth: get a request token for this authorization session
OAuth library handles signing the request

    import urlparse
    import oauth2 as oauth

    consumer_key = 'xxxxxxxxxxxxxx'
    consumer_secret = 'xxxxxxxxxxxxxx'
    consumer = oauth.Consumer(consumer_key, consumer_secret)
    client = oauth.Client(consumer)

    # request_token_url is the provider's request-token endpoint
    resp, content = client.request(request_token_url, "POST")
    request_token = dict(urlparse.parse_qsl(content))

Slide 36
Second step: send the user to the server to authorize your application
After the user authorizes your application, the server returns a verification code for you to use

    print "Go to the following link in your browser:"
    print "%s?oauth_token=%s" % (authorize_url, request_token['oauth_token'])

    accepted = 'n'
    while accepted.lower() == 'n':
        accepted = raw_input('Have you authorized me? (y/n) ')
    oauth_verifier = raw_input('What is the PIN? ')

Slide 37
Third step: use the verifier and the request token to get an access token
This is usually a long-lived token

    token = oauth.Token(request_token['oauth_token'], request_token['oauth_token_secret'])
    token.set_verifier(oauth_verifier)
    client = oauth.Client(consumer, token)

    resp, content = client.request(access_token_url, "POST")
    access_token = dict(urlparse.parse_qsl(content))

Slide 38
Make an API call using the OAuth library
The library handles the signature generation

    url =   # the API endpoint (value not captured on the slide)
    consumer = oauth.Consumer(key="XXXXX", secret="XXXXX")
    token = oauth.Token(key="XXXXX", secret="XXXXX")
    client = oauth.Client(consumer, token)

    resp, content = client.request(url)

Slide 39
Use the documentation and resources provided by the platform team: consoles, IODocs, OAuth signature checkers
Use existing, tested libraries
Code defensively

Slide 40
401 authentication errors (signatures, tokens)
403 authorization errors (throttles, permissions)
400 errors: parameters, headers
Library out of sync with API

Slide 41
Try building the request using just the OAuth library
Find someone else's code that works
HTTP servers aren't that smart

Slide 42
HTTP: Hypertext Transfer Protocol
REST: REpresentational State Transfer
OAuth: Authentication
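Slides 25, 26 and 30 describe the HMAC-SHA1 signature that travels as query parameters or in the Authorization header, and slide 40 notes that a bad signature comes back as a 401. The Python 3 block below is an added example, not code from the talk or from the oauth2 library: it builds the RFC 5849 signature base string, signs it with the consumer and token secrets, renders the slide 30 style header, and runs the server-side check that compares the presented signature with a recomputed one. The URL, key, token and secrets are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def enc(value):
    """RFC 5849 percent-encoding: only unreserved characters stay bare."""
    return quote(str(value), safe="-._~")

def normalize_url(url):
    """Lower-case scheme and host, drop default port, query and fragment."""
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
    if parts.port and parts.port != DEFAULT_PORTS.get(scheme):
        host = "%s:%d" % (host, parts.port)
    return "%s://%s%s" % (scheme, host, parts.path or "/")

def signature_base_string(method, url, params):
    """METHOD&enc(url)&enc(sorted k=v pairs); oauth_signature is excluded."""
    pairs = sorted((enc(k), enc(v)) for k, v in params.items()
                   if k != "oauth_signature")
    param_string = "&".join("%s=%s" % kv for kv in pairs)
    return "&".join([method.upper(), enc(normalize_url(url)), enc(param_string)])

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with enc(consumer)&enc(token)."""
    key = ("%s&%s" % (enc(consumer_secret), enc(token_secret))).encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def verify(method, url, params, consumer_secret, token_secret=""):
    """Server side: recompute from the shared secrets, compare in constant time."""
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(params.get("oauth_signature", ""), expected)

def authorization_header(params, realm=""):
    """Render the oauth_* parameters as an Authorization: OAuth header (slide 30)."""
    items = ['realm="%s"' % enc(realm)]
    items += ['%s="%s"' % (enc(k), enc(v)) for k, v in sorted(params.items())
              if k.startswith("oauth_")]
    return "OAuth " + ", ".join(items)

# Constructed sample request; the key, token and secrets are placeholders.
SAMPLE_URL = "http://api.example.com:80/blog?foo=bar"
SAMPLE_PARAMS = {"foo": "bar", "oauth_consumer_key": "KEY", "oauth_nonce": "6283929",
                 "oauth_timestamp": "1336775605", "oauth_signature_method": "HMAC-SHA1",
                 "oauth_token": "TOKEN", "oauth_version": "1.0"}
```

Any change to the method, URL, a query parameter or either secret changes the recomputed value, which is why a 401 on a signed call is best debugged by comparing your base string with the one a signature checker produces.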