SlideShare a Scribd company logo

Securing RESTful APIs using OAuth 2 and OpenID Connect

Download as PPTX, PDF
Jonathan LeBlanc, profile picture
Jonathan LeBlanc

The document outlines the importance of securing RESTful APIs using OAuth 2.0 and OpenID Connect, highlighting the risks related to poor password choices among users. It details key components of API requests, authentication methods, attack vectors, and practical implementation steps for accessing secure resources. The conclusion emphasizes that REST and OAuth are specifications rather than strict rules, and encourages developers to adopt open-source tools and security measures without compromising usability.

Technology
1 of 34
Downloaded 58 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
Securing RESTful APIs Using OAuth 2 and OpenID Connect Jonathan LeBlanc (@jcleblanc) Global Head of Developer Evangelism at PayPal
Why do we Need This?
Poor Password Choices • 4.7% of users have the password password; • 8.5% have the passwords password or 123456; • 9.8% have the passwords password, 123456 or 12345678; • 14% have a password from the top 10 passwords • 40% have a password from the top 100 passwords • 79% have a password from the top 500 passwords • 91% have a password from the top 1000 passwords
…And of What’s Left 1. Pet’s name 2. Significant dates (like a wedding anniversary) 3. Date of birth of close relation 4. Child’s name 5. Other family member’s name 6. Place of birth 7. Favorite holiday 8. Something related to favorite football team 9. Current partner’s name
Handing Over Account Passwords
Malicious Applications
Aspects of Revocation
App Revoked by User App Revoked by Service Provider
Path to the Standard
Username & Password to Auth
Rise of the Token
Two Widely Used Specifications
REST Request Components
How Requests are Made curl -v https://api.sandbox.paypal.com/v1/payments/payme nt -H "Content-Type:application/json" -d '{ "intent": "sale", "payer": { ... }, "transactions": [{ "amount": { ... } }] }'
How Auth is Added in curl -v https://api.sandbox.paypal.com/v1/payments/payment -H "Content-Type:application/json" -H "Authorization: Bearer {accessToken}" -d '{ "intent": "sale", "payer": { ... }, "transactions": [{ "amount": { ... } }] }'
Attack Vectors Man in the Middle Replay Attacks Cross-Site Request Forgery (CSRF)
Adding in the Auth
Reasons for Auth Rate Limiting and Attack Vector Protection Having the ability to revoke application access Needing to allow users to revoke an applications access to their data
When You Need Access Security
User Login (authentication) User Involvement (authorization) Application Only (monitoring)
Practical Implementation
Redirect the User to Log In Prepare the Redirect URI Authorization Endpoint client_id response_type (token) scope redirect_uri Browser Redirect Redirect URI
Fetching the Access Token Fetch the Access Token Access Token Endpoint client_id grant_type client_secret code HTTP POST Access Token Endpoint
Fetching the Access Token curl https://api.sandbox.paypal.com/v1/oauth2/token -H "Accept: application/json" -H "Accept-Language: en_US" -u "EOJ2S-Z6OoN_le_K:S1d75wsZ6y0SFd…" -d "grant_type=client_credentials"
Access Token Response { "scope": "https://api.paypal.com/v1/payments/.* https://api.paypal.com/v1/vault/credit-card", "access_token": "EEwJ6tF9x5WCIZDYzyZGaz6K…", "token_type": "Bearer", "app_id": "APP-6XR95014SS315863X", "expires_in": 28800 }
Using the Access Token Fetch Privileged Resources Resource Endpoint Token Type (Authorization header) Access Token (Authorization header) HTTP GET / PUT / POST / DELETE Resource Endpoint
Using the Access Token curl -v https://api.sandbox.paypal.com/v1/payments/payment -H "Content-Type:application/json" -H "Authorization:Bearer EMxItHE7Zl4cMdkv…" -d "{...}"
Maintaining SDK Consistency
Defining APIs with WADL / WSDL
<?xml version="1.0" encoding="UTF-8"?> <description xmlns="http://www.w3.org/ns/wsdl" ...> <types> … </types> <interface name="Interface1"> … </interface> <binding name="HttpBinding" interface="tns:Interface1”> <operation ref="tns:Get" whttp:method="GET"/> </binding> <binding name="SoapBinding" interface="tns:Interface1" …> <operation ref="tns:Get" /> </binding> <service name="Service1" interface="tns:Interface1"> <endpoint name="HttpEndpoint" binding="tns:HttpBinding" address="http://www.example.com/rest/"/> <endpoint name="SoapEndpoint" binding="tns:SoapBinding" address="http://www.example.com/soap/"/> </service> </description>
<?xml version="1.0"?> <application xmlns:xsi=…> <grammars> <include href="NewsSearchResponse.xsd"/> <include href="Error.xsd"/> </grammars> <resources base="http://api.search.yahoo.com/NewsSearchService/V1/"> <resource path="newsSearch"> <method name="GET" id="search"> <request> <param name="appid" type="xsd:string" required="true"/> <param name="query" type="xsd:string" required="true"/> </request> <response status="400"> <representation mediaType="application/xml" element="ya:Error"/> </response> </method> </resource> </resources> </application>
Genio (templates) https://github.com/paypal/genio Genio Parser (model builder) https://github.com/paypal/genio-parser Genio Samples https://github.com/paypal/genio-sample Building SDKs Automatically
Final Considerations REST and OAuth are specifications, not religions Don’t alienate your developers with security Open source is your friend
Thank You! Questions? http://slideshare.net/jcleblanc Jonathan LeBlanc (@jcleblanc) Global Head of Developer Evangelism at PayPal

