Welcome!

Microservices Expo Authors: Pat Romanski, Elizabeth White, Liz McMillan, Stackify Blog, Andreas Grabner

Related Topics: Microservices Expo

Microservices Expo: Blog Feed Post

Following Real-Time API Design

It's such a common question: which authentication scheme to use for APIs?

It's fascinating this morning to read Steve Chamber's real-time notes on the design of his API. In particular, I was interested in the section on which authentication model to use. It's such a common question: which authentication scheme to use for APIs. Unfortunately, all too often, the answer has been to throw some standards at the problem, without really thinking about whether they make sense. This always reminds me of the world of SOAP Web Services, five years ago, when seemingly everyone wanted to use SAML for authentication of SOAP, when in actual fact SAML is not used to do direct authentication at all. SAML was just the cool technology du jour.



What Steve Chambers has done is to list out the options for API authentication and settled on (my emphasis added) Token Keys with Request Signing.
Authentication
  • HTTP Basic Authentication is ruled out (why: SSL, Logout, Client retains auth info)
  • HTTP Digest Authentication is ruled out (why: SSL)
  • Public Key Authentication is ruled out (why: complexity)
  • Credentials in Request is ruled out (why: creeds should not be passed in each Request)
  • Token Keys with Request Signing (of all headers and payload for zero collisions) are selected.
    http://viewyonder.com/apis/team-api-development/
When I saw this I thought "Yes!". That's because I remember a similar exercise two years ago which also ended in Token Keys (called API Keys in that case) being selected. In that case also, a facade pattern (using a Gateway) was employed in order to separate the API delivery and definition from the back-end infrastructure. It's interesting that in that case we also allowed SSL with HTTP Digest Auth for (as Steve calls them) "pesky humans with a browser" but the Gateway takes note of how the authentication is performed and that is taken into account in policies (the "authentication context").

The other aspect I enjoyed reading about is the REST design constraint. Steve writes:
This API is resource-based, not service-based, as per the REST design constraint.
  • You can access the team artefacts like people bios and written papers.
  • You cannot execute the “give_the_gal_a_raise()” method on a staff object
http://viewyonder.com/apis/team-api-development/
Again I thought "Yes!" because this goes back to one of my original bugbears about (firstly) heavyweight Web Services and (now) APIs. Back in the world of Web Services, initially it was seen as part of Distributed Computing and it was all about RPC. Then, Document-Literal SOAP was rightly seen as the best option, and we moved to to that model. That was a good thing. It made overlaying REST on SOAP a bit easier.

Even further back, at the risk of seeming like an old codger, this always reminds me of my early days working as a programmer for an EDI VAN in Dublin moving EDI processes to the new-fangled Internet. EDI was (and is) all about moving documents (resources) around, and updating the status of those resources (purchase orders are approved, etc). At the time in Dublin, it seemed like every other programmer was working in distributed computing (CORBA) at Iona (which I initially encountered as a campus company). That is a different world. It's the difference between doing a POST (aargh) on a method called "approve_purchase_order()" and using PUT to update the status of the purchase order resource. Much of REST is centered on the old ideas which worked, and still work, for EDI. There, I sound like an old codger now.

I'll be following Steve's notes with interest...

Read the original blog entry...

More Stories By Mark O'Neill

Mark O'Neill is VP Innovation at Axway - API and Identity. Previously he was CTO and co-founder at Vordel, which was acquired by Axway. A regular speaker at industry conferences and a contributor to SOA World Magazine and Cloud Computing Journal, Mark holds a degree in mathematics and psychology from Trinity College Dublin and graduate qualifications in neural network programming from Oxford University.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


