💡 API: you tell (Interface) a program (P) to run in an application (A)
💡 HTTP: Hypertext Transfer Protocol
| | What the Request carries | What the Response carries |
|---|---|---|
| Start Line | Method (GET, POST, PUT, DELETE), API path (/search), parameters (?q=tuna), version (HTTP/1.1). Example: GET /search?q=tuna HTTP/1.1 | Version (HTTP/1.1), status code (200 OK). Example: HTTP/1.1 200 OK |
| Headers | Host (www.google.com), Cookie, Authorization, Content-Type and more… (one header per line; see https://en.wikipedia.org/wiki/List_of_HTTP_header_fields) | Date, Set-Cookie (may appear several times), Content-Type, Server and more… |
| Blank Line | separates the headers from the body | |
| Body | Content sent to the API (POST, PUT): username, password… | Content returned by the API |
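The table above as running code: an added example (not from the original notes) that splits a raw HTTP/1.1 request and response into start line, headers, blank line and body, then decodes the start line of each. The two sample messages are constructed for this example; header names are lower-cased because HTTP header names are case-insensitive, and repeated headers such as Set-Cookie are kept as a list rather than overwritten.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs

# Status classes from the notes: first digit of the code decides the class
STATUS_CLASSES = {1: "Informational", 2: "Success", 3: "Redirection",
                  4: "Client error", 5: "Server error"}


@dataclass
class HttpMessage:
    start_line: str
    headers: dict = field(default_factory=dict)  # lower-cased name -> list of values
    body: bytes = b""


def parse_message(raw: bytes) -> HttpMessage:
    """Split a raw HTTP message at the blank line (CRLF CRLF) into its four parts."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no blank line: message head is incomplete")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    # Trust Content-Length, not however many bytes happened to arrive
    length = int(headers.get("content-length", ["0"])[0])
    if len(rest) < length:
        raise ValueError("body shorter than Content-Length")
    return HttpMessage(lines[0], headers, rest[:length])


def parse_request_line(start_line: str):
    """'GET /search?q=tuna HTTP/1.1' -> (method, path, query params, version)."""
    parts = start_line.split(" ")
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {start_line!r}")
    method, target, version = parts
    url = urlsplit(target)
    return method, url.path, parse_qs(url.query), version


def parse_status_line(start_line: str):
    """'HTTP/1.1 200 OK' -> (version, code, reason, status class)."""
    parts = start_line.split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {start_line!r}")
    version, code = parts[0], int(parts[1])
    reason = parts[2] if len(parts) == 3 else ""
    return version, code, reason, STATUS_CLASSES.get(code // 100, "Unknown")


# Constructed sample messages (a login POST and the 401 it gets back)
LOGIN_BODY = b'{"username": "alice", "password": "pw"}'
SAMPLE_REQUEST = b"\r\n".join([
    b"POST /login HTTP/1.1",
    b"Host: www.example.com",
    b"Content-Type: application/json",
    b"Content-Length: %d" % len(LOGIN_BODY),
    b"",
    LOGIN_BODY,
])

RESPONSE_BODY = b'{"error": "invalid credentials"}'
SAMPLE_RESPONSE = b"\r\n".join([
    b"HTTP/1.1 401 Unauthorized",
    b"Date: Mon, 01 Jan 2024 00:00:00 GMT",
    b"Server: demo",
    b"Set-Cookie: session=abc; HttpOnly",
    b"Set-Cookie: lang=en",
    b"Content-Type: application/json",
    b"Content-Length: %d" % len(RESPONSE_BODY),
    b"",
    RESPONSE_BODY,
])

if __name__ == "__main__":
    req = parse_message(SAMPLE_REQUEST)
    print(parse_request_line(req.start_line), req.headers, req.body)
    resp = parse_message(SAMPLE_RESPONSE)
    print(parse_status_line(resp.start_line), resp.headers["set-cookie"])
```

The Content-Length check matters in practice: a parser that takes "everything after the blank line" as the body will disagree with one that honours Content-Length, and that disagreement is what request-smuggling attacks exploit.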
100s: Informational
200s: Success
300s: Redirection
400s: Client errors
500s: Server errors
What content types can an HTTP body carry?
→ Data, images, web pages/HTML, audio, video, etc.
What content types are used to send/receive data (text information)?
→ XML, JSON
APIs don't have to follow web/HTTP rules. If the API is a web service, the data is returned in a format that can travel over the web/HTTP: JSON, XML, or any other format that HTTP can carry. The most popular formats are JSON and XML.
HTTP is stateless by default: the server keeps no memory of earlier requests, so each request has to stand on its own. Both REST and SOAP run over HTTP.
REST (Representational State Transfer): everything the application needs to produce a response is carried in the request itself. REST expresses the operation with the HTTP method in the start line (GET, POST, PUT, DELETE).
SOAP (Simple Object Access Protocol): an XML-based messaging protocol; the operation and its parameters are described in an XML envelope carried in the HTTP body rather than by the HTTP method.
If HTTP is stateless, how do applications remember?
→ Cookies, carried in the header lines
If a session ID is stored in a cookie and exchanged between the application and the client on every request, the session can continue across requests.
HTTP Security
- Cookies don't store passwords (tokens can be used instead)
- Applications keep the data on the server, keyed by session ID (e.g. an application can associate a client IP address with a session ID)
- Multi-factor authentication
- Scalability: the application server doesn't need any memory of earlier requests, so you can keep adding application servers to meet demand
- Resilience: multiple load balancers
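The session-cookie mechanism from the two sections above, as an added example (not code from the original notes): the server issues a random session ID in a Set-Cookie header, keeps the user data on its side keyed by that ID, and on later requests resolves the Cookie header back to a user. It also shows the security points listed above: no password ever sits in the cookie, the session record is bound to the client IP it was created from, and the store lives outside the request handler so any application server can answer the next request. The user table, salt and IP addresses are constructed for the example.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed user table holding password hashes, never plaintext.
# (One shared salt for brevity; real code stores a random salt per user.)
_SALT = b"demo-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"alice": _hash("correct horse battery")}

# Server-side session store: session_id -> data. The client only ever holds the ID.
# In production this is a shared store (e.g. Redis) reachable from every app server.
SESSIONS = {}


def check_password(username: str, password: str) -> bool:
    stored = USERS.get(username)
    candidate = _hash(password)  # always hash, so unknown users cost the same time
    return stored is not None and hmac.compare_digest(stored, candidate)


def login(username: str, password: str, client_ip: str) -> str:
    """Verify credentials and return the Set-Cookie header value to send back."""
    if not check_password(username, password):
        raise PermissionError("bad credentials")
    session_id = secrets.token_urlsafe(32)  # 256 random bits: unguessable
    SESSIONS[session_id] = {"user": username, "ip": client_ip}
    # HttpOnly: page scripts can't read it; Secure: HTTPS only;
    # SameSite=Lax: not sent on cross-site POSTs
    return f"session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


def current_user(cookie_header, client_ip: str):
    """Resolve the Cookie request header to a username, or None if no valid session."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get("session")
    if morsel is None:
        return None
    record = SESSIONS.get(morsel.value)
    # The note's example: a session is tied to the IP it was created from
    if record is None or record["ip"] != client_ip:
        return None
    return record["user"]


def logout(cookie_header) -> str:
    """Drop the server-side record and tell the browser to delete the cookie."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get("session")
    if morsel is not None:
        SESSIONS.pop(morsel.value, None)
    return "session=; Max-Age=0; Path=/"


if __name__ == "__main__":
    set_cookie = login("alice", "correct horse battery", "203.0.113.5")
    cookie = set_cookie.split(";")[0]  # what the browser sends back: "session=<id>"
    print(set_cookie)
    print(current_user(cookie, "203.0.113.5"), current_user(cookie, "198.51.100.9"))
```

Invalidating the server-side record on logout is the part people forget: deleting only the browser cookie leaves a stolen session ID usable until it is removed from the store.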
XML: Extensible Markup Language
- Content-Type: application/xml
- HTTP Body: XML
JSON: JavaScript Object Notation
- Content-Type: application/json
- HTTP Body: JSON
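The XML and JSON pairings above in code, as an added example (not from the original notes): the same record is encoded as the body format that matches the Content-Type header, and an incoming body is decoded according to the declared type, with parameters such as "; charset=utf-8" stripped first. The record is constructed; the flat one-element-per-field XML layout is an assumption made for the example.

```python
import json
import xml.etree.ElementTree as ET

JSON_TYPE = "application/json"
XML_TYPE = "application/xml"


def media_type(content_type: str) -> str:
    """'application/json; charset=utf-8' -> 'application/json'."""
    return content_type.split(";")[0].strip().lower()


def encode_body(record: dict, content_type: str) -> bytes:
    """Serialise a flat record into the body format the Content-Type promises."""
    mt = media_type(content_type)
    if mt == JSON_TYPE:
        return json.dumps(record).encode("utf-8")
    if mt == XML_TYPE:
        root = ET.Element("record")
        for key, value in record.items():
            ET.SubElement(root, key).text = str(value)  # XML carries text only
        return ET.tostring(root, encoding="utf-8")
    raise ValueError(f"unsupported Content-Type: {content_type}")


def decode_body(body: bytes, content_type: str) -> dict:
    """Parse a body according to its declared Content-Type; mismatch raises ValueError."""
    mt = media_type(content_type)
    if mt == JSON_TYPE:
        data = json.loads(body.decode("utf-8"))  # JSONDecodeError is a ValueError
        if not isinstance(data, dict):
            raise ValueError("expected a JSON object at the top level")
        return data
    if mt == XML_TYPE:
        root = ET.fromstring(body)  # ParseError is a SyntaxError, wrap it below
        return {child.tag: (child.text or "") for child in root}
    raise ValueError(f"unsupported Content-Type: {content_type}")


def decode_strict(body: bytes, content_type: str) -> dict:
    """decode_body that reports any malformed body as ValueError."""
    try:
        return decode_body(body, content_type)
    except (ET.ParseError, UnicodeDecodeError) as exc:
        raise ValueError(f"body is not valid {media_type(content_type)}") from exc


if __name__ == "__main__":
    record = {"username": "alice", "id": 7}
    for ct in (JSON_TYPE, XML_TYPE):
        wire = encode_body(record, ct)
        print(ct, wire, decode_strict(wire, ct))
```

Note the round trip is not symmetric: JSON keeps the number 7 as a number, while the XML form comes back as the string "7", so an API that accepts both must validate types after decoding, not rely on the format.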
| | Authentication | Authorization | Examples |
|---|---|---|---|
| No Auth | N | N | Google search page |
| Basic Auth | Y | N | Email account |
| Bearer Token | N | Y | Not many |
| OAuth | Y | Y | e.g. Waze app |
| Two-Factor Auth | Y | N | High security |
OAuth 2.0 (from the RFC 6749 abstract): it enables a third-party application to obtain limited access to an HTTP service. Instead of using the resource owner's credentials to access protected resources, the client obtains an access token. The specification is designed for use with HTTP.
1.2. Protocol Flow (RFC 6749)
```
     +--------+                               +---------------+
     |        |--(A)- Authorization Request ->|   Resource    |
     |        |                               |     Owner     |
     |        |<-(B)-- Authorization Grant ---|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(C)-- Authorization Grant -->| Authorization |
     | Client |                               |     Server    |
     |        |<-(D)----- Access Token -------|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(E)----- Access Token ------>|    Resource   |
     |        |                               |     Server    |
     |        |<-(F)--- Protected Resource ---|               |
     +--------+                               +---------------+
```
Figure 1: Abstract Protocol Flow
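The six steps of Figure 1 as plain Python functions, one per party, is an added example (not code from RFC 6749 or the original notes) using the authorization code grant. It also exercises the two header schemes from the auth table above: the client authenticates to the token endpoint with HTTP Basic (client_id:client_secret, which RFC 6749 permits), and presents the access token to the resource server as a Bearer token. The client registration, user, scope names and URIs are constructed; token lifetimes and the in-memory tables are assumptions for the example.

```python
import base64
import hmac
import secrets
import time

# --- Authorization server state (constructed) ---
CLIENTS = {"waze-demo": {"secret": "s3cret-client", "redirect_uri": "https://app.example/cb"}}
GRANTS = {}   # authorization code -> grant record (single use, short lived)
TOKENS = {}   # access token -> {"user", "scope", "expires"}


def authorize(client_id: str, redirect_uri: str, user: str, scope: str) -> str:
    """(A)/(B): the resource owner approves the request; the server hands back a grant code."""
    client = CLIENTS.get(client_id)
    if client is None or client["redirect_uri"] != redirect_uri:
        raise PermissionError("unknown client or redirect_uri mismatch")
    code = secrets.token_urlsafe(24)
    GRANTS[code] = {"client_id": client_id, "user": user, "scope": scope,
                    "expires": time.time() + 60}
    return code


def basic_header(user: str, secret: str) -> str:
    """Build 'Authorization: Basic base64(user:secret)' as the client would."""
    return "Basic " + base64.b64encode(f"{user}:{secret}".encode()).decode()


def _client_from_basic(authorization_header: str) -> str:
    scheme, _, payload = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        raise PermissionError("invalid_client")
    try:
        client_id, _, secret = base64.b64decode(payload, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        raise PermissionError("invalid_client")
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], secret):
        raise PermissionError("invalid_client")
    return client_id


def token_endpoint(authorization_header: str, code: str, redirect_uri: str) -> dict:
    """(C)/(D): exchange the grant for an access token; the client proves itself with Basic."""
    client_id = _client_from_basic(authorization_header)
    grant = GRANTS.pop(code, None)  # a code is burned on first use, valid or not
    if grant is None or grant["client_id"] != client_id or time.time() > grant["expires"]:
        raise PermissionError("invalid_grant")
    if CLIENTS[client_id]["redirect_uri"] != redirect_uri:
        raise PermissionError("invalid_grant")
    token = secrets.token_urlsafe(32)
    TOKENS[token] = {"user": grant["user"], "scope": grant["scope"],
                     "expires": time.time() + 3600}
    return {"access_token": token, "token_type": "Bearer", "expires_in": 3600,
            "scope": grant["scope"]}


def resource_server(authorization_header: str, required_scope: str) -> dict:
    """(E)/(F): accept a Bearer token and return the protected resource if the scope allows."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer":
        raise PermissionError("bearer token required")
    info = TOKENS.get(token)
    if info is None or time.time() > info["expires"]:
        raise PermissionError("invalid_token")
    if required_scope not in info["scope"].split():
        raise PermissionError("insufficient_scope")  # "limited access": scope, not full account
    return {"owner": info["user"], "data": f"location history of {info['user']}"}


def run_flow() -> dict:
    """Whole flow for the constructed client: A-B, C-D, then E-F."""
    code = authorize("waze-demo", "https://app.example/cb", "alice", "location:read")
    tok = token_endpoint(basic_header("waze-demo", "s3cret-client"), code, "https://app.example/cb")
    return resource_server("Bearer " + tok["access_token"], "location:read")


if __name__ == "__main__":
    print(run_flow())
```

Two details carry most of the security value: the grant code is single-use and tied to the client that asked for it, so a leaked code cannot be redeemed by someone else, and the resource server checks scope, which is what makes the access "limited" rather than equivalent to the owner's password.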
Sources:
https://www.rfc-editor.org/rfc/rfc6749
https://www.udemy.com/course/api-and-web-service-introduction/