More Related Content

PPTX
A10 - Unvalidated Redirects and Forwards
Shane Stanley
 
PDF
Facebook data breach and OAuth2
Leonard Moustacchis
 
PPT
Security 101
George V. Reilly
 
PPTX
Securing your APIs with OAuth, OpenID, and OpenID Connect
Manish Pandit
 
PDF
Stateless authentication for microservices - GR8Conf 2015
Alvaro Sanchez-Mariscal
 
PPTX
OAuth2 + API Security
Amila Paranawithana
 
PPTX
Securing RESTful APIs using OAuth 2 and OpenID Connect
Jonathan LeBlanc
 
PPTX
Securing RESTful Payment APIs Using OAuth 2
Jonathan LeBlanc
 
A10 - Unvalidated Redirects and Forwards
Shane Stanley
 
Facebook data breach and OAuth2
Leonard Moustacchis
 
Security 101
George V. Reilly
 
Securing your APIs with OAuth, OpenID, and OpenID Connect
Manish Pandit
 
Stateless authentication for microservices - GR8Conf 2015
Alvaro Sanchez-Mariscal
 
OAuth2 + API Security
Amila Paranawithana
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Jonathan LeBlanc
 
Securing RESTful Payment APIs Using OAuth 2
Jonathan LeBlanc
 

What's hot (20)

PDF
Pentesting RESTful webservices
Mohammed A. Imran
 
PPTX
A8 cross site request forgery (csrf) it 6873 presentation
Albena Asenova-Belal
 
PDF
CIS14: OAuth and OpenID Connect in Action
CloudIDSummit
 
PDF
Owasp eee 2015 csrf
Aurelijus Stanislovaitis
 
PDF
OAuth Tokens
n|u - The Open Security Community
 
ODP
Mohanraj - Securing Your Web Api With OAuth
fossmy
 
PPTX
A simple PHP LinkedIn OAuth 2.0 example
Mattia Reggiani
 
PPTX
Best Practices in Building an API Security Ecosystem
Prabath Siriwardena
 
PPTX
Secure Code Warrior - Issues with origins
Secure Code Warrior
 
PPTX
Owasp web security
Pankaj Kumar Sharma
 
PPTX
Oauth2 and OWSM OAuth2 support
Gaurav Sharma
 
PDF
Top 10 Web App Security Risks
Sperasoft
 
PPTX
Single-Page-Application & REST security
Igor Bossenko
 
PPTX
An Introduction to OAuth2
Aaron Parecki
 
PPTX
Token Authentication for Java Applications
Stormpath
 
PPTX
Transient client secret extension
Nat Sakimura
 
PPTX
O auth2.0 20141003
Syed Ali Raza
 
PDF
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
PDF
How to authenticate users in your apps using FI-WARE Account - Introduction
Javier Cerviño
 
