OCLC Developer Network

News

Syndicate content

xID new features

We added a few new features to xID service: - xISSN now supports ISSN-L and RSSURL field, such as http://xissn.worldcat.org/webservices/xid/issn/1095-9203?method=getMetadata&fl=issnl,rssurl ISSN-L data is obtained from ISSN agency, and rssurl is obtained from ticTOCS. xISSN also adds values to both data set, for example, xISSN automatically adds RSSURL to all ISSNs in same group. - xOCLCNUM now supports OCLC workid, such as: http://xisbn.worldcat.org/webservices/xid/oclcnum/55847258?fl=owi And you can query by workid as well: http://xisbn.worldcat.org/webservices/xid/owi/owi718389 I highly recommend using "owi[0-9]" in its whole format when you came upon workid, this will be very helpful for identifying workid from any web pages and facilitates interoperability and mashup. For more information, please check xISSN and xOCLCNUM API.
Submitted by lxming on Thu, 06/11/2009 - 3:30pm
in

"Good APIs" JISC study released: on making companionable forms

Marieke Guy of JISC (UK) has released the long-anticipated "Good APIs" study, in two parts:
  • Report 1: JISC Good APIs Management Report: "a background to API use in the UK HE [Higher Education] sector, the potential benefits of the provision of APIs and the challenges this provision can instigate. The report also reviews potential problems developers can face when using third-party APIs."
  • Report 2: API Good Practice: "provides a number of good practice techniques for provision of and consuming APIs. The content of this report is based primarily on feedback provided from the developer community."
What came through strongly for me in this report was ease of use:
"make sure that there is a low barrier to access. The maximum entry requirements should be a login (username and password) which then emails out a link.

"If you need to use a Web API key make it straightforward to use. You should avoid the bottle neck of user authorisation, an overly complex or non-standard authentication process. One option is publish a key that anyone can use to make test API calls so that people can get started straight away. Another is to provide a copy of the service for developers to use that is separate from your production service. You could provide a developer account, developers will need to test your API so try to be amenable."

On the down side, I think the framing/title, "Good APIs", leads to a conceptual confusion between the notions of "API" vs. "Web Service". In some places, the JISC discussion is about the Service -- for example, finding out what users need first. In other places, the report recommendations are clearly about APIs specifically, for example when they talk about method naming conventions. I would argue that, to speak clearly about this domain, one needs to distinguish between these two concepts, and use the terms deliberately. So, a Web Service is a Web-based application oriented towards machine transactions. On the other hand, an API, or Application Programming Interface (not "Program" Interface), is a well-defined method for accessing a Service. (the machine-usability characteristic of APIs is mainly a consequence of this well-definedness). As an analogy, Web Services are like local or long-distance phone service, whereas the API is like a phone jack. A Service can have many APIs, like the various ways one might connect to long-distance phone service. Also, the mere existence of an API does not necessarily mean that the service behind it does something worthwhile, or does it with sufficient quality or reliability to meet your needs. A real, production-quality Service includes not only API(s) but documentation, a service-level agreement, performance benchmarks, and support. Finally, it's worth noting that a Web Service, in the general sense, might be delivered to users via means we wouldn't call APIs: for example, by depositing an updated Linked Data set to a public data repository. The problems with using "API" to mean Web Service include the following, in my opinion:
  1. it confuses the wrapper for the package;
  2. it tends to a view of Web Services as just simple data services, request-in and data-out -- which is only one type of WS, and often the least valuable.
  3. It focuses attention on implementation detail, rather than the user- or business value of the actual service.
  4. It hides the fact that a useful service might well, over time, have a number of different APIs implemented for it, as different usages, protocols, and environments emerge.
  5. it tends to make people think of Web Services as just a matter of "exposing" some data or functions from an existing application.
Also, speaking of APIs separates us from the dominant technical and standards discussions, and rigorous term definitions, which center around the W3C and its Web Services program

I know, it might seem to be quibbling, to focus on terms. However, I've seen over and over that major issues are often decided in the choice of framing and vocabulary, rather than in the "actual" discussion that follows.

In any case, check out Marike's well-done and nicely consultative report, and learn more about how to make Web Services be, in Coleridge's famous phrase, "companionable forms."

