WIXLIB

Interface Quality PatternsEuroPLoP ’18, July 4–8, 2018, Irsee, GermanyTable 1: Problem-solution pairs of previously published Interface Representation Patterns.PatternProblemSolutionAtomic ParameterHow can an API provider define a single,primitive data element as parameter in arequest message or a response message?To exchange a simple, unstructured data element(such as a number, a string, or a boolean value),define only a single scalar parameter for amessage.Atomic Parameter ListHow can the API provider define multipleprimitive data elements as parameters ina request message or a response message?To transmit two or more simple, unstructureddata elements, define the message’s parametersas multiple Atomic Parameters (such as numbers,strings, or boolean values) arranged in anordered list.Parameter TreeHow can the API provider define tree datastructures in the parameters of amessage? How can the API providerdefine repetitive or nested data elementsin the parameters of a message?Define the parameter representation of amessage based on a single root data element thatcontains one or more subordinate compositedata structures such as tuples, arrays, or trees.Parameter ForestHow can the API provider definerepetitive or nested data betweenelements in the parameters of a messagethat cannot or should not be representedwell in a single tree structure?Define the parameter representation of amessage as multiple simple and composite datastructure representations, including scalars, lists,and complex types like trees, arranged in anordered list of those structures.Figure 1: Relationships between the patterns presented in this paper and selected Interface Representation Patterns [25].Interface Quality PatternsRate Limitdepends on client'smay usemay influenceidentify client withRate Plandetails described inidentify client withAPI Keyrefers toService Level Agreementrepresented withmay influenceWish Listapplied toexpress wishes withapplied toInterface Representation PatternsAtomic ParameterParameter ForestAtomic Parameter ListParameter Tree

EuroPLoP ’18, July 4–8, 2018, Irsee, GermanyMirko Stocker, Olaf Zimmermann, Uwe Zdun, Daniel Lübke, and Cesare PautassoAPI Key: An API provider needs to identify the communicationparticipant it receives a message from to decide if that message actually originates from a registered, valid customeror some unknown client. A unique, provider-allocated APIKey per client to be included in each request allows theprovider to identify and authenticate its clients. This patternis concerned with the quality attribute security.Wish List: Performance requirements and bandwidth limitationsmight dictate a parsimonious conversation between the provider and the client. Providers may offer rather rich data setsin their response messages, but not all clients might needall of this information all the time. A Wish List allows theclient to request only the attributes in a response data setthat it is interested in. This pattern addresses qualities suchas accuracy of the information needed by the consumer, response time, and performance, i.e., processing power requiredto answer a request.Rate Limit: Having identified its clients, an authenticated clientcould use excessively many resources, thus negatively impacting the service for other clients. To limit such abuse, aRate Limit can be employed to restrain certain clients. Theclient can stick to its Rate Limit by avoiding unnecessarycalls to the API. This pattern is concerned with the qualityattributes of reliability, performance, and economic viability.Rate Plan: If the service is paid for or follows a freemium model,the provider needs to come up with one or more pricingschemes. The most common variations are a simple flat-ratesubscription or a more elaborate consumption-based pricingscheme [10], explored in the Rate Plan pattern. This patternaddresses the commercialization aspect of an API.Service Level Agreement: API providers want to deliver highquality services while at the same time using their availableresources economically. The resulting compromise isexpressed in a provider’s Service Level Agreement (SLA) bythe targeted service level objectives and associated penalties(including reporting procedures). This pattern is concernedwith the communication of any quality attribute betweenAPI providers and clients. Availability is an example of aquality that is often expressed in such an SLA.The primary target audience for the first four patterns are APIarchitects and developers. The last two patterns concern businessaspects of APIs and are thus more relevant for API product owners.4.1Pattern: API Keya.k.a. Access Token, Provider-Allocated Client IdentifierContext. An API provider offers services to subscribed participantsonly. One or more clients have signed up and want to use theservices. These clients have to be identified.Problem. How can an API provider identify and authenticate different clients (that make requests)?Forces. When identifying and authenticating clients on the APIprovider side, the following forces come into play: How can client programs identify themselves at an API endpoint without having to store and transmit user accountcredentials? How can a client calling an API be decoupled from the client’sorganization? How can varying levels of API authentication, depending onsecurity criticality, be implemented?When resolving these forces, conflicts between security requirements and other qualities make trade offs necessary: How can security, in particular identification and authentication of clients at an endpoint, be established while stillmaking the API easy to use for clients? How can endpoints be secured while minimizing performance impacts?Non-solution. A rich portfolio of application-level security solutions adressing Confidentiality, Integrity, and Availability (CIA)requirements is available. However, for a free and public API themanagement overhead and performance impact might not be economically feasible. For a solution-internal or community API, security could be implemented at the network level with a VirtualPrivate Network (VPN) or two-way SSL. However, this complicatesapplication-level usage scenarios such as enforcing Rate Limits.Solution. As an API provider, assign each client a unique token –the API Key – that the client can present to the API endpoint foridentification purposes.How it works. Encode the API Key as an Atomic Parameter, i.e., asingle string parameter. This interoperable representation makes iteasy to send the key in the request header, as part of a URL querystring , or in the request body (a.k.a. payload). Because of its smallsize, including it in every request causes only minimal overhead.As the API provider, make sure that the API Keys you generateare unique and hard to guess. This can be achieved by using a serialnumber (to guarantee uniqueness) padded by random data andsigned and/or encrypted with a private key (to prevent guessing).Alternatively, base the key on a Universally Unique Identifier UUID2 .UUIDs are easier to use in a distributed setting because there isno serial number that needs to be synchronized across systems.However, UUIDs are not necessarily random-generated3 ; hence,they also require further obfuscation just like in the serial numberscheme.Example. In the following call to the Cloud Convert API4 a newprocess to convert a DOCX file to PDF format is started. The clientcreates a new conversion process by informing the provider of thedesired in- and output format, passed as two Atomic Parametersin the body of the request (the input file has to be provided bya second call to the API). For billing purposes, the client identifies itself by passing the API Key gqmbwwB74tToo4YOPEsev5 in theAuthorization header of the request, according to the HTTP/1.12 https://tools.ietf.org/html/rfc4122.html3 Version 1 UUIDs are a combination of timestamp and hardware addresses: https://en.wikipedia.org/wiki/Universally unique identifier#Versions. The Security Considerations section in RFC 4122 warns not to “assume that UUIDs are hard to guess; theyshould not be used as security capabilities (identifiers whose mere possession grantsaccess), for example.”4 https://cloudconvert.com