PPT
Silicon Valley Code Camp 2009: OAuth: What, Why and How
Manish Pandit
 
Pentesting RESTful webservices
Mohammed A. Imran
 
A8 cross site request forgery (csrf) it 6873 presentation
Albena Asenova-Belal
 
CIS14: OAuth and OpenID Connect in Action
CloudIDSummit
 
Owasp eee 2015 csrf
Aurelijus Stanislovaitis
 
OAuth Tokens
n|u - The Open Security Community
 
Mohanraj - Securing Your Web Api With OAuth
fossmy
 
A simple PHP LinkedIn OAuth 2.0 example
Mattia Reggiani
 
Best Practices in Building an API Security Ecosystem
Prabath Siriwardena
 
Secure Code Warrior - Issues with origins
Secure Code Warrior
 
Owasp web security
Pankaj Kumar Sharma
 
Oauth2 and OWSM OAuth2 support
Gaurav Sharma
 
Top 10 Web App Security Risks
Sperasoft
 
Single-Page-Application & REST security
Igor Bossenko
 
An Introduction to OAuth2
Aaron Parecki
 
Token Authentication for Java Applications
Stormpath
 
Transient client secret extension
Nat Sakimura
 
O auth2.0 20141003
Syed Ali Raza
 
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
How to authenticate users in your apps using FI-WARE Account - Introduction
Javier Cerviño
 
Silicon Valley Code Camp 2009: OAuth: What, Why and How
Manish Pandit
 
Ad

Viewers also liked (6)

PPTX
The Upheaval of Open Commerce
Jonathan LeBlanc
 
PPTX
Patologia benigna de estomago
andrexcordoba
 
PPTX
Building on Social Application Platforms
Jonathan LeBlanc
 
PPTX
Facebook for the Floundering
Lesley Miller
 
PDF
OAuth2 and LinkedIn
Kamyar Mohager
 
PDF
Salem State College's Employee Handbook
Martha White
 
The Upheaval of Open Commerce
Jonathan LeBlanc
 
Patologia benigna de estomago
andrexcordoba
 
Building on Social Application Platforms
Jonathan LeBlanc
 
Facebook for the Floundering
Lesley Miller
 
OAuth2 and LinkedIn
Kamyar Mohager
 
Salem State College's Employee Handbook
Martha White
 
Ad

Similar to Securing RESTful APIs using OAuth 2 and OpenID Connect (20)

PDF
REST API Authentication Methods.pdf
Rubersy Ramos García
 
PPTX
Designing JavaScript APIs
Jonathan LeBlanc
 
PDF
Securing APIs with OAuth 2.0
Kai Hofstetter
 
PPTX
Securing APIs using OAuth 2.0
Adam Lewis
 
PPT
Securing RESTful API
Muhammad Zbeedat
 
PDF
API Security In Cloud Native Era
WSO2
 
PPTX
Devteach 2017 OAuth and Open id connect demystified
Taswar Bhatti
 
PDF
OAuth Base Camp
Oliver Pfaff
 
PDF
Understanding Authentication and Authorization in RESTful API: A Comprehensiv...
Institute
 
PPTX
Secure RESTful API Automation With JavaScript
Jonathan LeBlanc
 
PDF
Open Identity - getting to know your users
PayPal
 
PDF
Authentication and authorization in res tful infrastructures
Corley S.r.l.
 
PPTX
Protecting your APIs with Doorkeeper and OAuth 2.0
Mads Toustrup-Lønne
 
PDF
PayPal Access GDG DevFest
PayPal
 
PDF
O auth2.0 guide
Dilip Mohapatra
 
PPTX
Id fiware upm-dit
Joaquín Salvachúa
 
PDF
Beyond API Authorization
Jared Hanson
 
PPTX
OAuth
Adi Challa
 
PDF
Security for oauth 2.0 - @topavankumarj
Pavan Kumar J
 
PDF
Saadhvi Summit - oAuth Standards
Nirmal Kumar
 
REST API Authentication Methods.pdf
Rubersy Ramos García
 
Designing JavaScript APIs
Jonathan LeBlanc
 
Securing APIs with OAuth 2.0
Kai Hofstetter
 
Securing APIs using OAuth 2.0
Adam Lewis
 
Securing RESTful API
Muhammad Zbeedat
 
API Security In Cloud Native Era
WSO2
 
Devteach 2017 OAuth and Open id connect demystified
Taswar Bhatti
 
OAuth Base Camp
Oliver Pfaff
 
Understanding Authentication and Authorization in RESTful API: A Comprehensiv...
Institute
 
Secure RESTful API Automation With JavaScript
Jonathan LeBlanc
 
Open Identity - getting to know your users
PayPal
 
Authentication and authorization in res tful infrastructures
Corley S.r.l.
 