Submitted by admin on Tue, 06/09/2009 - 11:27am
in

The Cult of Done

Developers Bre Pettis and Kio Stark have rocketed to Web fame recently with their "Cult of Done" manifesto: 13 rules for fast building, learning, finishing, and getting onto the next do. The manifesto, as author and work-life pundit Daniel Pink remarked, "has been flying around the productivity geek crowd on the web". (yes, there is such a crowd: see also Lifehacker.com, read Getting Things Done (WorldCat, Amazon). Below is the manifesto, but do check out also the very cool poster accompanying it.
  1. There are three states of being. Not knowing, action and completion.
  2. Accept that everything is a draft. It helps to get it done.
  3. There is no editing stage.
  4. Pretending you know what you're doing is almost the same as knowing what you are doing, so just accept that you know what you're doing even if you don't and do it.
  5. Banish procrastination. If you wait more than a week to get an idea done, abandon it.
  6. The point of being done is not to finish but to get other things done.
  7. Once you're done you can throw it away.
  8. Laugh at perfection. It's boring and keeps you from being done.
  9. People without dirty hands are wrong. Doing something makes you right.
  10. Failure counts as done. So do mistakes.
  11. Destruction is a variant of done.
  12. If you have an idea and publish it on the internet, that counts as a ghost of done.
  13. Done is the engine of more.
Submitted by admin on Wed, 06/03/2009 - 3:32am
in

A Web Services Taxonomy: not all about the data

[full version of article A Web Services Taxonomy (PDF 84k)] A Web Service, according to a standard definition, is "a software system designed to support interoperable machine-to-machine interaction over a network." 1 To put it another way, a Web Service is some useful service offered (usually) on the Internet, designed as a sort of building block you can use any way you want. So, for example, Google Maps, a free service that dynamically draws maps of any location and locates addresses, has been used by thousands of people to build new services such as crime-report maps and real-estate listing tools, Another way to wrap your mind around Web Services is to consider a range of well-known ones and what they do. That's what the chart below does, with services such as Paypal, Google, Twitter, and Sabre, the airline-reservations system. (click on chart to see full-size): Web-Services-Taxonomy-chart_2 This chart represents a taxonomy, or classification, of Web Services, constructed by characterizing all services according to two factors:
  1. Data quality: from simple/commodity to complex/unique
  2. Transaction level: from basic lookup to real-world transaction.
The full version of this article, A Web Services Taxonomy (PDF 84k), defines what is meant by those terms, and discuss representative examples of Services that exhibit varying degrees of these characteristics. Based on this, I suggest that the Services with the most usage, customer value, and/or revenues typically have more complex/unique data, and/or are more transactional. See also the above chart in full size, or the full article (PDF 84k).
Submitted by admin on Fri, 05/29/2009 - 4:23am
in

WorldCat Mashathon a huge success

Amsterdam Mashathon PhotoThanks to everyone who participated in the Mashathon and followed us on tweets.

Submitted by alicesneary on Fri, 05/22/2009 - 9:15am
in

WorldCat Mashathon starts tomorrow

Amsterdam Mashathon LocationWe're getting ready for the WorldCat Mashathon today. Yesterday I was traveling, and then Ralph M. from the Leiden office and I started in on the details.

Submitted by alicesneary on Tue, 05/12/2009 - 11:47am
in

Come Mash with us in Amsterdam

We are pleased to announce the WorldCat Mashathon registration for Amsterdam is now open. Here is the *official* announcement: Join fellow coders for the WorldCat Mashathon in Amsterdam, May 13-14. Sponsored by the OCLC Developer Network and International Institute of Social History (IISH), the two-day event will be held Wednesday and Thursday at IISH headquarters in Amsterdam. The European Mashathon follows on the heels of a previous WorldCat Hackathon in New York City. Participants will spend the two days brainstorming and coding mash-ups with local systems, OCLC Web Services, and many other Web Services to embellish existing, and create new, library services. WorldCat includes national catalogues from the Netherlands, the UK, Ireland, Iceland, Germany, Sweden, Finland, Denmark, France, Spain, Switzerland, Czech Republic, Lithuania, Russia and many more--so there are plenty of potential uses and apps just waiting to happen. Why attend the WorldCat Mashathon?
Submitted by alicesneary on Wed, 04/08/2009 - 6:19pm
in

