REST API Notes for 2018-07-12
This week is light on links but heavy on thought. Let's get into it.
THE WEEK'S HIGHLIGHTS
GOODBYE MICROSERVICES
This past week, Alexandra Noonan published a blog post entitled, "Goodbye Microservices". It goes into a great amount of detail on the architecture of their message systems pre, during, and post microservice architecture.
The mention of a shared library (and thus the introduction of an inter-service dependency) struck me as odd. Another oddity was the assumption that each new integration automatically warranted its own microservice. And I'm curious as to why the first step wasn't a two-queue system, rather than fifty+; one where new messages go to a primary queue and retry events go to a second, dedicated process.
That said, I vigorously admit I'm on the outside and my impressions are based on scanning the post for a few minutes. It's clear there is a high degree of technical competence among the team. My conclusions lead me to believe that I don't have all the details, rather than the team being at fault.
At the beginning of this year, I discussed how I saw sentiment souring. Microservices are complex and this year is when many shops are pushing past theory. Just like having an open floor plan doesn't mean you're doing devops, "doing microservices" doesn't mean you instantly get sustainable software modularity.
I expect more of these 'tales from the trenches' to come.
A DEFENSE OF OAUTH 1.0
Spotted by Google's Marsh Gardiner, Mastercard has an interesting blog post about why they prefer OAuth 1.0 to 2.0. Written by Paul Matthews, it provides an interesting counter-argument to a debate that most (probably) thought settled.
At the heart of it, OAuth's version number is an unfortunate label. With software, we're conditioned to assume '2.0' is better than, or an upgrade over, '1.0'. The truth is that they're actually mutually exclusive systems. To grossly oversimplify, OAuth 1.0 is based on secure hashing, while OAuth 2.0 is an interplay of token exchanges to enable authorization among two or more parties.
Eran Hammer, a co-creator of the OAuth 1.0 standard, has spoken in great (and colorful) detail about his disappointment with OAuth 2.0 in the past (the video is circa 2012). That spite begat Hawk, which is interesting but, despite its being frequently updated, I don't know how widely adopted it is. Some of the ideas behind both OAuth 1.0 and Hawk are present in the more recent TAuth.
But kudos to Mastercard for succinctly outlining their position. It is important for developers to hear these kinds of stories to make more informed positions.
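To make the "secure hashing" side of that comparison concrete, here is an added example (not code from Mastercard's post or from any OAuth library) of OAuth 1.0 HMAC-SHA1 request signing as specified in RFC 5849, showing that a signature stops verifying once a signed parameter changes. The host, parameter values and secrets are constructed for illustration, and the base URI handling assumes no explicit default port.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit


def pct(value):
    # RFC 5849 section 3.6: everything except unreserved characters is percent-encoded.
    return quote(str(value), safe="-._~")


def base_string(method, url, params):
    # RFC 5849 section 3.4.1: METHOD & base URI & normalized, sorted parameters.
    # Simplification: query parameters are passed in `params`, and the URL
    # carries no explicit default port.
    parts = urlsplit(url)
    base_uri = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    # HMAC-SHA1 keyed with both shared secrets; the secrets never go on the wire.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def verify(method, url, params, consumer_secret, token_secret=""):
    # Recompute the signature server-side and compare in constant time.
    expected = sign(method, url, params, consumer_secret, token_secret)
    presented = str(params.get("oauth_signature", ""))
    return hmac.compare_digest(expected.encode(), presented.encode())


# Constructed sample request; the host, parameter values and secrets are made up.
URL = "https://API.example.com/v1/payments"
PARAMS = {"amount": "100", "oauth_consumer_key": "ck", "oauth_nonce": "n1",
          "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1531353600"}
SIGNED = dict(PARAMS, oauth_signature=sign("POST", URL, PARAMS, "cs", "ts"))
TAMPERED = dict(SIGNED, amount="9000")  # same signature, altered parameter

if __name__ == "__main__":
    print(base_string("POST", URL, PARAMS))
    print("original verifies:", verify("POST", URL, SIGNED, "cs", "ts"))
    print("tampered verifies:", verify("POST", URL, TAMPERED, "cs", "ts"))
```

A full RFC 5849 verifier also rejects reused nonce and timestamp pairs, which this sketch leaves out.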
MILESTONES
This week I've got some industry quick takes nearly as hot as the July summer heat!
- Broadcom to buy CA Technologies for $19 Billion. Broadcom, a chip maker that failed to buy industry rival Qualcomm earlier this year, is now getting into the software space. It is notable because CA Technologies (formerly CA, Inc.) purchased API Management company Layer 7 in 2013. That deal sustained the API Academy, the home for a tremendous amount of API thought leadership that we know and love today. I'm glad I'm not the only one that had a bit of déjà vu (cough Intel buying Mashery cough). Head buckaroo Matt McLarty has a roundup of the most important bits.
- Speaking of the API Academy, they just launched a spiffy new site redesign.
- Amazon API Gateway now allows for private endpoints (connect to Lambda functions over HTTP within your own VPC)
- RESTFest Midwest videos are now online and available for viewing
- Ping Identity acquires ElasticBeam to build New API Security Solution
WRAPPING UP
Looking to meet, in person, with like minds? Check out webapi.events. And if you have an upcoming Web API gathering somewhere on earth, let me know - I'd be glad to add it.
And if you're interested in kicking in for the caffeine that helps make these updates possible, check out my Patreon page.
Thanks for reading. Till next time, Matthew