1. https://appdevelopermagazine.com/iot
  2. https://appdevelopermagazine.com/top-5-tips-for-restful-apis-and-closing-the-loop-on-oauth2.0/
5/8/2015 9:31:20 AM
Top 5 Tips for RESTful APIs and Closing the Loop on OAuth2.0
IoT,RESTful API,OAuth2.0,Access Token,C++Builder
App Developer Magazine
Top 5 Tips for RESTful APIs and Closing the Loop on OAuth2.0


Top 5 Tips for RESTful APIs and Closing the Loop on OAuth2.0

Friday, May 8, 2015

Brian Alexakis Brian Alexakis

Many of the devices and gadgets that comprise the Internet of Things require that end users sync data to cloud services via a 1st party app. End user data is then exposed to developers over a RESTful API from the hardware vendor cloud services. It is up to each vendor to implement the OAuth2 protocol and define their own RESTful API for their service and as such there is no single solution for how to connect, authorize, and eventually consume end user data.

This top five list is to help equip you with the tools and knowledge needed to analyze how a vendor implements OAuth2.0, how to interface with RESTful APIs, and ultimately gain access to end user data.

#5 - Definitions of OAuth2.0 Authorization Framework

The OAuth2.0 Authorization Framework spec is defined by the IETF in RFC 6749. The goal of OAuth2.0 is to decouple resource owner (end user) credentials from their resources (end user data). A separate set of credentials are supplied by the resource server (vendor cloud services) to the client (3rd party application) which grants access to resources. This effectively enables 3rd party apps to access end user data without having to store their user name and password.

All OAuth transactions occur over HTTP.

Within the context of IoT vendors, OAuth2.0 defines four roles as such:

resource owner
This represents the end-user that uses a 1st party app to sync IoT data to a vendor’s cloud service. The vendor cloud service must then provide a mechanism for the resource owner to grant access to a protected resource. This is typically done through the vendor’s web portal login gateway.

resource server
A vendor cloud service that is capable of identifying and processing valid access tokens in exchange for access to a protected resource. A protected resource will typically be end user data that represents sensor or other data collected by IoT gadgets and devices.

This is the application a 3rd party developer will create that will ultimately consume end-user data (protected resource) on behalf of the end user (resource owner). This application can live as a desktop app, mobile app, middleware, other enterprise services, or even on a Thing itself.

authorization server
The vendor cloud service that is capable of issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.

An access token is defined by the RFC 6749 standard as: "a string denoting a specific scope, lifetime, and other access attributes. Access tokens are issued to third-party clients by an authorization server with the approval of the resource owner. The client uses the access token to access the protected resources hosted by the resource server."

#4 Protocol Flow - Obtaining Access Token

One way for the resource owner (end-user) to provide authorization to the app is to use the Web Browser Component which allows input of username and password to the resource server (vendor cloud service). For a working example of this process, see my blog post on consuming the MISFIT REST API.

In order to access a protected resource, the client must include an access token as part of the RESTful API call. The following steps are a generic outline for obtaining a valid access token as defined by the RFC 6749 standard.

A. The client requests authorization from the resource owner. The authorization request can be made directly to the resource owner or preferably indirectly via the authorization server as an intermediary.

B. The client receives an authorization grant, which is a credential representing the resource owner's authorization, expressed using one of four grant types defined in this specification or using an extension grant type. The authorization grant type depends on the method used by the client to request authorization and the types supported by the authorization server.

C. The client requests an access token by authenticating with the authorization server and presenting the authorization grant.

D. The authorization server authenticates the client and validates the authorization grant, and if valid, issues an access token.

E. The client requests the protected resource from the resource server and authenticates by presenting the access token.

F. The resource server validates the access token, and if valid, serves the request.

#3 Locally Store Access Token

Once a valid access token is obtained, it is a good idea to save that access token to the protected internal storage of the client device. Working with INI files to store access tokens has the advantage of streamlining the reading and writing of data using the TIniFile class. Using an INI file helps avoid having to acquire a new access token every time the client application runs.