Introduction to Information Cards

Information Cards introduce a new paradigm in on-line authentication that replaces conventional Username and Password login. The new paradigm is based on the very familiar 'real world' experience of presenting credentials. When I want to purchase something and I don't have cash; I present a credit card. When I want to rent a car I pull out my driver's license and when I want to borrow a book from the library I pull out my library card. Despite the number of cards I may have in my wallet; 3 credit, 1 debit, healthcare, dental care, library, 3 museum memberships, 2 frequent flyer, etc... It is very easy and intuitive for me to select the right card at the right time. The mechanics of trust that 'real life' cards represent is also interesting. When I present my driver's license, the 'claims' on the card; age, address, etc... are packaged in such a way that the person looking at the card can establish 'trust'. They can compare the picture on the card to my face. They can compare the age represented on the card to their view of how old I am; they can compare the eye-color listed to my eyes. Finally, they can identify the state that issued the card. The trust mechanics dictate that: The card does not appear to have been tampered with. The photo to face matching indicates that this card was issued to this person by the State of California. I trust the State of California I can therefore trust the claims on this card. The interesting thing to note is that there is no need for trust to be established between the person presenting the card and the person accepting the card. The person accepting the card only has to trust the State that issued the card; even though the state isn't present, or in any way involved in the transaction. This is similar with credit card processing; a shop keeper doesn't trust you to give them money 'later' ("I'll gladly pay you Tuesday for a hamburger today"), but they do trust Visa, the issuer of the card. Information Cards bring this paradigm and these mechanics to our online experience. When you login to a web site with Information Cards (I-Cards) you are asked to select an I-Card from your virtual wallet. The analogy isn't perfect so the wallet, otherwise known as; The Card Selector, has some smarts to make things easier. The Card Selector, which is a piece of 'secure' software running on your machine, remembers places that you have logged in before. Each time you start to log into a site that you haven't logged into before, you get an informational dialog that tells you about the site you are logging into. This largely eliminates concerns about 'phishing' attacks, scams where a site pretends to be a site it's not to get your username and password. Even if a site manages to fool you into logging in with an I-Card ; they don't get something they can use somewhere else. When you click on the 'login' link, the site you are trying to log into tells your computer what it wants to know about you. If you are trying to leave a blog comment that might just be a nickname, if you are trying to purchase beer it might be a claim that you are over 18 years of age. When the wallet opens, only those cards that are capable of satisfying the sites 'policy' (what the site wants to know) are selectable. This interaction means that the user doesn't have to go through and select from ALL their cards every time they login, the choice comes down to selecting from one or two for any given context; Visa or American Express? If you want to play with Information Cards the best place to start would be http://www.azigo.com/icards.html this site is provided by Parity Inc.; THE leaders in implementing this technology. If you click through the Equifax Card sign-up process you will have the Card Selector installed and get your first i-Card, one that can 'prove' you are over 18 (if you are) without exposing any other information about you. The Minuteman Library Network is the first Library Card i-Card project and probably of special interest to the readers of this blog; I am working on this project and will keep you informed of its progress.
Submitted by admin on Wed, 03/11/2009 - 10:40am
in

OCLC at Code4Lib

Most of my fellow OCLC Developer Network staffers are still at Code4Lib soaking up all the great ideas, making technology intersections and creating new possibilities for library development projects.

Submitted by alicesneary on Thu, 02/26/2009 - 12:29pm
in

What is SSO?