Interface Quality PatternsAuthentication RFC 72355 specification. HTTP supports varioustypes of authentication, here the RFC 67506 Bearer type is used:POST https://api.cloudconvert.com/processAuthorization: Bearer gqmbwwB74tToo4YOPEsev5Content-Type: application/json{"inputformat": "docx","outputformat": "pdf"}The API provider can thus identify the client and charge theiraccount.Implementation hints. When securing an API with an API Key,the following advice should be taken into consideration: To further protect against brute force attackers trying toguess an API Key, an IP range-specific Rate Limit can be usedto block an attacker’s requests. Use a well-tested library and refrain from writing your owncryptography code. For example, Java has a Java Cryptography Extension that provides various widely used key generation algorithms. Follow the OWASP REST Security Cheat Sheet7 when securing your HTTP resource API. The cheat sheet contains asection on API Keys and contains other valuable informationon security as well. API Keys should not be presented as HTML/HTTP cookiesbecause cookies may be used to identify a user session andmight be stored for a long period of time. API Keys shouldalso be usable by non-browser clients such as Software Development Kits (SDKs) or command line tools that interactwith the API [7]. Client developers should not accidentally store their sharedsecrets (e.g., keys) in version control systems8 or other placeswhere others can get easy access to them (e.g., code repositories).Consequences. An API Key is a lightweight alternative to a fullfledged authentication protocol and balances basic security requirements with the desire to minimize management and communicationoverhead.Resolution of forces. Having the API Key as a shared secret between the API endpoint and the client, the endpoint can identify the clientmaking the call and use this information to further authenticate and authorize the client. Using a separate API Key instead of the customer’s accountcredentials decouples different customer roles, such as administration, business management, and API usage, fromeach other. This makes it possible to let the customer createand manage multiple API Keys, for example to be used indifferent client implementations or locations, with varying5 https://tools.ietf.org/html/rfc7235.html6 https://tools.ietf.org/html/rfc67507 https://www.owasp.org/index.php/REST Security Cheat Sheet8 Thishas actually happened: https://www.theregister.co.uk/2015/01/06/dev blundershows github crawling with keyslurping bots/.EuroPLoP ’18, July 4–8, 2018, Irsee, Germanypermissions associated to them. In the case of a securitybreak or leak, they can also be revoked independently ofthe client account. A provider might also give clients theoption to use multiple API Keys with different permissionsor provide analytics (e.g., number of API calls performed)and Rate Limits per API Key. Because the API Key is small, it can be included in eachrequest without impacting performance much. The API Key is a shared secret, and because it is transportedwith each request, it should only be used over a secure connection such as HTTPS. If this is not possible, additionalsecurity measures (VPN, public-key cryptography) must beused. Configuring and using secure protocols and other security measures has a certain configuration management andperformance overhead. An API Key is just a simple identifier and thus cannot beused to transport additional payload, such as an expirationtime or authorizations.Further discussion. An API Key can also be combined with anadditional secret key to ensure the integrity of requests. The secretkey is shared between the client and the server but never transmitted in API requests. The client uses this key to create a signaturehash of the request and sends the hash along with the API Key.The provider can identify the client with the provided API Key,calculate the same signature hash using the shared secret key andcompare the two. This ensures that the request was not tamperedwith. Amazon uses such asymmetric cryptography to secure accessto its Elastic Compute Cloud9 .Alternatives. Even if combined with a secret key, API Keys mightbe insufficient or impractical as the sole means of authentication andauthorization. Consider the case where three parties are involvedin an interaction: the user, the service provider and a third partythat wants to interact with the service provider on behalf of theuser. For example, consider a user who wants to allow a mobileapp to store its data on the user’s Dropbox account. In this caseAPI Keys cannot be used if the user does not want to share themwith the third party. For such use cases, consider using OAuth2.0 instead. Another security technology that could possibly beleveraged is the Security Assertion Markup Language (SAML)10 ,which can, for instance, be used in backend integration to securethe communication between backend APIs. These alternatives offerbetter security but also come with a much higher implementationand runtime complexity.Another popular alternative is the JSON Web Tokens (JWT)standard RFC 751911 (see this JWT Introduction12 ). JWT definesa simple message format for access tokens with a payload. Theaccess tokens are created and cryptographically signed by the APIprovider. Providers can verify the authenticity of such a token anduse it to identify clients. Because JWT tokens, in contrast to APIKeys, have a payload, the provider can securely store additionalinformation there.9 /ec2-key-pairs.html10 https://wiki.oasis-open.org/security/FrontPage11 https://tools.ietf.org/html/rfc751912 https://jwt.io/introduction