Before using a stored access token to make a RESTful API calls to obtain a protected resource, first make a test call to ensure that the token is still valid. If it is not valid, the client application should re-initiate the access token request process and then update the validated access token in the INI file.

Embarcadero Technologies RAD Studio XE8 streamlines loading and deploying files via the System.IOUtils unit which makes creating, updating, and deleting INI files very straight forward for both Object Pascal and C++.

Take care to not store the INI file in a publicly addressable or shared file space on the client device. On Android, for example, the INI file should be placed in assets\internal.
In C++, a handle to the file can be obtained.

IniFilePath = System::Ioutils::TPath::Combine(
System::Ioutils::TPath::GetDocumentsPath(), "vendor_service.ini");

Ini = new TIniFile(IniFilePath);

Once a handle to the INI file is obtained the contents can be queried.

AccessToken = Ini->ReadString( "VendorServiceName", "accessToken", "" );

Once a valid access token is obtained you are ready to make calls to a RESTful API service.

#2 Use the Embarcadero REST Debugger and REST Components for RESTful API Calls

The REST Debugger is built on top of the REST Library, which is a framework for accessing REST-based web services (REST stands for Representational State Transfer). 

The REST Debugger allows developers to make ad hoc RESTful API calls and easily spelunk through any returned JSON blobs. The REST Debugger is capable of generating REST components which can be directly copy and pasted into the RAD Studio XE8 IDE. This is a very convenient, fast, and powerful approach to prototype and build REST integration and tie in functionality with your application.

Here is a great collection of learning resources pertaining to the REST Debugger and Rest Components from Embarcadero Technologies.

There are also a number of blog entries and videos that dive into the details of using both the REST Debugger and the REST Client Library:

#1 Use a Middleware Solution to Aggregate Data

Vast amounts of data are being generated by IoT gadgets and devices which creates opportunities for new and meaningful kinds of analytics. IoT data analytics creates a new revenue stream for the vendor. Even though end user data (protected resources) is made open and available over RESTful API calls, the access can be limited.

When it comes to consuming a protected resource, not all vendors will expose end user data in the same way. Some will have rate limits to the number of RESTful API calls and others will restrict the date range allowing queries to only go back, for example, 30 days.
This can cause problems to client applications that need to have robust access to end user data. Limitations placed by the vendor on RESTful API calls can completely break the deep functionality desired by a client application. To help solve this problem, and to truly own end user data, a middle ware solution can be introduced to create an aggregated data source.

The Enterprise Mobility Services(EMS) is a new turnkey solution for today’s interconnected, distributed apps, offering an easy to deploy middleware server that hosts loadable custom API and data access modules. It’s based on open and standard technologies, including REST HTTP calls and JSON data formats, and provides major SQL database drivers along with an encrypted embedded and server SQL database. With its user management and authentication with user and API analytics, Enterprise Mobility Services is ideal for enabling secure access from mobile apps to Enterprise Databases. EMS is a middleware solution that is stateless, restful, scalable, and secure.

As new data is generated by a given IoT device, the EMS Server can consume the vendor RESTful API and on regular intervals to obtain a copy the newly generated protected resources. Relying on your own RESTful API layer will ensure that your Enterprise will have unfettered access to all of the protected resources within the system.

For more information on Embarcadero’s EMS Server, please check out these resources:

Read more: http://www.embarcadero.com/?cid=701G0000001Rrya
This content is made possible by a guest author, or sponsor; it is not written by and does not necessarily reflect the views of App Developer Magazine's editorial staff.

Subscribe to App Developer Magazine

Become a subscriber of App Developer Magazine for just $5.99 a month and take advantage of all these perks.


  • - Exclusive content from leaders in the industry
  • - Q&A articles from industry leaders
  • - Tips and tricks from the most successful developers weekly
  • - Monthly issues, including all 90+ back-issues since 2012
  • - Event discounts and early-bird signups
  • - Gain insight from top achievers in the app store
  • - Learn what tools to use, what SDK's to use, and more

    Subscribe here