Microservices Articles
In his session at 20th Cloud Expo, Scott Davis, CTO of Embotics, discussed how automation can provide the dynamic management required to cost-effectively deliver microservices and container solutions at scale. He also discussed how flexible automation is the key to effectively bridging and seamlessly coordinating both IT and developer needs for component orchestration across disparate clouds – an increasingly important requirement at today’s multi-cloud enterprise.
While some developers care passionately about how data centers and clouds are architected, for most, it is only the end result that matters. To the majority of companies, technology exists to solve a business problem, and only delivers value when it is solving that problem. 2017 brings the mainstream adoption of containers for production workloads. In his session at 21st Cloud Expo, Ben McCormack, VP of Operations at Evernote, discussed how data centers of the future will be managed, how the p...
In his session at 20th Cloud Expo, Mike Johnston, an infrastructure engineer at Supergiant.io, discussed how to use Kubernetes to set up a SaaS infrastructure for your business. Mike Johnston is an infrastructure engineer at Supergiant.io with over 12 years of experience designing, deploying, and maintaining server and workstation infrastructure at all scales. He has experience with brick and mortar data centers as well as cloud providers like Digital Ocean, Amazon Web Services, and Rackspace. H...
Most DevOps journeys involve several phases of maturity. Research shows that the inflection point where organizations begin to see maximum value is when they implement tight integration deploying their code to their infrastructure. Success at this level is the last barrier to at-will deployment. Storage, for instance, is more capable than where we read and write data. In his session at @DevOpsSummit at 20th Cloud Expo, Josh Atwell, a Developer Advocate for NetApp, will discuss the role and value...
DevOps is under attack because developers don’t want to mess with infrastructure. They will happily own their code into production, but want to use platforms instead of raw automation. That’s changing the landscape that we understand as DevOps with both architecture concepts (CloudNative) and process redefinition (SRE). Rob Hirschfeld’s recent work in Kubernetes operations has led to the conclusion that containers and related platforms have changed the way we should be thinking about DevOps and...
Modern software design has fundamentally changed how we manage applications, causing many to turn to containers as the new virtual machine for resource management. As container adoption grows beyond stateless applications to stateful workloads, the need for persistent storage is foundational - something customers routinely cite as a top pain point. In his session at @DevOpsSummit at 21st Cloud Expo, Bill Borsari, Head of Systems Engineering at Datera, explored how organizations can reap the bene...
Is advanced scheduling in Kubernetes achievable?Yes, however, how do you properly accommodate every real-life scenario that a Kubernetes user might encounter? How do you leverage advanced scheduling techniques to shape and describe each scenario in easy-to-use rules and configurations? In his session at @DevOpsSummit at 21st Cloud Expo, Oleg Chunikhin, CTO at Kublr, answered these questions and demonstrated techniques for implementing advanced scheduling. For example, using spot instances and co...
In his session at 20th Cloud Expo, Mike Johnston, an infrastructure engineer at Supergiant.io, will discuss how to use Kubernetes to setup a SaaS infrastructure for your business. Mike Johnston is an infrastructure engineer at Supergiant.io with over 12 years of experience designing, deploying, and maintaining server and workstation infrastructure at all scales. He has experience with brick and mortar data centers as well as cloud providers like Digital Ocean, Amazon Web Services, and Rackspace....
Skeuomorphism usually means retaining existing design cues in something new that doesn’t actually need them. However, the concept of skeuomorphism can be thought of as relating more broadly to applying existing patterns to new technologies that, in fact, cry out for new approaches. In his session at DevOps Summit, Gordon Haff, Senior Cloud Strategy Marketing and Evangelism Manager at Red Hat, discussed why containers should be paired with new architectural practices such as microservices rathe...
SYS-CON Events announced today the Kubernetes and Google Container Engine Workshop, being held November 3, 2016, in conjunction with @DevOpsSummit at 19th Cloud Expo at the Santa Clara Convention Center in Santa Clara, CA. This workshop led by Sebastian Scheele introduces participants to Kubernetes and Google Container Engine (GKE). Through a combination of instructor-led presentations, demonstrations, and hands-on labs, students learn the key concepts and practices for deploying and maintainin...