Interoperability model for the Public Administration

API Design

Global design

General considerations on API design

Introduction to service interfaces
A service therefore consists of an activity, or a series of activities, of a more or less intangible nature, which take place in an exchange between a supplier and a customer, in which the object of the transaction is an intangible asset.
Paradigms of cooperation
Data sharing, Inter public administration notification, inter public administration composition
SOAP
REST
Message broker
Comparative considerations (REST vs SOAP vs Message broket)
Other approches (Distributed data stores, open data)
Paradigms for the design of service interfaces (RPC-like vs resource oriented)
Perimeter of service interfaces
So each application server offers service interfaces, however it is still significant to distinguish whether the service interface is offered to interoperate within the domain..., towards other administrations or other subjects with whom a relationship of trust is established ... or externally....
Technical recommendations for REST
Technical recommendations for SOAP
The european context
The European Interoperability Framework (EIF) provides guidance to European public administrations on how to operate initiatives related to the issue of interoperability;

API Lifecycle

Governance

How to ensure API governance (advertise, consistency, …)

Asynchronicity

How to handle long operations

Message broker
Non blocking profile
In the following chapter the non-blocking interaction profiles will be shown, in which a user submits a request and this is only taken in charge immediately, while its satisfaction can take place in a deferred manner.
Non-blocking RPC PUSH profiles (callback based)
This particular case, called RPC PUSH, can be used if the user in turn has the possibility to expose a service interface for receiving replies.
Non-blocking profile RPC PULL (busy waiting)
the provider provides a searchable address to verify the processing status of a request

Collection Resources

Collection

What is a collection (set) of resources

Resource collections can use plural names
Code structured data with JSON objects
the payload of a response containing more than one entry returns an object containing a list and not directly a list.

Data

Standards data

Which standard use for values like languages, countries, currencies, …

Use the properties according to standard nomenclatures

Error handling

Errors

How to handle errors

Use the Problem JSON scheme for error responses

HTTP Methods

HTTP methods

General information about HTTP methods usage

Directions for use (REST)
The REST service interface must use the HTTP verb most suitable for the operation as indicated in RFC 7231
Message broker
Although, depending on the implementations, the different REST service interfaces for accessing message brokers differ in functionality offered and ways of modeling queues, topics / subscriptions, the following behaviors of HTTP methods can be abstracted

GET

The GET method requests a representation of the specified resource. Requests using GET should only retrieve data and should have no other effect.

Directions for use (REST)
The REST service interface must use the HTTP verb most suitable for the operation as indicated in RFC 7231
Message broker
the GET method is used to consume messages from queues and topics / subscriptions;
REST interface processing rules

The HEAD method asks for a response identical to that of a GET request, but without the response body. This is useful for retrieving meta-information written in response headers, without having to transport the entire content.

Directions for use (REST)
The REST service interface must use the HTTP verb most suitable for the operation as indicated in RFC 7231

PATCH

The PATCH method applies partial modifications to a resource.

REST interface processing rules

PUT

The PUT method requests that the enclosed entity be stored under the supplied URI. If the URI refers to an already existing resource, it is modified; if the URI does not point to an existing resource, then the server can create the resource with that URI.

Directions for use (REST)
The REST service interface must use the HTTP verb most suitable for the operation as indicated in RFC 7231
Message broker
The PUT method is usually used to modify the properties of topic / subscriptions and queues.
REST interface processing rules

POST

The POST method requests that the server accept the entity enclosed in the request as a new subordinate of the web resource identified by the URI. The data POSTed might be, for example, an annotation for existing resources; a message for a bulletin board, newsgroup, mailing list, or comment thread; a block of data that is the result of submitting a web form to a data-handling process; or an item to add to a database.

Directions for use (REST)
The REST service interface must use the HTTP verb most suitable for the operation as indicated in RFC 7231
Message broker
the POST method is used for sending messages and creating topics / subscriptions and queues;
REST interface processing rules

DELETE

The DELETE method deletes the specified resource.

