Re: RFC 9205 - REST API versioning considered harmful.
Anders Rundgren <anders.rundgren.net@gmail.com> Thu, 14 March 2024 17:29 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=ietf.org@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF579C151098 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 14 Mar 2024 10:29:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.856
X-Spam-Level:
X-Spam-Status: No, score=-7.856 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=w3.org header.b="Ut6Dc5Lm"; dkim=pass (2048-bit key) header.d=w3.org header.b="naKnmA+y"; dkim=pass (2048-bit key) header.d=gmail.com header.b="lzFwpJyz"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cfAiFpU7hX0d for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 14 Mar 2024 10:29:42 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C007CC151096 for <httpbisa-archive-bis2Juki@ietf.org>; Thu, 14 Mar 2024 10:29:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=w3.org; s=s1; h=Subject:Content-Type:In-Reply-To:From:References:To:MIME-Version:Date :Message-ID:Cc:Reply-To; bh=QH7qR4XnZX6glfdk99w42EhKYeu31yYCVLKdKoAbTK8=; b=U t6Dc5Lm8zc0BLIONrCVzFJjOgKOvrS3XaNQGtIttSV68vQ3dOqh371Ez3NVGS1I8voH1O5s2Xoq86 30s30fJ+W3F8mJcsqmPWoyCDbVu8FLm+20ZSv2nRmLZ8RN33lvUIn0z6hfQrFe7XBXrz8UJLU0oRj 9j+JyAc3O5p/VBz5RP+pSGNjBPlPttbYC2uzu6GbdLF/ZN2+HGXeEw3zLO7R6iXKErORQojqGAx2/ jaGnqkzNQ3yIVM8XeGN3wbd/0JstnNfwXGDgnZ2uGE4ZxNBcrc7ZevynxxOf78l50QO4+WcNou0m0 PGELcSBp4WQ6XCdFMraJ5PWGuyVzQhRNA==;
Received: from lists by lyra.w3.org with local (Exim 4.94.2) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1rkorW-008UBP-98 for ietf-http-wg-dist@listhub.w3.org; Thu, 14 Mar 2024 17:27:26 +0000
Resent-Date: Thu, 14 Mar 2024 17:27:26 +0000
Resent-Message-Id: <E1rkorW-008UBP-98@lyra.w3.org>
Received: from pan.w3.org ([3.222.182.102]) by lyra.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <anders.rundgren.net@gmail.com>) id 1rkorT-008U9W-Qh for ietf-http-wg@listhub.w3.org; Thu, 14 Mar 2024 17:27:23 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=w3.org; s=s1; h=Content-Type:In-Reply-To:From:References:To:Subject:MIME-Version:Date :Message-ID:Cc:Reply-To; bh=QH7qR4XnZX6glfdk99w42EhKYeu31yYCVLKdKoAbTK8=; t=1710437243; x=1711301243; b=naKnmA+yilZTvIDBaLflvp+qN+yweoWVQDJpXZyPZlyFXNo cggfKspvvPkNHUgro+BQK53o3fxDcy2pPzXt0yyLdxCOiAQkEpTrmRvsQdhUl5+rGVWhz6gRYEX8x AThgP1r5gN4JhYd++W65yUCge738NypHEy/3MW0TyD0eTxrJX7nWa7F9wkYyU/EGaQdv2GP8msOLo IzNP9fg1OEGzEjBl1cweAsJTzYHmkdFAterLFY0csfHOcruaLQR8H6q0urk1JZG1b6BZflpn9gJOn FqLuU15cYmvHIv126gQOtOW9Yt1wgMESLDBgbsD9Jf/ysPsZwoqRaP7AtVi+d8dw==;
Received-SPF: pass (pan.w3.org: domain of gmail.com designates 2a00:1450:4864:20::131 as permitted sender) client-ip=2a00:1450:4864:20::131; envelope-from=anders.rundgren.net@gmail.com; helo=mail-lf1-x131.google.com;
Received: from mail-lf1-x131.google.com ([2a00:1450:4864:20::131]) by pan.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from <anders.rundgren.net@gmail.com>) id 1rkorT-00BK4o-01 for ietf-http-wg@w3.org; Thu, 14 Mar 2024 17:27:23 +0000
