Presentation: Tweet"REST: from GET to HATEOAS, or how to create great REST APIs"
REST is slowly becoming the standard way to expose APIs for your application. Whether it's an internally used application or a high-available cloud based service, REST APIs are often the way to go. There are many frameworks out there that help you in building REST APIs: Rails, Play, JAX-RS etc. But, by just exposing your resources using the standard HTTP verbs, you aren't there yet. Building a great REST API that will be easy to use by your clients, is secure, supports links and can be easily maintained (e.g versioned), is more involved. This session will explain how you can create a easy to use, secure REST API using HATEOAS (Hypermedia as the Engine of Application State), link relations and a HMAC based authentication scheme. This session will show, using a concrete example, how to get your REST API to the next level. This session doesn't show how to implement these schemes with a specific framework, but focusses on how to use and apply these concepts in a practical example and how your clients will interact with your API.
Rough presentation outline:
- Introduce REST: very short introduction into what REST is.
- What is Richardson Maturity Model: Explanation of what the RMM is, and the various level. Explain that most of the APIs are currently at level 2, focussing on exposing state, not behavior.
- What is HATEOAS?: Introduce people into HATEOAS, what it is, how it works, and the advantages it presents.
- Thinking in usecases not in data: With HATEOAS (and linking) we can start thinking about usecases instead of data, show how we can implement this using 'links' together with mediatypes. This will also show how easy it is for your client to interact with your API.
- Versioning without the breaking: When using HATEOAS, versioning becomes simpler. Show the different approaches, advantages and disadvantages.
- HTTPS isn't enough; securing REST APIs: The final part of the presentation shows an oft overlooked aspect of REST API design security. HTTPS is a valid option in a lot of cases, but it only secures the transport, not the message. There is no standard way of adding message level security in REST (unlike WS-Security for SOAP based services). Using an HMAC based authentication scheme, just like Amazon and Google do, you can add message level security to your services in a 'de facto' standard way.
- Parting guidelines: If you forget everything I said in this talk, at least try to remember these pointers when creating a REST API.
Keywords: REST, HATEOAS, Richardson Maturity Model, HMAC, Architecture,
Target Audience: Medior, Senior. They should know what the basic idea behind REST is.