4. Common Design Challenges Flashcards
What are authentication and authorization commonly abbreviated as?
AuthN and AuthZ respectively.
What can authorization depend on?
- Identity
- Group membership
- Subscription level
- Context (time of day, location, device)
- Actions attempted
- …
What are the three most common API patterns for implementing authentication and authorization?
- API Keys
- Create Your Own Protocol
- OAuth 2.0
What are the benefits and drawbacks of using API Keys as a method of authentication and authorization?
Benefits:
- Framework and programming language agnostic
- Easy to add as a header or even to the URL
Drawbacks:
- URLs are convenient but logged everywhere (not a secret)
- Not easy to update/rotate if compromised
What are the benefits and drawbacks of creating your own protocol for authentication and authorization?
Benefits:
1. None! Do not do this under any circumstances, EVER
Drawbacks:
- Untested, unproven, and supported only by us
- Everyone needs training on it
- No supporting tools, ecosystems, or libraries
What is OAuth 2.0?
It’s an authorization protocol. It doesn’t define how you authenticate, just that you must authenticate with a trusted entity. The access token you then get back describes or internally maps to a description of what actions you are or are not allowed to perform.
What is the recommended API pattern for implementing authentication and authorization?
OAuth 2.0
What are the benefits and drawbacks of using OAuth 2.0 as the method of authentication and authorization in your APIs?
Benefits:
- Reliable and well-established
- Massive ecosystem
- Open-source and commercial options
Drawbacks:
1. Complicated and not easy to implement the first time
What are the two primary schools of thought for versioning an API, and what is the high-level practical difference between them?
- Versioning via Resource URL
- Versioning via Accept Header
Resource URL is easier and more explicit, whereas Accept Header is “proper.”
What does the Accept header specify in an HTTP request?
It specifies the formats that the client understands and asks the API to give back. This is called content negotiation.
What is content negotiation, and what are its three levels?
It’s the process of establishing the markup/notation for an API endpoint to return. This is done via the Accept header and is usually established as XML or JSON.
At the next level, the media type may also be established, which practically means the structure of the markup (XML/JSON).
At the third and final level, the version of the media type and the resource may also be established.
What is a media type in the context of content negotiation?
A well-defined structure that both the client and the server know how to handle.
What are the benefits and drawbacks of using the URL for API versioning?
Benefits:
- Clear and explicit
- Nothing is lost when you copy and paste
Drawbacks:
1. Is not considered “pure”
What are the benefit and the drawback of returning key-value pairs such as JSON from API endpoints?
Benefit:
It’s incredibly easy to consume.
Drawback:
It becomes harder to extend and impossible to add detail about the data as it gets more and more complex.
What are media types in the context of API responses?
Media types allow us to use a commonly structured JSON file to move data back and forth.