One of the hottest issues in Identity Management is often referred to as SSO; Single Sign-On. However it is a horribly misunderstood and misused term. I will try to give a brief overview of what SSO is and isn't. What most people mean when they say SSO is the user experience of accessing multiple services and systems but only having to 'log-in' once. On the face of it SSO sounds great but there are some pitfalls that we have to be wary of. If we aren't very careful, the 'ease' of SSO is bought at the cost of privacy. The type of SSO that I am going to explore is the "HTTP Redirect" SSO mechanisms that are widely deployed for SSO on the web. This includes OpenID, Shibboleth (Web SSO), SAML (WebSSO), FaceBook, Yahoo! and Google, to name a few. These protocols differ in many details and have different strengths and weaknesses but they all share the same underlying HTTP Redirect mechanism. The basic pattern is this: 1. Jane navigates to a web-site and she wants to log-in using a username and password that support SSO. 2. Jane clicks on the 'login' button on the page. 3. Jane has to tell the web-site who her SSO service provider is. This is known as the Where Are You From problem, otherwise known as WAYF. More about WAYF in a moment. 4. Once Jane has told the web-site who her SSO service is; a HTTP Redirect is sent to the browser to send Jane off to her SSO service. 5. At her SSO service Jane is asked to provide her UserName and Password. 6. If Jane convinces the SSO service that she is, in fact, Jane, then she is returned (via HTTP Redirect) to the original web-site with a 'token' that says "I am SSO service XYZ and I believe this is Jane" 7. The web-site and SSO service communicate in such a way that the web-site can validate that this is really SSO service XYZ talking AND if it knows and trusts service XYZ it can go ahead and accept that this is Jane. At this point we have performed 3rdParty Authentication or Federated Sign-On NOT SSO. 8. Having done what she came to do Jane now navigates to another web-site. 9. When Jane arrives at the second web-site she is NOT recognized as being logged in. This site has no knowledge who she is or that she has logged in somewhere else before. If Jane wants to access 'protected' resources at this web-site she is going to have to click on the log-in button. 10. Again Jane will be asked Where Are You From and she will select her SSO service provider. 11. The web-site will then send Jane off to her SSO provider asking... "Who is this?" 12. Because Jane logged into her SSO service just a few minutes earlier the SSO service doesn't ask Jane for a UserName and Password this time, it immediately returns back to the web-site with a 'token' that says "I am SSO service XYZ and I believe this is Jane" 13. The using the same trust validation as above the web-site can now believe that this is Jane And Jane only logged in ONCE... that is SSO. Jane still had to click on login twice and still had to provide her SSO service twice but she only Signed-On a Single time. There are variations in this flow, OpenID nicely shortcuts the double SSO service provider selection BUT you have to type in your UserName twice. The most common expectation of SSO that is not satisfied by the flow described is "why didn't the second site just 'know' that I had already logged in and who I was?" Apart from the fact that would be technically difficult the answer is actually that REALLY you wouldn't want that behavior... Once I explain why: If SSO worked that way, when you logged in once, everywhere you went on the internet would know who you are. Not just an IP address, they would be getting a message "here's Jane". All of the web-sites on the web could talk to each other and work out EXACTLY which sites you visited and which ones you didn't. That is generally considered to be a terrible breach of privacy. In order to avoid this privacy leak clicking 'login' remains an explicit action that the user must take. The action no longer means: "I want to enter my username and password" but now means "I'm OK telling this site who I am." There are ways for 'closely connected' sites to shortcut this experience. Handing a user from their Local Library System to the Consortia Meta-Search interface; a handoff that is between trusted parties; Janes identity CAN be passed from one service to the other providing the 'seamless' SSO that we would love to have. But you can't be sure that Jane was OK being identified at the second system unless you make the action explicit. As a service provider you have to make very careful choices between seamless SSO and user privacy. Rather than going on now:- You can tune in later for "SSO using Pair-Wise Identifiers to protect your privacy", "How and Why OpenID is different from Shibboleth Web SSO" , "Why you MUST trust your SSO service provider because they know a lot about you"... Please ask questions if I haven't been clear... Please let me know if you think I have said something misleading or wrong... I'm just trying to start a conversation here.
Submitted by admin on Tue, 02/10/2009 - 1:48pm
in

Follow the OCLC Developer Network:

The OCLC Developer Network supports the use of OCLC Web Services—a set of tools and APIs that expose data and services for WorldCat and our member libraries and partner institutions or companies. learn more »

© 2010 OCLC Domestic and international trademarks and/or service marks of OCLC Online Computer Library Center, Inc. and its affiliates


Powered by Drupal, an open source content management system