Received: by mail-lf1-x131.google.com with SMTP id 2adb3069b0e04-513d717269fso125236e87.0 for <ietf-http-wg@w3.org>; Thu, 14 Mar 2024 10:27:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1710437239; x=1711042039; darn=w3.org; h=content-transfer-encoding:in-reply-to:from:content-language :references:to:subject:user-agent:mime-version:date:message-id:from :to:cc:subject:date:message-id:reply-to; bh=QH7qR4XnZX6glfdk99w42EhKYeu31yYCVLKdKoAbTK8=; b=lzFwpJyz4iQQHDXpU+GRmaVrtyrHYV5zEakSQt9jTcqKeSHCsCQeQFAQDJqj2uVbdg 6t80rQ43KrP6g6akylKTODXKBSnGf+xnCZR0HFt6jYA7PaaSx+SFyg3YIuecrwJtCucY rgAxTXUjTWBts5hbQ1iJ6m6Hh0bkmtXyt6Hz8Nlb647dlbc3xaXakthtT4a7HtODRgp6 cey2y56hqmCKr0mJLNwv/gdj0s+zV8qZro6dDy4N+ZX1/x0W2FAfdAiNXhSOCQSUxtgh zLfOhs1NJWF0VYOOEWdgzwaglnQ875nYwl51ol9H4yeV874WecJhvdIf1vIQjgFUiphi XtYA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710437239; x=1711042039; h=content-transfer-encoding:in-reply-to:from:content-language :references:to:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=QH7qR4XnZX6glfdk99w42EhKYeu31yYCVLKdKoAbTK8=; b=lZYoHuyxdbvKIhG5lfwBzKaQ2DjTd/9Upirn02IYZYz/soXo5PIPjK14Ik7xuoG/io VbXIPJ8wCjpV7e0n9yrMMtY0SpEaZPplrvO+yYURnrcKck6fOn4r0U/4QoZdVk1L8eS3 NUrjNqxgvkGsjihSkNiAuMw5Hzn84IUoj3Kntxlb8jBGiXHsnk0V+wO7ABB82x/y7T/2 siaSyb1qM27CaeEY9I4sqqnxaS7tFHcw2ZcukAy7HoiH3lli4MX+Msn7q139B3QViDSZ NrWsxzNHSOov+Bh1rJWyvk6AWh8Qc6sfyVOX/Bmf9m1XPJpyVwBHDS9FHyXzcHkY5HSh 3SSw==
X-Forwarded-Encrypted: i=1; AJvYcCUxxY6fPuCZVVUOFq+OmJQYf9RQrOEtduVUDT8C9s1ont7dvbrI7ptVLhqaMziT1fNSeFTD2oV6fhWBez70h0rQMKGt
X-Gm-Message-State: AOJu0YzP59S/eUAykzFcoEK3NIkIYqZNDYYgdbP9mWJVa/lSW/GIQ5sJ IuqvXROVyQEaCEAX8w4W2wz/5ts4zKjzS+zvGj1YcgyB0HU4UaBWjqp6SpV3
X-Google-Smtp-Source: AGHT+IG78fmQ+uJdbWa0XVLoUKZSUOtIV3bTDGGylf44RNllc/XTCYfyE1QuNuSw8V8lZOhJejn66Q==
X-Received: by 2002:ac2:5229:0:b0:513:ad46:dc7d with SMTP id i9-20020ac25229000000b00513ad46dc7dmr575700lfl.61.1710437238510; Thu, 14 Mar 2024 10:27:18 -0700 (PDT)
Received: from ?IPV6:2a01:e0a:e1b:64b0:91d9:9ef:8d09:164a? ([2a01:e0a:e1b:64b0:91d9:9ef:8d09:164a]) by smtp.googlemail.com with ESMTPSA id z14-20020a05600c0a0e00b00413ebce316fsm3066647wmp.0.2024.03.14.10.27.17 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 14 Mar 2024 10:27:18 -0700 (PDT)
Message-ID: <a7243abe-8772-4dd3-90d9-ed9b6ba9dd30@gmail.com>
Date: Thu, 14 Mar 2024 18:27:17 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Eric J Bowman <mellowmutt@zoho.com>, Ietf Http Wg <ietf-http-wg@w3.org>
References: <18e36912a9a.107313d6f235.3971853298110295147@zoho.com>
Content-Language: en-US
From: Anders Rundgren <anders.rundgren.net@gmail.com>
In-Reply-To: <18e36912a9a.107313d6f235.3971853298110295147@zoho.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-W3C-Hub-DKIM-Status: validation passed: (address=anders.rundgren.net@gmail.com domain=gmail.com), signature is good
X-W3C-Hub-Spam-Status: No, score=-6.1
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, FREEMAIL_FROM=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: pan.w3.org 1rkorT-00BK4o-01 7b8d846df40e261d06b615f3d3d0f26f
X-Original-To: ietf-http-wg@w3.org
Subject: Re: RFC 9205 - REST API versioning considered harmful.