Protecting your APIs with Doorkeeper and OAuth 2.0
Mads Toustrup-Lønne
 
PayPal Access GDG DevFest
PayPal
 
O auth2.0 guide
Dilip Mohapatra
 
Id fiware upm-dit
Joaquín Salvachúa
 
Beyond API Authorization
Jared Hanson
 
OAuth
Adi Challa
 
Security for oauth 2.0 - @topavankumarj
Pavan Kumar J
 
Saadhvi Summit - oAuth Standards
Nirmal Kumar
 

More from Jonathan LeBlanc (20)

PDF
JavaScript App Security: Auth and Identity on the Client
Jonathan LeBlanc
 
PDF
Improving Developer Onboarding Through Intelligent Data Insights
Jonathan LeBlanc
 
PDF
Better Data with Machine Learning and Serverless
Jonathan LeBlanc
 
PPTX
Best Practices for Application Development with Box
Jonathan LeBlanc
 
PPTX
Box Platform Overview
Jonathan LeBlanc
 
PPTX
Box Platform Developer Workshop
Jonathan LeBlanc
 
PPTX
Modern Cloud Data Security Practices
Jonathan LeBlanc
 
PPTX
Box Authentication Types
Jonathan LeBlanc
 
PPTX
Understanding Box UI Elements
Jonathan LeBlanc
 
PPTX
Understanding Box applications, tokens, and scoping
Jonathan LeBlanc
 
PPTX
The Future of Online Money: Creating Secure Payments Globally
Jonathan LeBlanc
 
PDF
Modern API Security with JSON Web Tokens
Jonathan LeBlanc
 
PPTX
Creating an In-Aisle Purchasing System from Scratch
Jonathan LeBlanc
 
PDF
Secure Payments Over Mixed Communication Media
Jonathan LeBlanc
 
PDF
Protecting the Future of Mobile Payments
Jonathan LeBlanc
 
PDF
Node.js Authentication and Data Security
Jonathan LeBlanc
 
PDF
PHP Identity and Data Security
Jonathan LeBlanc
 
PPTX
Secure Payments Over Mixed Communication Media
Jonathan LeBlanc
 
PDF
Protecting the Future of Mobile Payments
Jonathan LeBlanc
 
PPTX
Future of Identity, Data, and Wearable Security
Jonathan LeBlanc
 
JavaScript App Security: Auth and Identity on the Client
Jonathan LeBlanc
 
Improving Developer Onboarding Through Intelligent Data Insights
Jonathan LeBlanc
 
Better Data with Machine Learning and Serverless
Jonathan LeBlanc
 
Best Practices for Application Development with Box
Jonathan LeBlanc
 
Box Platform Overview
Jonathan LeBlanc
 
Box Platform Developer Workshop
Jonathan LeBlanc
 
Modern Cloud Data Security Practices
Jonathan LeBlanc
 
Box Authentication Types
Jonathan LeBlanc
 
Understanding Box UI Elements
Jonathan LeBlanc
 
Understanding Box applications, tokens, and scoping
Jonathan LeBlanc
 
The Future of Online Money: Creating Secure Payments Globally
Jonathan LeBlanc
 
Modern API Security with JSON Web Tokens
Jonathan LeBlanc
 
Creating an In-Aisle Purchasing System from Scratch
Jonathan LeBlanc
 
Secure Payments Over Mixed Communication Media
Jonathan LeBlanc
 
Protecting the Future of Mobile Payments
Jonathan LeBlanc
 
Node.js Authentication and Data Security
Jonathan LeBlanc
 
PHP Identity and Data Security
Jonathan LeBlanc
 
Secure Payments Over Mixed Communication Media
Jonathan LeBlanc
 
Protecting the Future of Mobile Payments
Jonathan LeBlanc
 
Future of Identity, Data, and Wearable Security
Jonathan LeBlanc
 

Recently uploaded (20)

PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Cloud computing and distributed systems.
kkkkkhan
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Teaching material agriculture food technology
LiaRayya
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 

