December 20th, 2012

Top 5 Layer 7 Blog Posts from 2012


To follow up on our Top 5 Resources post from last week, here’s a look at the five most popular, most thought-provoking or just-plain-best posts from the Layer 7 blog in 2012. Mainly though, these are just personal favorites and I should note that they’re arranged chronologically (oldest first), not in order of preference.

The Oracle-Versus-Google Verdict Comes Down
June saw a remarkable amount of media coverage focusing on the world of APIs, as the Oracle/Google court case made headlines. Layer 7’s Jaime Ryan was relieved that the ruling stated APIs are not protected by copyright. Jaime said: “By taking a strong stand on the issue… the judge has possibly prevented a whole new round of lawsuits that could have rivaled the still-ongoing Apple/Samsung/Google patent wars.”
Read the full post >>>

Are Open APIs Too Open for Big Business?
In July, Ronnie Mitra took a detailed look at how nervous major social media platforms like Twitter and Facebook were becoming about their open APIs and concluded that “enterprises will need to adapt or risk being unable to reach their customers as the device revolution continues at its explosive pace… Organizations need to think carefully and plan their API strategies in order to find the perfect balance between control and accessibility.”
Read the full post >>>

Why I Still Like OAuth
In the midst of the controversy surrounding July’s formalization of OAuth 2.0, Scott Morrison launched a passionate, though qualified, defense of the standard. Scott argued that “sometimes you just have to declare a reasonable victory and deal with the consequences later. OAuth isn’t perfect, nor is it easy. But it’s needed and it’s needed now, so let’s all forget the personality politics and just get it done.”
Read the full post >>>

History Repeats: The Search for Agility & Reuse Through APIs
This September, Dimitri Sirota visited the SDP Global Summit in Rome and noticed how much of the discussion around telecom carriers’ API initiatives echoed the SOA talk of a decade ago. He noted “telco after telco (echoed) the decade-old SOA mantra of abstraction, agility and reuse when talking about their new API initiatives… But if Web APIs are to deliver on the SOA vision of agility and reuse, they will need some of the same plumbing that made Web services work.”
Read the full post >>>

RESTful or Not?
Also in September, Mike Amundsen provided an explanation of the key term “RESTful”, which is so often used in reference to APIs and Web services. Mike explained: “Essentially, REST… is a style. Specifically, it’s a style of network-based software architecture. This style was first defined in 2000 by Roy Fielding. Fielding stated that ‘an architectural style is a coordinated set of architectural constraints that has been given a name for ease of reference’.”
Read the full post >>>

September 12th, 2012

RESTful or Not?

As the leader of Layer 7’s North American API Architecture & Design Practice, I often get asked to review Web solutions. Rarely do people ask me if the implementation is appropriate for the intended use. Instead they want to know if the work fits a label invented over a decade ago by a PhD candidate in his dissertation. They want to know if what they’ve come up with is “RESTful”.

Essentially, REST (representational state transfer) is a style. Specifically, it’s a style of network-based software architecture. This style was first defined in 2000 by Roy Fielding. Fielding stated that “an architectural style is a coordinated set of architectural constraints that has been given a name for ease of reference”.

The set of architectural constraints Fielding defined in his dissertation remains the key criterion by which we judge whether or not a service is RESTful. Back in 2000, Fielding did a very good job of defining the six primary constraints: client-server; stateless; cache; uniform interface; layered system; code-on-demand.

However, REST is also defined by four “interface constraints” that are only partially defined in the dissertation: identification of resources; manipulation of resources through representations; self-descriptive messages; hypermedia as the engine of application state. In particular, the definitions of self-descriptive messages and hypermedia are still debated.

Assuming you can decide on clear definitions of all 10 constraints, all that remains is to identify each of them within the target design. If the implementation does not exhibit all ten (well nine, since code-on-demand is optional), then it is not RESTful. This last step is not difficult. It is the previous step (agreeing on definitions) that causes problems.

