Identity Service Concept and API Management - Assignment Example

? Application Programming Interface of Affiliation Third Party Application Programming Interface Programming Q1. a. Discuss theimpact that OAuth has upon the security of third party APIs Sharing of usernames and passwords was common in the past prior the introduction of OAuth. As an emerging open-protocol technology, OAuth is embraced by several sites like Twitter, Facebook, Google, Yahoo, and other resource providers and social sites. The Open Authorization is an open-web specification used by organizations to access secured resources on their respective websites. The protocol achieves this by granting third-party application access to protected content without providing the application with credentials. Oath protocol differs with the Open ID which is a federated authentication protocol (A How-to Guide to OAuth & API Security n.d). The traditional approach in client-server authentication model required a request to access protected resource on the server by the client. Authentication provided to the server through the credentials from the resource owner enabled the third party access resources. In other words, the resource owner had to share its credentials with the third party and this created several problems and limitations such as; The credentials for the resource owner like username and password had to stored by the third party for future use by the third-party Security lapses in password storage required that servers support password authentication Resource owners lacked protection from third-party applications due to unlimited access of resources Resource owners have to change third-party’s password since they cannot revoke an individual third-party. This means that all third-parties fall prey due to revocation of an individual Any compromise of third-party application leads to compromise of end-user’s username and password. This leads to unlimited and misuse of protected data by that password. This breach in security is addressed by OAuth through an authorization layer and defining the role of the resource owner and the client (third-party). According to this protocol, the third party does not use the resource owner’s credentials to access protected resources from the server but uses an access token. The access token denotes specific scope, lifetime, and other access attributes offered to the third-party clients through an authorization server and with approval from resource owner. The access token is used by the third-party to access the protected resources hosted by resource server. The third-party APIs have a restricted use to service provided by HTTP as well as managing a handshake between applications. OAuth is a full API access control tool and security solution with a focus on API management such as user management, auditing, throttling, and threat detection. b. Give an assessment of the core issues surrounding identity and APIs APIs apply security approaches through identity, authentication, and authorization. Identification entails encryption of the person making an API request while authorization focuses on validating permission granted to API request users. Authentication confirms the API request users. API key is used to establish identity but not authentication of end users. Through the API key, organizations like Google maps and Yahoo can track their users and keep service volume under control. Identity service operations for API applies three types of service extensions. These are; OpenStack Identity Service Extension, HP Identity Service Extensions, and Rackspace Identity Service Extensions. The three service extensions apply the following Identity Service Concepts; User User is a digital representation of an end user, system, or service that uses API services like OpenStack cloud services. The identity validates the request made by the user claiming to make the call. The end users are facilitated by a log in and tokens to access resources with the option of a tenant provision or tenant ownership. Credentials Credentials refer to validation of data by the owner through proof of identity. This is achieved by providing a username matching the password, username and API key, or a token issued from resource server. Authentication Authentication is process that the end user takes to validate truth of a claim. The service confirms that that the person making the request is the person permitted to access the protected resources. After confirmation through username and password or username and API key, a token is provided to the user to validate the end user’s authentication for subsequent requests. Token This is an arbitral section of text that an end user uses to access resources from resource servers. It describes the accessible resources, and as liable to revocation or valid for a particular duration according to the resource owner’s protocol. It does not serve as a full-fledge identity store and management solution. Tenant A tenant is used to identify and group resources or identity objects. The grouping or separation depends on service operator that the tenant uses to map a customer, an account or an organization. Service A service offers several end points such as Compute (Nova), Object storage (Swift) that end users use to access resources and perform operations. Endpoint This is a network-accessible address described by a URL through which services are accessed. End templates can be used to represent templates of consumable services available in a particular region. Role A role refers to personality and end user presumes when performing certain set of tasks. For example, in