Securing RESTful APIs using OAuth 2 and OpenID Connect

  • 1. Securing RESTful APIs Using OAuth 2 and OpenID Connect Jonathan LeBlanc (@jcleblanc) Global Head of Developer Evangelism at PayPal
  • 2. Why do we Need This?
  • 3. Poor Password Choices • 4.7% of users have the password password; • 8.5% have the passwords password or 123456; • 9.8% have the passwords password, 123456 or 12345678; • 14% have a password from the top 10 passwords • 40% have a password from the top 100 passwords • 79% have a password from the top 500 passwords • 91% have a password from the top 1000 passwords
  • 4. …And of What’s Left 1. Pet’s name 2. Significant dates (like a wedding anniversary) 3. Date of birth of close relation 4. Child’s name 5. Other family member’s name 6. Place of birth 7. Favorite holiday 8. Something related to favorite football team 9. Current partner’s name
  • 8. App Revoked by User App Revoked by Service Provider
  • 9. Path to the Standard
  • 11. Rise of the Token
  • 12. Two Widely Used Specifications
  • 14. How Requests are Made curl -v https://api.sandbox.paypal.com/v1/payments/payme nt -H "Content-Type:application/json" -d '{ "intent": "sale", "payer": { ... }, "transactions": [{ "amount": { ... } }] }'
  • 15. How Auth is Added in curl -v https://api.sandbox.paypal.com/v1/payments/payment -H "Content-Type:application/json" -H "Authorization: Bearer {accessToken}" -d '{ "intent": "sale", "payer": { ... }, "transactions": [{ "amount": { ... } }] }'
  • 16. Attack Vectors Man in the Middle Replay Attacks Cross-Site Request Forgery (CSRF)
  • 18. Reasons for Auth Rate Limiting and Attack Vector Protection Having the ability to revoke application access Needing to allow users to revoke an applications access to their data
  • 19. When You Need Access Security
  • 22. Redirect the User to Log In Prepare the Redirect URI Authorization Endpoint client_id response_type (token) scope redirect_uri Browser Redirect Redirect URI
  • 23. Fetching the Access Token Fetch the Access Token Access Token Endpoint client_id grant_type client_secret code HTTP POST Access Token Endpoint
  • 24. Fetching the Access Token curl https://api.sandbox.paypal.com/v1/oauth2/token -H "Accept: application/json" -H "Accept-Language: en_US" -u "EOJ2S-Z6OoN_le_K:S1d75wsZ6y0SFd…" -d "grant_type=client_credentials"
  • 25. Access Token Response { "scope": "https://api.paypal.com/v1/payments/.* https://api.paypal.com/v1/vault/credit-card", "access_token": "EEwJ6tF9x5WCIZDYzyZGaz6K…", "token_type": "Bearer", "app_id": "APP-6XR95014SS315863X", "expires_in": 28800 }
  • 26. Using the Access Token Fetch Privileged Resources Resource Endpoint Token Type (Authorization header) Access Token (Authorization header) HTTP GET / PUT / POST / DELETE Resource Endpoint
  • 27. Using the Access Token curl -v https://api.sandbox.paypal.com/v1/payments/payment -H "Content-Type:application/json" -H "Authorization:Bearer EMxItHE7Zl4cMdkv…" -d "{...}"
  • 29. Defining APIs with WADL / WSDL
  • 30. <?xml version="1.0" encoding="UTF-8"?> <description xmlns="http://www.w3.org/ns/wsdl" ...> <types> … </types> <interface name="Interface1"> … </interface> <binding name="HttpBinding" interface="tns:Interface1”> <operation ref="tns:Get" whttp:method="GET"/> </binding> <binding name="SoapBinding" interface="tns:Interface1" …> <operation ref="tns:Get" /> </binding> <service name="Service1" interface="tns:Interface1"> <endpoint name="HttpEndpoint" binding="tns:HttpBinding" address="http://www.example.com/rest/"/> <endpoint name="SoapEndpoint" binding="tns:SoapBinding" address="http://www.example.com/soap/"/> </service> </description>
  • 31. <?xml version="1.0"?> <application xmlns:xsi=…> <grammars> <include href="NewsSearchResponse.xsd"/> <include href="Error.xsd"/> </grammars> <resources base="http://api.search.yahoo.com/NewsSearchService/V1/"> <resource path="newsSearch"> <method name="GET" id="search"> <request> <param name="appid" type="xsd:string" required="true"/> <param name="query" type="xsd:string" required="true"/> </request> <response status="400"> <representation mediaType="application/xml" element="ya:Error"/> </response> </method> </resource> </resources> </application>
  • 32. Genio (templates) https://github.com/paypal/genio Genio Parser (model builder) https://github.com/paypal/genio-parser Genio Samples https://github.com/paypal/genio-sample Building SDKs Automatically
  • 33. Final Considerations REST and OAuth are specifications, not religions Don’t alienate your developers with security Open source is your friend
  • 34. Thank You! Questions? http://slideshare.net/jcleblanc Jonathan LeBlanc (@jcleblanc) Global Head of Developer Evangelism at PayPal