EuroPLoP ’18, July 4–8, 2018, Irsee, GermanyMirko Stocker, Olaf Zimmermann, Uwe Zdun, Daniel Lübke, and Cesare PautassoKnown Uses. Many public Web APIs use the API Key concept, sometimes under different names (such as access token). A few examplesare: The YouTube Data API13 supports both OAuth 2.0 as wellas API Keys. Clients have to generate different API Keys,depending on where these keys are used, e.g., server keys,browser keys, iOS and Android keys. These keys can thenonly be used by the configured apps (in case of the iOS andAndroid apps), IP addresses or domain names. This additionallayer of protection makes a specific key unusable outsideof the specified app. This is done to avoid that an attackercould, for example, simply extract the key from an installedAndroid application and use it to make requests on behalfof that application. The GitHub API’s primary means of authentication and authorization is OAuth, but basic authentication14 with a username and token – the API Key – is also supported. Here, theAPI Key is not sent via HTTP header but through the password parameter of the basic authentication. For example,a request to access the user resource using the cURL command line tool looks as follows: curl -u username:tokenhttps://api.github.com/user. The API of online payment provider Stripe15 uses a publishable key and a secret key. The secret key takes the role ofan API Key and is transmitted in the Authorization headerof each request, whereas the publishable key is just the account identifier. This naming scheme might be surprisingfor clients expecting the secret key to be kept private, likeAmazon’s secret key, which is never transmitted and onlyused to sign requests.Related Patterns. Many web servers use Session Identifiers [9] tomaintain and track user sessions across multiple requests; this is asimilar concept. In contrast to API Keys, Session Identifiers are onlyused for single sessions and then discarded.The Security Patterns in [18] provide solutions satisfying security requirements such as Confidentiality, Integrity, and Authentication/Authorization, and discusses their strengths and weaknessesin detail. Access control mechanisms, such as Role-based AccessControl (RBAC) or Attribute-based Access Control (ABAC), can complement API Keys and other approaches to authentication; theseaccess control practices require one of the described authenticationmechanisms to be in place.Other Sources. Chapter 12 of the RESTful Web Services Cookbook[1] is dedicated to security and presents six related recipes. [16]covers two related patterns of alternative authentication mechanismin a RESTful context, Basic Resource Authentication and Form-BasedResource Authentication.[19] provides a comprehensive discussion on securing APIs withOAuth 2.0, OpenID Connect, JWS, and JWE. Chapter 9 of [20]has a discussion of conceptual and technology alternatives andinstructions on how to implement an OAuth 2.0 server. The OpenID13 https://developers.google.com/youtube/registering an application14 tication15 https://stripe.com/docs/apiConnect16 specification deals with user identification on top of theOAuth 2.0 protocol.4.2Pattern: Wish Lista.k.a. Data Wish Enumeration, Partial Response RepresentationRequest, Data Selection ProfileContext. API providers need to serve multiple different clients thatinvoke the same operations. Not all clients have the same information needs: some might just need a subset of the data offered by theendpoint, other clients might need rich data sets.Problem. How can an API client inform the API provider at runtimeabout the data it is interested in?Forces. Multiple clients with different information needs might usean API. Hence, the primary design issues that drive selection andadoption of this pattern are: How can a provider satisfy the possibly conflicting information needs of individual clients without having to implement per-client endpoints but still avoiding under- andover-fetching? How can a client specify and learn about provider-side selection filters that reduce message verbosity by allowing clientsto select the level of detail of the retrieved information? How can a provider cope with the increased complexityof its endpoint d

The operations of an API can be invoked by a conversation. A conversation is any kind of exchange of messages (i.e., the conver-sation uses messages). For instance, a conversation can be a call conversation which usually uses a request message and a response message (unless the call is a one-way call which omits the response message).