OpenStack Identity Service, the token issued to the end user defines the roles the user presumes (Identity Service Concepts n.d). Q2. Web services are a key component of API development a. Appraise the different approaches to providing web services, making sure you give an assessment of the nature of each approach identified Web service is important an important component in API development because it is a software system that supports interoperable machine-to-machine interaction in a network system. The software has an interface enabled by a machine enabled format like WSDL. It is a type of API that enables third parties develops a code that interfaces with other codes. Web services are implemented through two approaches; REST or SOAP. REST REST is an architectural pattern rather than a technology, simple by itself and uses plain XML or JSON as communication medium. It combines URL patterns as a representation of underlying system and HTTP methods like GET, PUT, POST, and DELETE. The HTTP methods used maps an action type to be implemented. Successful implementation of REST starts with provision of RESTful URL mappings. The HTTP method is applied to map unique actions in the controller which can be altered by URL Mappings. The HTTP method is used to issue request such as GET or POST form a common browser through mapping with the option of defining alternative methods. JAX-RS Plugins can also be used in building web services based on Java API used in RESTful web services. SOAP Depending on approach used, several plugins are used to SOAP to support compatibility. The Contract First SOAP services apply Spring WS plugin to develop SOAP API. Other plugins include CXF that uses CXF SOAP stack, Aixs2 plugin that uses Axis2 and Metro plugin that uses Metro framework. Most SOAP integrations are compatible with APIs. b. Compare and contrast two different approaches to web service delivery (10mks). Use of SOAP has some advantages overrunning the REST approach. First, SOAP relies on Extensible Markup Language (XML) in three ways (the Envelope). The Envelope describes the content of the message, method of processing, and encoding rules for data types, and the final layout of the procedure and responses collected. The envelope is sent through HTTP/HTTPS as a transporting medium and Remote Procedure Call (RPC) is executed while the envelope is returned. The envelope returned contains information in XML format that delivers a report on the task done. Therefore, SOAP has a generic transport medium that REST lacks. REST uses HTTP/HTTPS as its only transport medium while SOAP uses any available option from the complex to the simple SMTP and JMS. SOAP’s use of XML can be disadvantageous due to XML’s verboseness and the time taken to parse. On the other hand, the two technologies stand tall in today’s market. They solve web problems and challenges, with each being used to developers bidding. This implies that the technologies work across the domain effectively. REST remains to be an architectural approach that lacks standards, easy to understand and perfectly approachable. On the other hand, SOAP is an industry standard, well defined protocol, and well established rules for implementation for both big and small systems. REST works best for limited bandwidth and resources, stateless operations, and caching situations. SOAP offers great solutions to synchronous processing an invocation, formal contracts, and stateful operations (Grails, n.d.). Q3. RPC and RESTful services are two separate approaches to web service architecture. Appraise the core principles behind these two approaches, giving a brief description of each prior to assessing their nature. Remote Procedure Call (RPC) is web service approach protocol architecture for a program to request a service from a program in a system within a network. The protocol uses client/server model whereby the requesting program is the client and the service providing program is the server. The operation is synchronous since the requesting program is suspended until results from the remote procedure are delivered. However, with the use of threads or lightweight processes, multiple RPCs can be performed concurrently. The program statements compiled into an executable program by RPC includes a stub responsible for representing the remote procedure code (Fogel 2005). As a result, the stub forwards the call to client runtime program available in the local computer when a procedure call is issued. The remote computer and server application is addressed by the client runtime program sending a message across the network requesting remote procedures. The server includes runtime program and stub that allows compatibility with the remote procedures enabling relay of results through a similar process. In the Open Systems Interconnection Model (OSI), RPC uses Transport Layer and Application Layer. Through RPC, it is easier to develop a compatible application including a multiple of programs distributed in the network. On the other hand, RESTful approach to web services refers to a web API orchestrated through HTTP and REST principles. It describes the desired web architecture that helps identify existing problems, compare alternative solutions, and offer protocol extensions compliant to other webs (Zyp 2008). RESTful aims at achieving scalability, interfaces, deployment of components, and reduce latency while enforcing security and legal systems. Through the client-server separation, complexity of connector semantics are reduced, improving tuning performance. Its layered structure paves way for intermediaries such as proxies, gateways, and firewalls. The