Title of invention: Managing API authorization
Abstract: Multiple variants of an API can coexist through API management by using metadata in a pre-processing and post-processing system to weed out requests to which a client does not have permission and return parameters that do not belong with the API request variant. Metadata is added to request objects such that an instance of a request object may be examined to determine a request handler to properly inspect the request object and recommend further processing or rejection of the instance. Metadata may also be added to a response object created as a result of processing the request object such that a response handler may be identified to ensure the fields match the proper response to the request object. The API may be dynamically managed at the point of request and also at the point of return rather than a statically coded whitelist checked multiple times within the code itself.
Publication number: US9280686(B1) Publication date: 2016.03.08
Application number: US201414331083 Application date: 2014.07.14
Applicant: Amazon Technologies, Inc. Inventors: Fuller Erik J.;Daniels Francois N.;Eriksson Neil A.
Classification: G06F21/00;G06F21/62;H04L29/06 Main classification: G06F21/00
Agency: Kilpatrick Townsend & Stockton LLP Agent: Kilpatrick Townsend & Stockton LLP
Main claim: 1. A computer-implemented method for managing an Application Programming Interface (API) access, comprising: maintaining, by one or more computer systems, a set of input parameters available to users of an application programming interface; receiving, from a client, a variant of a request through the application programming interface, the variant of the request including a subset of the set of input parameters, the application programming interface supporting multiple variants of the request; constructing a request object based at least in part on the variant of the request, the request object having a first metadata dynamically indicating a pre-processor to invoke before processing the request; invoking the indicated pre-processor, the pre-processor configured to determine if the client has permission to use the subset of the set of input parameters included in the variant of the request; when the pre-processor determines that the client has permission to use the subset of the set of input parameters included in the variant of the request: processing, by the one or more computer systems, the request object to form a return object based at least in part on the variant of the request and a plurality of authorization-controlled fields, the return object having a second metadata and a plurality of return fields and indicating a post-processor to invoke before processing the request, wherein the return object is formed based on the request object upon determining that each parameter of the set of input parameters is authorized; invoking the indicated post-processor based at least in part of second metadata, the post-processor configured to process the plurality of return fields in accordance with the variant of the request; communicating the plurality of return fields to the client; and when the pre-processor determines that the client lacks permission to use the variant of the request, rejecting the variant of the request that is properly formed but lacking permission as if the variant of the request were improperly formed.
Address: Reno NV US
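The flow the abstract and claim 1 describe can be sketched as follows. This is an added illustration, not code from the patent or from the applicant: the parameter names, client grants, field sets and handler names are all constructed assumptions, and the backend in `process` deliberately returns every field so that filtering happens only in the post-processor.

```python
from dataclasses import dataclass, field

# Constructed data: parameter names, clients and field sets are illustrative.
ALL_PARAMS = {"order_id", "include_cost", "include_notes"}
GRANTS = {"partner": {"order_id", "include_cost"}, "public": {"order_id"}}
VARIANT_FIELDS = {"basic": {"order_id", "status"}, "costed": {"order_id", "status", "cost"}}

class BadRequest(Exception): pass  # one error for malformed and unauthorized alike

@dataclass
class RequestObject:
    client: str
    variant: str
    params: dict
    meta: dict = field(default_factory=dict)  # first metadata: names the pre-processor

@dataclass
class ReturnObject:
    fields: dict
    meta: dict = field(default_factory=dict)  # second metadata: names the post-processor

def param_acl(req):
    # Pre-processor: every supplied parameter must be granted to the client.
    if not set(req.params) <= GRANTS.get(req.client, set()):
        raise BadRequest("invalid request")  # same message as a malformed request

def variant_filter(req, ret):
    # Post-processor: keep only the return fields that belong to this variant.
    return {k: v for k, v in ret.fields.items() if k in VARIANT_FIELDS[req.variant]}

PRE = {"param_acl": param_acl}
POST = {"variant_filter": variant_filter}

def build_request(client, params):
    if "order_id" not in params or not set(params) <= ALL_PARAMS:
        raise BadRequest("invalid request")
    variant = "costed" if params.get("include_cost") else "basic"
    return RequestObject(client, variant, params, {"pre": "param_acl"})

def process(req):
    data = {"order_id": req.params["order_id"], "status": "shipped",
            "cost": 12.5, "notes": "constructed internal note"}
    return ReturnObject(data, {"post": "variant_filter"})

def handle(client, params):
    req = build_request(client, params)
    PRE[req.meta["pre"]](req)        # handler chosen from request metadata
    ret = process(req)
    return POST[ret.meta["post"]](req, ret)  # handler chosen from return metadata
```

Because the unauthorized and malformed paths raise the same error with the same message, a client cannot use the rejection to learn which parameters exist but are withheld from it.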