REST APIs and OAuth 2.0



Mike Peat
28-Sep-2015, 10:37 AM
In recent years the use of RESTful (https://en.wikipedia.org/wiki/Representational_state_transfer) APIs (https://en.wikipedia.org/wiki/Application_programming_interface) has become pervasive, supplanting XML/SOAP web services as the integration mechanism of choice for most service providers.

The range of these APIs is vast: almost every major player in web-delivered services now exposes large areas of their functionality through them. Google, Microsoft, Facebook, Amazon, eBay, SalesForce, Yahoo, PayPal, Wikipedia... the list could go on... a lot.

Access to such services obviously requires authentication and authorization to prove that the owner/user of the data or services approves of allowing a given application to make use of, and possibly modify, them. Although there remains some support for user-name/password based authentication, most service providers now use (and only use) the OAuth (https://en.wikipedia.org/wiki/OAuth) mechanism, most commonly the current version of the protocol: OAuth 2.0 (http://oauth.net/2/). OAuth is described as a mechanism for providing "secure delegated access" to the owner/user's resources. To quote Wikipedia, OAuth "specifies a process for resource owners to authorize third-party access to their server resources without sharing their credentials" - essentially users of an application can grant it access to their stuff without ever giving it their password (or other credentials).

For this reason support for OAuth 2.0 rather represents the "keys to the kingdom" in the business of integrating third-party RESTful services into your applications. The first step in getting your application to work with a given provider's REST interface is to successfully manage their OAuth mechanism. This will usually involve first signing up and registering your application with the provider, in return for which you (the developer) will be issued with a "Client ID" (which uniquely identifies your application to the provider) and a "Client Secret" (sometimes called a "Key") which are then used in the process of allowing the user/owner to grant your application access (frequently limited in both time and scope) to their resources via an Access Token (https://en.wikipedia.org/wiki/Access_token).

Once this hurdle is overcome, performing operations on the API becomes simply a matter of making the appropriate HTTP calls, while providing the "Access Token" in each to prove that your application has the right to do so.

RESTful APIs generally make use of the HTTP (https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol) verbs (https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol#Request_methods) GET, POST, PATCH, PUT and DELETE to perform functions which are analogous to database CRUD (https://en.wikipedia.org/wiki/Create,_read,_update_and_delete) (Create, Read, Update and Delete) operations. GET performs read operations, POST (and sometimes PUT) creates, DELETE obviously deletes, while update operations use PATCH (or sometimes POST). By far the commonest data interchange format is JSON (http://www.json.org/), although some providers continue to support others such as XML.

The purpose of this sub-forum is to make such capabilities available to DataFlex developers (essentially web developers, since the mechanism relies on the use of a web browser and the DataFlex web framework). Here you will find libraries which you can download and link to from your own DataFlex project workspaces which will allow you to build these capabilities into your web applications. In addition there are demonstration sample applications and links to documentation to help guide you through the whole process.

These capabilities are only available in versions of DataFlex starting with 18.1, because prior to that there was no support for HTTP verbs other than GET and POST. The UChar array functions, new in DF 18.1, also play an important part in handling the large amounts of data which can be involved in some operations, as well as providing a reliable mechanism for dealing with those that work with binary data.

Mike
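The registration-and-token sequence described in the post above (Client ID and Client Secret issued at registration, the user granting access, an Access Token coming back, and that token being sent on every REST call), as an added Python example that is not part of this post or of the DataFlex libraries the forum hosts. The provider endpoints, client credentials and redirect URI are constructed placeholders; the functions only build and parse the messages, so the block runs offline.

```python
import json
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample endpoints and client registration (placeholders, not a real provider).
AUTHORIZE_URL = "https://provider.example/oauth2/authorize"
TOKEN_URL = "https://provider.example/oauth2/token"
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"  # stays on the server; never ships to the browser
REDIRECT_URI = "https://myapp.example/oauth/callback"


def build_authorization_url(scope, state=None):
    """Step 1: URL the user is sent to in order to grant access. The random 'state'
    is kept in the session and checked on return, so a forged callback carrying
    someone else's authorization code cannot be bound to this user's session."""
    state = state or secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": scope, "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state


def parse_callback(callback_url, expected_state):
    """Step 2: provider redirects back with ?code=...&state=...; reject a state mismatch."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discarding callback")
    if "error" in qs:
        raise ValueError(f"authorization denied: {qs['error'][0]}")
    return qs["code"][0]


def token_request(code):
    """Step 3: form body POSTed server-side to exchange the one-time code for a token."""
    return TOKEN_URL, {"grant_type": "authorization_code", "code": code,
                       "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
                       "client_secret": CLIENT_SECRET}


def parse_token_response(body):
    """Step 4: read the JSON token response; accept only a bearer token."""
    data = json.loads(body)
    if "access_token" not in data:
        raise ValueError(f"token error: {data.get('error', 'unknown')}")
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError(f"unexpected token_type {data.get('token_type')!r}")
    return data["access_token"], data.get("expires_in"), data.get("refresh_token")


def api_headers(access_token):
    """Step 5: every REST call (GET/POST/PATCH/PUT/DELETE) carries the token."""
    return {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}
```

The one thing the post's summary glosses over and the code makes explicit is the `state` check: the callback is only trusted when it carries the value this session issued.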

Mike Peat
28-Sep-2015, 12:12 PM
Note: This forum has been running as a limited access private forum since August, which is why you will see there are a number of threads already. It is now fully open.

Mike