intermediaries are introduced at various points in communication without changing interfaces of components. Such a structure creates room for communication translation and shared caching. Intermediate processing is enabled in RESTful through message constraints to allow self-descriptive messages (Rozlog 2010). Q4. a. Identify the different best practices for creating RESTful APIs. In most cases, RESTful APIs do not follow a described standard apart from the HTTP (Vinoski 2008). It is wise to develop a RESTful API that complies with the best practices in the industry to enable development and adoption by clients. Some of the best practices to adopt are; The records must be related through URLs Use First-class models Apply presenters Ensure that the responses are completed Filter the parameters and Allow authorization through Tokens (McMillan 2003). b. Relate the best practices identified in part (a) above to an example API (16mks). An example of API is the Google Geocoding API. Geocoding is a process of converting real addresses into geographical coordinates such as latitude and longitude that an end user uses to place markers on a map. Conversion of geographic coordinates into human readable addresses is called Reverse geocoding. The Google geocoding API offers a direct way of accessing such services through an HTTP request (The Google Geocoding, n.d.). Geocoding Requests The geocoding request must first relate through URL (http://maps.googleapis.com/maps/api/geocode/output?parameters). The term output in the URL may be of json or xml values. HTTP suits best for applications that have sensitive data like user’s location. Parameters could be optional or as required. The required parameters involve address that should be geocoded, or latlng or components. Sensor as parameter indicates the source of geocoding request. This could be from a device with a location sensor using true or false values. The optional parameters include; Bounds Language Region Components Geocoding Responses The output flag within the URL request path indicates geocoding responses. JSON Output Formats According to this example, the Geocoding API requests a json response in a query mode concerning the real address in question; http://maps.googleapis.com/maps/api/geocode/json?address=(real address)&sensor=true_or_false. The sensor parameter is a variable (true or false) to emphasize that it is mandatory to set the value into either one of the variables. No assumptions should be made concerning the whitespace in between the requests. The programming language used may contain less white space. The JSON response will contain two elements; status or results. Status element contains metadata relayed on the request while results element has an array of geocoded address and geometry information (The Google Geocoding, n.d.). Q5. You are to develop an application that requires a display of geographical information- locations of points of interest. Present an outline of how you would go about evaluating appropriate third party APIs to determine their suitability for your application. Illustrate your answer using an example of a third party API and justify your decision . The following steps are viable to evaluating the appropriate third party application suitable for an application; The web API in use A critical evaluation of the web API in sue should address applicability of the API and issues related to licensing of the API. Functionality of the API The requirements needed determine the functions of the API. Availability of specialist tools Too many tools make the API a hurdle to end users, therefore, only important tools should be used to make it user friendly. The programming language There are several programming languages in use. The programming language suitable for use must be a common one to enable further modifications of the API. Documentation Data concerning the appropriate API must be gathered so that an amicable integrated API is developed. Licensing conditions The licensing conditions should be clearly understood so that the end users understand the terms and conditions associated with the API. The Geocoder is a suitable API application since it enables an end user establishes geographical locations through use of an address of the name of the location in question. The API has he forward and reverse request that an end user can apply through HTTP request. It is available in several formats such as JSON, and XML, giving end users opportunity to choose their preference. It also prohibits misuse by the end user by setting the limit and end user is allowed to access it. Any misuse of the API through excess requests on a daily basis leads to redundancy or blockage of the API to the end user (The Google Geocoding, n.d.). Bibliography A How-to Guide to OAuth & API Security, n.d. Available from . [16 August 2013]. Fogel, K. (2005). Producing open source software, O’Reilly. Available from . [16 August 2013]. Grails, n.d. Web servers- Reference Documentation. Available from . [16 August 2013]. The Google Geocoding API, The Google Maps API Web Services. Available from . [16 August 2013]. . [16 August 2013]. Identity Service Concepts, n.d. Available from . [16 August 2013]. McMillan, R. (2003). A RESTful Approach to Web Services. Available from . [16 August 2013]. Rozlog, M. (2010). REST and SOAP: When Should I use each (or Both)? Available from . [16 August 2013]. Vinoski, S. (2008) RPC and RSET: Dilemma, Disruption, and Displacement. Internet Computing, IEEE. Vol. 12, Issue No. 5. Available from . [16 August 2013]. Zyp, K. (2008). Rest and RPC Relationship. Available from . [16 August 2013]. Read More