Directions for use (REST)
The REST service interface must use the HTTP verb most suitable for the operation as indicated in RFC 7231
Message broker
the DELETE method is used for deleting topics / subscriptions and queues and in some cases to signal the fact that a message has been consumed.
REST interface processing rules

HTTP Protocol

Caching

How to use and provide relevant caching informations

Directions for use (REST)
Where necessary, especially for caching and concurrent access to resources, ETag (of unique version identifiers of resources) should be leveraged
By default, http caching must be disabled

Content negociation and media types

How to describe your API data format and/or propose different formats (like json, yaml, xml atom, …)

HTTP Statuses

General information about HTTP statuses usage

REST interface processing rules

HTTP Status Success

200 OK

Standard response for successful HTTP requests. The actual response will depend on the request method used. In a GET request, the response will contain an entity corresponding to the requested resource. In a POST request, the response will contain an entity describing or containing the result of the action.

REST interface processing rules

201 Created

The request has been fulfilled, resulting in the creation of a new resource.

REST interface processing rules

204 No Content

The server successfully processed the request and is not returning any content.

REST interface processing rules

HTTP Status User Error

404 Not Found

The requested resource could not be found but may be available in the future. Subsequent requests by the client are permissible.

REST interface processing rules

405 Method Not Allowed

A request method is not supported for the requested resource; for example, a GET request on a form which requires data to be presented via POST, or a PUT request on a read-only resource.

REST interface processing rules

409 Conflict

Indicates that the request could not be processed because of conflict in the request, such as an edit conflict between multiple simultaneous updates.

REST interface processing rules

415 Unsupported Media Type

The request entity has a media type which the server or resource does not support. For example, the client uploads an image as image/svg+xml, but the server requires that images use a different format.

REST interface processing rules

422 Unprocessable Entity

The request was well-formed but was unable to be followed due to semantic errors.

Use the Problem JSON scheme for error responses
HTTP status 422 if the representation of the request is syntactically correct but semantically non-processable.

Hypermedia

How to use hypermedia

REST
According to this approach, by accessing a resource, the server's response contains hyperlinks to other actions that can be performed on the resource
Use absolute URIs in the results

Miscellaneous

Documentation

How to produce and/or propose API documentation

REST
For these reasons the ModI imposes the use of OpenAPI v3. An OpenAPI file allows you to describe the entire interface (available endpoints and operations on each endpoint, input and output parameters for each operation, authentication methods, contact information, license, terms of use, etc.).

Performance and bandwidth

How to deal with high traffic or consumers with low bandwith

Optimize bandwidth usage and improve responsiveness

Naming

Case

Which case (lowercase, camelCase, …) to use and when

The properties of JSON objects must have a consistent naming
snake_case camelCase

Naming

How to name things

Resources

Resource

General informations about resources

The concept of service
We can identify the types of properties, functional property, which expresses "what" we get from service; quality of the service, referring to characteristics (for example, delivery time) that specify benefits or perceived utility associated with the service; non-functional properties, expressing "how" the service is delivered to us.
CRUD Access to Resources

Retrieve resource partially

How to retrieve partially a resource

Optimize bandwidth usage and improve responsiveness
GET /resources/123?fields=(name,partner(name))

Retrieve resource

How to retrieve a resource

REST interface processing rules

Create resource

How to create resources

REST interface processing rules

Update resource

How to update a resource

REST interface processing rules

Delete resource

How to delete resources

REST interface processing rules

Security

Security concerns

Security concepts
the section focuses on the use of security protocols and techniques based on the manipulation of network messages. The section will also refer to how the security requirements can be variable depending on the application scenario and the use case.
Security
This document describes the security profiles identified by AgID that the providers must use to satisfy the needs expressed through functional and non-functional requirements.
Channel security and / or identification of organizations
User (consumer) access
Integrity of SOAP message
This profile extends IDAS01 or IDAS02 , adding to the communication between user and provider at the message level integrity of the message payload.
Integrity of REST message
This profile extends IDAR01 or IDAR02 , adding to the communication between user and provider at the message level integrity of the message payload.
Confidentiality and user (consumer) authentication
Non repudiation of transactions
REST API safety
JOSE, JWT
SOAP service safety
The Basic Security Profile 1.1, based on the WS-Security extension, suggests the use of SAML 2.0. As mentioned, with respect to authentication and authorization technologies, there are some application domains for which OAuth2 or OpenID are more appropriate.