Net API Notes for 2021/09/01 - Issue 173
Net API Notes is a regular, hand-curated digest of impactful news and analysis for busy API practitioners. Are you reading this on the web and not subscribed yet? Sign up today and be the first to get ad-free, actionable info delivered weekly to your inbox.
There's a hint of chill in the air, the trees are beginning to turn, and I'm Googling how to winterize the sprinkler system - it must be September! And time for some new Net API Notes!
NOTES
TOP OAUTH VULNERABILITIES
STRAT / DESIGN / DOC / DEV & TEST / DEPLOY / SECURITY / MONITOR / DISCOVERY
OAuth 2.0 was published as RFC 6749 nearly a decade ago. Despite this, companies continue to have difficulty implementing the standard. Part of this stems from OAuth's flexibility, which results in a variety of non-standard implementations. I might also argue that OAuth 2.0 is less secure than 1.0 because it relies on the SSL implementation to protect the requestor's access token rather than on signatures.
Writing on the Nordic APIs blog, Gary Archer has a piece called "Top OAuth Client Vulnerabilities". He captures sixteen(!) different ways OAuth can go wrong.
With APIs becoming a leading attack vector for malicious actors, I'd strongly encourage every API owner to check their practice against Gary's findings. Security is one area where all too many implementations could do better.
And while I'm talking about security, I also want to highlight Vickie Li's post on preventing SQL injection attacks through APIs. Not the same as poor OAuth implementation, but important nonetheless.
LONDON BOROUGH OF HACKNEY
STRAT / DESIGN / DOC / DEV & TEST / DEPLOY / SECURITY / MONITOR / DISCOVERY
Many of us bemoan our local government's digital prowess. The London Borough of Hackney, however, is the exception to the rule. Hackney recently published their use case for "How Hackney Council Built an API Platform". It provides a compelling story on how a city government can transform and build modern digital experiences with APIs.
The entire effort is very well done. I tip my hat to all involved.
THE IMPORTANCE OF CONSISTENCY TO YOUR API DESIGN
STRAT / DESIGN / DOC / DEV & TEST / DEPLOY / SECURITY / MONITOR / DISCOVERY
Most readers of the Net API Notes will be familiar with the frequently highlighted Arnaud Lauret. Whether it is because of his book, The Design of Web APIs, or his blogging as the API Handyman, Arnaud is passionate about good API design.
His guest post on the Stoplight blog is no exception. Featuring a snippet from his book, the piece goes into depth on the importance of consistency to API design: consistency both within the API itself and with the landscape the API exists within.
If that wasn't enticing enough, the article features a discount code for an additional 35% off your copy. It's too late for me. My copy occupies a position of privilege next to a genuine 1978 33-and-a-third RPM Star Wars record. But if you've been waffling, these are the droids deals you've been looking for.
MILESTONES
The end of August is always a bit slow. There were a few things on the periphery, but I'm skipping the milestones this week.
WRAPPING UP
I added a handful of new meetups to Net API Events. While meeting in person remains dicey due to new Covid variants, several enterprising community leaders have moved their events online. The upshot is that anyone with an internet connection can now sample the conversation wherever it is happening. And if there is an event missing? Let me know, and I'll add it.
I also have a handful of pieces on my blog. There is "One Way To Improve API Guidance", "Three Approaches to API Governance", and "Power-Over Strategies and How Reporting Can Backfire". If you're involved at all with driving the direction of your API design practice within your org, check them out.
Finally, thanks to my Patreon supporters. You are the reason this newsletter is free of advertising, information selling, or paywalls. Thank you.
Till next time, Matthew
@libel_vox and matthewreinbold.com
While I work at Postman, the only place I've bothered to bedazzle my intranet profile, the opinions presented above are mine.