Re: Technical Review of WebAppSec Credential Management API [2/3] (was Re: Overlap with Credentials/Web Payments CG)

On 04/14/2015 11:59 AM, David Ezell wrote:
> And again:
>> I don't expect anyone's first choice for a credentials API to be one where you must ask for a
>> "BetterCredential" object that has the real credentials API on it.
> +1 again.  It might be that our ideas about APIs are a little too one-dimensional.
> The book "RESTful Web APIs" (Richardson, Amundsen, and Ruby) talks at some length about:
> 1) Human Driven Clients
> 2) Automated Clients
> And makes some assertions about both of these.  (One very interesting point is the importance of rendering Hypermedia Controls faithfully to allow Accessibility; we need to think about this going forward but it's a digression for now.)  Automated clients "carry out simple preprogrammed rulesets that hopefully help them reach some predefined goal."  They list several kinds of such automated clients (crawler, monitor, script, agent) that can be used to accomplish the goals.
> The above is only an example.  The point is that object polymorphism is not the only way to solve a complex API problem.  Properly constructed metadata (hypermedia) can give concrete "hints" about how to proceed, and moves ultimate control from inside the API "event horizon" to the outside.  Smarter people than me will have to figure out how to make this work - exciting to contemplate.

+1, object-oriented programming/polymorphism isn't always the best way 
to solve a problem and we shouldn't think that you can always "just 
extend the base class" to solve any problem with ease. We also do 
prefer, I believe, credential extensibility to occur outside of the API, 
not within it (i.e., use Linked Data).

Dave Longley
Digital Bazaar, Inc.

Received on Tuesday, 14 April 2015 16:12:03 UTC