Module 12 of 16 · 📖 4 min reading time · ⏱ 30 min total

FI-AE 12 Web Development — HTTP, REST, OAuth (EN)

Table of Contents (6 sections)
  1. Concepts and Background
  2. Architecture Diagram
  3. Practical Steps
  4. Common Pitfalls
  5. Further Resources
  6. Knowledge Check

FI-AE 12 Web Development — HTTP, REST, OAuth

This module covers the fundamentals of web communication with a focus on the HTTP protocol, REST architecture, and modern authentication methods. You will learn to understand Request/Response cycles, design RESTful services, and ensure your applications are protected by OAuth 2.0 and OpenID Connect.

Practical application of the concepts is emphasized, from implementing JWTs to securing APIs. Upon completion of this module, you will be able to develop robust, scalable web applications that meet modern security standards.

Concepts and Background

HTTP (Hypertext Transfer Protocol)
The standard protocol for transmitting data on the World Wide Web. Defines Request/Response methods (GET, POST, PUT, DELETE) and status codes (200 OK, 404 Not Found, 500 Internal Server Error).
REST (Representational State Transfer)
An architectural style for distributed systems that builds on the HTTP protocol. RESTful services utilize URI resources, standard methods, and stateless communication. The principles are Client-Server, Stateless, Cacheable, Uniform Interface, and Layered System.
OAuth 2.0
An authorization framework that grants clients access to user data without sharing credentials. Defines four main flows: Authorization Code, Implicit, Resource Owner Password Credentials, and Client Credentials.
JWT (JSON Web Token)
A compact, URL-safe token standard for transmitting claims between parties. Consists of three Base64url-encoded parts, Header, Payload, and Signature, separated by dots. Frequently used for authentication and information exchange in OAuth 2.0.
OpenID Connect (OIDC)
An identity layer built on OAuth 2.0. Enables clients to verify a user's identity and obtain basic profile information. Builds on the OAuth 2.0 Authorization Code Flow.

Architecture Diagram

sequenceDiagram
    participant K as Client (Webpage)
    participant A as Authentication Server
    participant R as Resource Server (API)
    
    K->>A: 1. Request with Client-ID and Redirect URI
    A->>K: 2. Redirect to login page
    K->>A: 3. Login with username/password
    A->>K: 4. Authorization Code
    K->>A: 5. Token request with code
    A->>K: 6. Access Token + ID Token
    K->>R: 7. API request with Access Token
    R->>K: 8. Protected resource

Practical Steps

  1. Understand HTTP basics: Use curl to test different HTTP methods.
    curl -X GET https://api.example.com/users
    This demonstrates a simple resource request.
  2. Design RESTful API endpoints: Structure your resources hierarchically and use HTTP methods semantically correctly.
    POST /api/orders
    {
      "customer_id": 123,
      "items": [{"product_id": 456, "quantity": 2}]
    }
    Creates a new order.
  3. Implement OAuth 2.0 Authorization Code Flow: Set up a Redirect URI in your client application and implement the token exchange logic.
  4. Validate JWTs: For each incoming request, verify the token's signature and expiration time.
    jwt.verify(token, 'your-secret-key', (err, decoded) => {
      if (err) throw new Error('Invalid Token');
      console.log(decoded);
    });
    Ensures the token is authentic.
  5. Configure CORS: Enable cross-origin requests for your API by setting appropriate headers.
    Access-Control-Allow-Origin: https://your-client-domain.com
    Access-Control-Allow-Credentials: true
    Allows requests from the named client origin only; never combine a wildcard origin with credentials.
  6. Implement API security: Protect sensitive endpoints with middleware that validates the Access Token.
    app.use('/api/protected', authenticateToken, (req, res) => {
      res.json({ message: 'Access granted' });
    });
    Ensures only authenticated users can access protected resources.

Common Pitfalls

Further Resources

Knowledge Check

Four questions for self-assessment; each is followed by the correct answer and an explanation.

Which of the following principles is not a core principle of the REST architectural style?
  • A) Stateless
  • B) Cacheable
  • C) Stateful
  • D) Uniform Interface

Correct Answer: C. Stateful is the opposite of Stateless; REST deliberately avoids keeping client session state on the server in order to increase scalability.

What is the main difference between OAuth 2.0 and OpenID Connect?
  • A) OAuth 2.0 is for authentication, OpenID Connect for authorization
  • B) OpenID Connect builds on OAuth 2.0 and adds an identity layer
  • C) OAuth 2.0 always requires JWTs, OpenID Connect does not
  • D) OpenID Connect is only suitable for mobile applications

Correct Answer: B. OpenID Connect is an extension of OAuth 2.0 specifically developed for user authentication, while OAuth 2.0 is primarily for authorization.

Which HTTP status code indicates successful acceptance and processing of a request, but with no information returned?
  • A) 200 OK
  • B) 201 Created
  • C) 204 No Content
  • D) 304 Not Modified

Correct Answer: C. The 204 No Content status code indicates that the server successfully processed the request and is not returning any content.