Standards and guidelines that apply to all TIER APIs
Category | Description of guideline/standard | Constraints/exceptions | Supporting work/issues/resources |
---|---|---|---|
Relation to SCIM | RFC 7642, SCIM Definitions, Overview, Concepts, and Requirements | ||
API operations | For all SCIM 2 API operations that are useful in TIER, follow the SCIM protocol as defined in RFC 7644 | Some APIs, including the IdMatch API (for identity de-duplication and reconciliation), do not fit well in the SCIM design space. |
|
Resource Types and Schema | Relationship of RFC 7643 SCIM-defined Schema and Resource Types to TIER Schema and Resource Types. |
| On making schema compliant and extensible, see: |
Requests | |||
HTTP verbs | Customary definition of HTTP verbs (e.g., GET, PUT, POST, DELETE) will be followed. | In some cases it will be necessary to specify different nuances in different contexts. | See: https://www.ietf.org/rfc/rfc2616.txt |
URI syntax | Follow REST conventions | As one example, the major version of the client is included in the URL path, e.g.: https://groups.institution.edu/tierServer/v1/Groups | |
Resource (URI) syntax | Resource reference syntax |
| |
Resource instance references | Resource instances can be referred to in various ways without having to do superfluous look-ups. Resource instances should have a primary identifier. This identifier should not change. Therefore it should be opaque to allow for renames. Resource instances can be referred to by other unique identifiers as well. Unique identifiers that are not the primary identifier can change. Prefixes on Resource instance identifier values specify the type of identifier that follows |
Examples: URL of user by opaque id: https://entities.institution.edu/users/id:1234567 URL of user by netid: https://entities.institution.edu/people/netId:jmith URL of groups for a user by eppn: https://entities.institution.edu/people/eppn:jsmith@institution.edu/groups URL to determine if Person p is in a Group g https://entities.institution.edu/groups/name:edu:institution:community:employees |
|
Searches and queries | Filtering syntax for searches and queries follows SCIM RFC 7644, section 3.4.2.2 | TIER defined prefixes causing problems - JIRA issue | |
Pagination | Follow SCIM RFC 7644, section 3.4.2.4 on pagination | Dynamic objects impact reliability. | |
Parameter passing and name/value syntax | Parameters can be passed to resource requests in the body of the POST or as URL parameters (e.g. ?paramName=paramValue) |
| |
Responses | |||
Response format | JSON |
| |
Response content | Representations (such as users, groups) |
| Example of representation of user in response: https://spaces.at.internet2.edu/display/DSAWG /TIER+API+SCIM+group+member |
Metadata | Standardized elements of response metadata | SCIM Resources with TIER schema extensions will have "meta" elements in both the core SCIM representation and also in the TIER extension representation. To preserve consistency for developers, TIER Resources will have the same. | JIRA issue |
Response codes | HTTP response codes will not be overridden but enriched | HTTP response codes are not entirely unambiguous with respect TIER response codes should be capital letters (could have numbers) where words are separated by underscores. Successful response codes should start with SUCCESS (or be equal to SUCCESS. Unsuccessful response codes should start with ERROR
|
|
TIER HTTP headers |
| Headers should be named: X-TIER-SomeName where the last string is Pascal case Related to numbered items in preceding column: 1) "true" means the TIER API server successfully handled the request. Even if the response is false there might be a body to parse Generally this is implemented on the server with exception handling. If there is an exception and any database transactions are rolled back then the response is false. Note that there will be cases where looking up a resource the HTTP status code might be 404 but X-TIER-success is still true. If a batched request is partially successful then this response code should be true if it can be returned. The body should give details about the failure. 2) There should only be a handful of valid response codes for a given request resource and HTTP method | |
Securing APIs | |||
HTTPS | |||
Techniques for securing API operations are currently external to the API. | Future versions of this guideline are likely to be more prescriptive. Possible authentication methods include HTTP Basic over TLS, SSL client authentication, OAuth 2, and OpenID Connect. If the request requires authentication and none is sent, a 401 HTTP status code will be returned. In such cases, there might be no TIER headers since headers since this response could be sent by the web server, bypassing the TIER component entirely. Need to collect and document methods for securing APIs that we (the TEIR development community) uses | Assumes the value of the authenticated identity is passed in the API call | |
API specification | |||
Swagger specification and compliant tools. | The normative specification for TIER APIs and Schema will be expressed as Swagger 2 |
|
Meta
Each response should have a "meta" attribute with the following structure. Note, some error conditions will prevent this attribute from being sent back. See the SCIM definition