Archived-At: <https://www.w3.org/mid/a7243abe-8772-4dd3-90d9-ed9b6ba9dd30@gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/51880
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/email/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Hi Eric, Thank you for making me aware of RFC 9205! Alternative to REST API versioning: https://www.rfc-editor.org/rfc/rfc9205.html#name-discovering-an-applications I come to the same conclusion for a next generation of Open Banking: https://cyberphone.github.io/doc/research/casting-apis-in-stone.pdf PoC implementation: https://test.webpki.org/saturn-payerbank/authority Cheers, Anders On 2024-03-13 7:47, Eric J Bowman wrote: > Best practices means putting this in a positive light. I recently searched YouTube for "REST API versioning" and got a plethora of videos to choose from, all along the lines of how to pass a job interview to be a REST API developer. Point #1 is REST = CRUD, I'll tilt at that windmill some other day. Point #2 is REST APIs MUST be versioned. So I commented and got some creator feedback, which I'll anonymously re-use here. > > Honestly, I'm more geared towards writing a worst-practices document. I'm not ready to publish my actual text for RFC 9205, just soliciting feedback. Maybe we can address a couple of common arguments in favor of versioning, starting with the easy one: management decided /cart should be /carts, so we had to change our URI allocation scheme from .../v1/... to .../v2/... to reflect this change? > > Sigh. HTTP has a concept of redirection. On to a specific example of the "our data format changed" reasoning, this: > > payment mode: net banking > Bank name: Bank of America > > was changed to this: > > payment mode: NB > Bank name: BOA > > Sigh. HTTP is an application protocol with some wonderful features many developers miss out on. Say you're changing your API to deprecate some URIs, introduce others, and change from application/xml to application/json. Do you need to change your URI allocation scheme? No. The above change is not at the conceptual layer of resource definition, mapped to URIs. > > Deprecated URIs can redirect, or only Accept: application/xml. New URIs could only Accept: application/json. URIs carried over between versions can Accept: application/json, application/xml in that order, with the latter dropped at some future point in time. This allows for incremental change on the client and server sides, and if your resources are defined correctly, you don't need to version your URI allocation scheme. It probably has enough aliases to deal with anyway. > > In my case, any file or handle under /var/www may be accessed by one or more protocols including http, ftp, bittorrent, imap, and ya gotta love the kids bringing back gopher... There's already an aliasing issue beyond this, inherent to HTTP as used in the real world... it's been over 20 years since I've included 'www' in a URI, those aliases redirect because there's no 'www' subdomain in my DNS. But, in terms of sysadmin tradition, /var/www it is for shared-over-the-wire resources (even if they're just handles not files), regardless of protocol. > > So why square+ your number of HTTP URIs for v2, cube+ for v3, etc.? Yikes. Whole lotta symlinking going on behind-the-scenes, but has the definition of the underlying resource changed? Expanding BOA to Bank of America is at best a change in the schema applied to a known media type, at the representation level -- not the resource level. At worst, application/vnd.api.v{x}+json. If you're versioning your URIs, you're getting REST wrong because you've failed to apply what's probably the primary constraint -- identification of resources -- from which all else follows or none of it would make any sense. > > Don't make things hard on maintainers down the road. Ever tried updating PHP code for 8? It's like porting to another language, what with all the enforced syntax changes. Don't be PHP. Do... start by identifying your resources, at the abstract level which applies on the Internet regardless of protocol. What sets HTTP apart is representations -- embrace that. > > Do... here's where I have a problem, stating best practices in a positive way which implies the aforementioned don'ts. I'm all ears for a practical reason to version APIs like that, but all I get is weak sauce even from competent coders, somehow this is "received wisdom" on REST which certainly didn't come from Roy. Can the above real-world snippet be used in RFC 9205 to illustrate the sort of change best handled by media types, schema, or Accept headers? > > I won't name names of the BigCorp that versioned their API over this syntax change. It's become accepted common practice. > > -Eric > >
- RFC 9205 - REST API versioning considered harmful. Eric J Bowman
- Re: RFC 9205 - REST API versioning considered har… Anders Rundgren