I'm working on a service that forwards/unifies our API calls to external platforms/services. For example, let's say that I don't want to handle posting to Facebook, Twitter, LinkedIn and Google+ at each user-facing service. So the user-facing services calls this API forwarder with a message, somehow specify the service to post to and on behalf of which user is the request coming from.

To forward the call successfully, I need to identify:

1. the calling service, for which I use the Authorization header.
2. the service to which to forward.
3. the user who initiated the request. I shouldn't store end user external service credentials (e.g. facebook tokens) in the calling service but in the forwarding service.

I have a few options on how to pass this data, and any input would be appreciated:

1. Specifiy service and user as sub-resouces in URL

/service/{externalServiceName}/user/{userReference}/Object/{objectId}

E.g. GET /service/facebook/user/uid123/posts/post345 This feels quite verbose to me.

2. Use query parameters.

/Object/{objectId}?service={externalServiceName}&user={userReference}

E.g. POST /posts?service=facebook&user=uid123

3. Overload the Authorization header with:

Bearer: <OAuth token>, Service: <serviceName>, User: <userReference>

Resulting in nice URLs (GET /posts/). This seems totally out of spec though.

4. Use custom headers:

X-APIUnify-Service: <serviceName>
X-APIUnify-User: <userReference>```

Again, with nice, short URLs (`POST /posts/post345`).

What do you think?
Thank you!

I'm working on a service that forwards/unifies our API calls to external platforms/services.

For example, let's say that I don't want to handle all possible actions (create post, retrieve post, edit post, list posts) for Facebook, Twitter, LinkedIn, Google+ at each user-facing service. So the user-facing services calls this API forwarder with a message, somehow specify the service to post to and on behalf of which user is the request coming from.

To forward the call successfully, I need to identify:

1. the calling service, for which I use the Authorization header.

2. the service to which to forward.

3. the user who initiated the request. I shouldn't store end user external service credentials (e.g. facebook tokens) in the calling service but in the forwarding service.

I have a few options on how to pass this data, and any input would be appreciated:

1. Specifiy service and user as sub-resouces in URL

/service/{externalServiceName}/user/{userReference}/Object/{objectId}

E.g. GET /service/facebook/user/uid123/posts/post345 This feels quite verbose to me.

2. Use query parameters.

/Object/{objectId}?service={externalServiceName}&user={userReference}

E.g. POST /posts?service=facebook&user=uid123

3. Overload the Authorization header with:

Bearer: <OAuth token>, Service: <serviceName>, User: <userReference>

Resulting in nice URLs (GET /posts/). This seems totally out of spec though. Turns out specifying multiple values for a header separated by comma is in the spec.

4. Use custom headers:

X-APIUnify-Service: <serviceName>
X-APIUnify-User: <userReference>

Again, with nice, short URLs (POST /posts/post345).

5. Use a mix of custom headers and resources in URL:

GET 
Authorization: Bearer: <OAuth token>, User: <userReference>
/{externalServiceName}/Object/{objectId}

This makes sense to me because: 1. the userReference is actually a second layer of authorization anyway. 2. The service is the resource that owns the Object. I.e. the same objectId can point to different resources in different services.

6. Use JWT to pass the service and user, signed with the calling service secret.

JWT.payload = {
  "callingServiceId": "5aafcd909c9a25054c3019e3",
  "externalServiceName: "facebook",
  "userReference": "uid123",
  "iat": 1521638763
}
Authorization: Bearer: <JWT>

Thank you!