Still not sure if your service is RESTful? Well, I originally published this post, in expanded form, on my personal blog. If you want to dig deeper, take a look over there.

September 6th, 2012

REST Fest 2012 in Greenville, SC

Over the weekend of September 13-15, a small band of Web architects and developers will – for the third year in a row – descend upon the town of Greenville, SC. They’ll be getting together to catch up on the events of the past year, share stories about recent projects and contemplate the future of Web and mobile applications.

This may sound like a typical tech conference but REST Fest is hardly that. Taking its cue from OpenSpaces and similar events, REST Fest is organized by attendees, for attendees. For example, one of the days is devoted to everyone hacking on the same general topic. Another is dedicated to short workshops, all presented by selected registrants.

Similarly, all the general session talks are delivered by the attendees themselves. That’s because one of the “rules” of REST Fest is “everyone talks and everyone listens”. When you sign up to join REST Fest, you are expected to deliver at least a five-minute lightning talk – and there are no exceptions!

Notable presenters will include keynote speaker Stu Charlton (former CTO of Elastra), Matt Bishop (Senior Product Architect at Elastic Path), Pat Cappelaere (currently working on NASA’s SensorWeb project), Leonard Richardson (co-author of O’Reilly’s RESTful Web Services), Sam Ramji (Head of Strategy at Apigee) and yours truly.

I feel privileged to be co-chair of REST Fest and I’m pleased to note that Layer 7 is the event’s Head Sponsor this year. Hope to see you there!

July 6th, 2012

OpenID Connect: Live Tech Talk July 10 9am PDT

Our Tech Talks strive to focus on the most interesting and relevant API Management topics for both developers and publishers. And as new and evolving protocols emerge, we want to provide a forum for developers and publishers alike to discuss these protocols in an open discussion forum. So with that in mind, our next Tech Talk will focus on OpenID Connect.

OpenID Connect is an emerging standard that adds federated authentication to OAuth 2.0-enabled systems. It’s a suite of lightweight specifications that provide a framework for identity interactions via RESTful APIs. And in its simplest deployment, OpenID Connect allows all types of clients, including browser-based, mobile and JavaScript clients, to request and receive information about identities and currently authenticated sessions.

So, it’s a relatively simple protocol that helps make authenticating complicated scenarios easier. And let’s be honest – simple and easy are always welcome when it comes to securing RESTful APIs. Authorization and authentication are now available using only one technology. This makes life easier for anyone looking to secure their APIs.

But of course, questions always arise when discussing the various implementation scenarios for OpenID Connect. That’s why we’re excited to welcome Senior Software Developer Sascha Preibisch as our special guest for our July 10 Tech Talk Tuesday. He will answer any OpenID Connect questions you may have – so get those questions ready and join us on July 10 at 9am PDT.

Here’s how to join the discussion:

Click here to get a reminder in your calendar.

On the day of the event, join on Livestream or Facebook:
»  livestream.com/layer7live
»  facebook.com/layer7

Tuesday, July 10 | 9am PDT | 12pm EDT | 5pm BST

Submit your questions:
Tweet using the tag #Layer7Live
Email techtalk@layer7.com
Check in & Chat through Facebook

May 28th, 2012

Gluecon 2012

Glue Conference, aka Gluecon, is such a refreshing event – filled with API and application developers, not a single suit in sight, demo pods, hackathons, spheros etc.

APIs are popping up everywhere and creating amazing integration possibilities. One of the coolest demos I saw at Gluecon was Ducksboard’s dashboard service, which lets you create your own monitoring dashboard using a library of widgets for existing social and Cloud providers. You can even create your own widget and have your own data pushed to it via an API endpoint created just for you, on the fly – so sexy!

Thanks to everybody who came to my presentation Making Sense of API Access Control. I hope this shed some light on how to leverage OAuth for controlling access to REST-based APIs. A lot of the new APIs I discovered this week could certainly use some help in that regard. API key authentication in HTTP Basic without a password has its limitations. The slides from Making Sense of API Access Control are embedded below.