Field | Type | Required | Description |
---|---|---|---|
resourceType | String | true | The name of the resource type of the resource. This attribute has a mutability of "readOnly" and "caseExact" as "true". e.g. for groups it is "Group" |
created | DateTime | false | The "DateTime" that the resource was added to the service provider |
lastModified | DateTime | false | The most recent DateTime that the details of this resource were updated at the service provider. If this |
location | String URI | true | The URI of the resource being returned. This value MUST be the same as the "Content-Location" HTTP response header (see Section 3.1.4.2 of [RFC7231]). |
version | String | false | The version of the resource being returned. This value must be the same as the entity-tag (ETag) HTTP response header (see Sections 2.1 and 2.3 of [RFC7232]). This attribute has "caseExact" as "true". Service provider support for this attribute is optional and subject to the service provider's support for versioning (see Section 3.14 of [RFC7644]). If a service provider provides "version" (entity-tag) for a representation and the generation of that entity-tag does not satisfy all of the characteristics of a strong validator (see Section 2.1 of [RFC7232]), then the origin server MUST mark the "version" (entity-tag) as weak by prefixing its opaque value with "W/" (case sensitive). |
tierCanonicalLocation | String URI | false | If this response refers to another object, that URI is specified here. For example if you are requesting /Groups/id/Members/id, the response is a User or Group or System, and the canonical location would be the Group or User or System URI |
tierSuccess | boolean | true | Same value as X-TIER-success |
tierServiceRootUrl | String URI | true | The root URI for TIER API calls: https://entities.institution.edu/ |
tierServerVersion | String | true | Same version as URL though could have a build number on end after dot: e.g. v1.123 |
tierResultCode | String | true | Same value as X-TIER-resultCode, e.g. SUCCESS |
tierRequestId | String | true | Same value as X-TIER-requestId |
tierResponseDurationMillis | int | false | Same value as X-TIER-responseDurationMillis |
tierErrorMessage | String | false | If this is an error this can hold the free form error message |
tierHttpStatusCode | int | true | http status code of the response |
tierWarning | String | false | free form warnings for example if superfluous params were sent |
tierDebugMessage | String | false | could be sent to give debug info for this request |
Common invalid requests
Any resource/method that has these situations should use these common error codes
TIER result code | HTTP response code | Success? | Request description |
---|---|---|---|
ERROR_METHOD_NOT_AVAILABLE | 405 | false | Method that is not available for a resource |
ERROR_PAGING_INVALID | 400 | false | If paging is not sent in correctly |
ERROR_MULTIPLE_PARAMS | 400 | false | If multiple request parameters were sent when one was expected |
ERROR_INVALID_REQUEST_BODY | 400 | false | If a body was sent in the request and not expected |
ERROR_ID_EXPECTED | 400 | false | If an ID of a resource was expected and not sent in, e.g. if deleting a group but the group ID was not specified. |
ERROR_INVALID_PATH | 404 | false | If too many URL strings are passed in. e.g. if this GETs a group: /Groups/id:abc, then this would generate this response error: /Groups/id:abc/something. Similarly, if a path element has an invalid path (e.g. if the format of an ID in the path is not correct), this the same condition. If a misspelled or mistaken path element is specified (e.g. /Gruops ) then this is the same condition. Note: if the path is valid but the resource is not found (e.g. cant find the group), then a more specific TIER result code should be used. |
ERROR_INVALID_PARAM | 400 | false | If a parameter required a specific format or list of values and is invalid. Note, if a more specific ERROR_ result code is desired that could be used instead |
ERROR_NOT_AUTHORIZED | 403 | false | If the resource exists but it not allowed to be read / updated / inserted / deleted by the authenticated user |
ERROR_EXCEPTION | 500 | false | If an unexpected exception was thrown |
Misc
Common parameters
Parameter name | Values | Description |
---|---|---|
indent | true|false | if the output should be formatted to be easy to read ("pretty print") |
Event Message Standards and Guidelines
Category | Description of guideline/standard | Constraints/exceptions | Supporting work/issues/resources |
---|---|---|---|
Message Payload | |||
Message payloads must contain a resolvable reference to a representation of the current state of the resource in question or the resource representation itself | |||
The representation of a given resource must be the same whether obtained via Messaging or via API | |||
Standard metadata must accompany each message payload | |||
Configuration | |||
Explicitly declare supported guarantees for use as needed: One-time delivery; At least one-time delivery; Order preserved, etc. | |||
... |
Archive: Numbered list of standards and guidelines for RESTful APIs in TIER
Archived Comments