Audio from this session is available at https://archive.org/details/rest_apis_with_oauth2 Constructing a successful and simple API is the lifeblood of your developer community, and REST is a simple standard through which this can be accomplished. As we construct our API and need to secure the system to authenticate and track applications making requests, the open standard of OAuth 2 provides us with a secure and open source method of doing just this. In this talk, we will explore REST and OAuth 2 as standards for building out a secure API infrastructure, exploring many of the architectural decisions that PayPal took in choosing variations in the REST standard and specific implementations of OAuth 2.

1. Securing RESTful Payment APIs
Using OAuth 2
Jonathan LeBlanc
Principal Developer Evangelist (PayPal)
Github: http://github.com/jcleblanc
Twitter: @jcleblanc

2. The Ultimate Decision
Security Usability

4. What a RESTful API isn’t
Our API is RESTful, we support GET,
PUT, POST, and DELETE requests
No…actually you just support
HTTP…like the rest of the web.

5. What a RESTful API is
Honor HTTP request verbs
Use proper HTTP status codes
No version numbering in URIs
Return format via HTTP Accept header
Double Rainbow: Discovery via HATEOAS

6. Does Anyone Actually Do That?
Very few APIs
follow pragmatic
REST principles

7. "links": [{
"href": "https://api.sandbox.paypal.com/v1/payments/
payment/PAY-6RV75EKEYSZ6Y",
"rel": "self",
"method": "GET"
},{
"href": "https://www.sandbox.paypal.com/webscr?
cmd=_express-checkout&token=EC-6019609",
"rel": "approval_url",
"method": "REDIRECT"
},{
"href": "https://api.sandbox.paypal.com/v1/payments/
payment/PAY-6RV75EKEYSZ6Y/execute",
"rel": "execute",
"method": "POST"
}
]

9. When You Need Access Security

10. A Few Different Flavors of Usage
User login (authentication)
User Involvement (authorization)
Application only (bearer tokens)

11. Our App Usage: Bearer Tokens

13. Making Your Definitions
<?php
define("CLIENT_ID", "YOUR CLIENT ID");
define("CLIENT_SECRET", "YOUR CLIENT SECRET");
define("URI_SANDBOX", "https://api.sandbox.paypal.com/v1/");
define("URI_LIVE", "https://api.paypal.com/v1/");
?>

14. class paypal{
private $access_token;
private $token_type;
public function __construct(){
$postvals = "grant_type=client_credentials";
$uri = URI_SANDBOX . "oauth2/token";
$auth_response = self::curl($uri, 'POST', $postvals, true);
$this->access_token = $auth_response['body']->access_token;
$this->token_type = $auth_response['body']->token_type;
}
…
}

15. private function curl($url, $method = 'GET', $postvals = null, $auth = false){
$ch = curl_init($url);
if ($auth){
$headers = array("Accept: application/json",
"Accept-Language: en_US");
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, CLIENT_ID . ":" .CLIENT_SECRET);
} else {
$headers = array("Content-Type:application/json",
"Authorization:{$this->token_type} {$this->access_token}");
}

16. $options = array(
CURLOPT_HEADER => true,
CURLINFO_HEADER_OUT => true,
CURLOPT_HTTPHEADER => $headers,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_VERBOSE => true,
CURLOPT_TIMEOUT => 10
);
if ($method == 'POST'){
$options[CURLOPT_POSTFIELDS] = $postvals;
$options[CURLOPT_CUSTOMREQUEST] = $method;
}
curl_setopt_array($ch, $options);
$response = curl_exec($ch);
return $response;
}

17. Making a Call with the Token
public function process_payment($request){
$postvals = $request;
$uri = URI_SANDBOX . "payments/payment";
return self::curl($uri, 'POST', $postvals);
}

18. The Last Considerations
REST and OAuth are specifications,
not religions
Don’t alienate your developers
with security
Open source is your friend

19. Thank You! Questions?
www.slideshare.com/jcleblanc
Jonathan LeBlanc
Principal Developer Evangelist (PayPal)
Github: http://github.com/jcleblanc
Twitter: @jcleblanc