JCON2024: Java Diary of an Uber Driver

Transcript

1. Werner Keil Java Diary of an Uber Driver

2. © 2023-2024 Werner Keil. All rights reserved. #JCON2024 #EnterpriseSocial #Java

   jvm.social/@enterprisebook Agenda 1. Introduction 2. Standards & Specifications 3. Uber Rides SDKs 4. Demos 5. Links & Resources 6. Q&A

3. © 2023-2024 Werner Keil. All rights reserved. #JCON2024 #EnterpriseSocial #Java

   jvm.social/@enterprisebook Who am I? Werner Keil • Consultant – Coach • Creative Cosmopolitan • Open Source Evangelist • Software Architect • Author, Speaker • Maintenance Lead – JSR 354, 385 • Jakarta EE Specification Committee Member [www.linkedin.com/in/catmedia]

4. © 2023-2024 Werner Keil. All rights reserved. #JCON2024 #EnterpriseSocial #Java

   jvm.social/@enterprisebook Uber Open Source Motivation • Uber has contributed to open source projects from its early days onward • Many foundations of Uber’s technology stack are based on open source projects • Some areas of contribution ̶ Machine Learning / AI ̶ Infrastructure ̶ Visualization

5. © 2023-2024 Werner Keil. All rights reserved. #JCON2024 #EnterpriseSocial #Java

   jvm.social/@enterprisebook Uber Open Source Principles • Support vs. Direct • Facilitate vs. Govern • Enable vs. Block • Adapt vs. Enforce • Distributed vs. Centralized

6. © 2023-2024 Werner Keil. All rights reserved. #JCON2024 #EnterpriseSocial #Java

   jvm.social/@enterprisebook Uber Open Source Selection of Projects • Apache Hundi • AresDB • AutoDispose • AVS • Base Web • Cadence • Casual ML • Deck.gl, kepler.gl, vis.gl

7. © 2023-2024 Werner Keil. All rights reserved. #JCON2024 #EnterpriseSocial #Java

   jvm.social/@enterprisebook Uber Open Source Selection of Projects (2) • Fusion.js • H3 • Horovod • Jaeger Tracing • Kraken • Ludwig • M3 • Makisu

8. © 2023-2024 Werner Keil. All rights reserved. #JCON2024 #EnterpriseSocial #Java

   jvm.social/@enterprisebook Uber Open Source Selection of Projects (3) • Marmaray • NullAway • Orbit • Peleton • Petastorm • Pyro • RIBs • Uber Poet

9. Standards

10. © 2023-2024 Werner Keil. All rights reserved. #JCON2024 #EnterpriseSocial #Java

    jvm.social/@enterprisebook OAuth OAuth is a protocol to delegate rights for an application to act on behalf of a user who granted its rights without giving away their login / password Developed by Twitter, Magnolia and Google, it was made standard by IETF in April 2010 under RFC 5849 Version 2.0, simpler to use but often criticized by its too many implementations was standardized in October 2012 under RFC 6749 and 6750. It’s already used by many actors (Social Networks like Facebook, Google, Microsoft as well as most API providers ) History

11. © 2023-2024 Werner Keil. All rights reserved. #JCON2024 #EnterpriseSocial #Java

    jvm.social/@enterprisebook OAuth Overview • An Authorization/Delegation Framework • Standardized by RFC6749 ̶ RFC 6750 using bearer tokens ̶ RFC 6819 Security considerations • On a foundation of Token standards ̶ JSON Object Signing Encryption (JOSE) ̶ JWT (RFC7519), JWS (RFC7515), JWE (RFC7516), JWA (RFC7518), JWK (RFC7517)

12. © 2023-2024 Werner Keil. All rights reserved. #JCON2024 #EnterpriseSocial #Java

    jvm.social/@enterprisebook OAuth Concepts • Actors ̶ Resource Owner ̶ Client ̶ Resource, Resource server ̶ Authorization Server • Authorizations represented as ‘scopes’

13. © 2023-2024 Werner Keil. All rights reserved. #JCON2024 #EnterpriseSocial #Java

    jvm.social/@enterprisebook OAuth Dance Creating an application in the OAuth service Initialization: the right granting phase also called the OAuth Dance. At the end of the dance we obtain an access token (formed by a public and secret part) for the next step Signature: each request is signed with access token and token identifying the OAuth application that was granted the rights OAuth has 3 steps

14. © 2023-2024 Werner Keil. All rights reserved. #JCON2024 #EnterpriseSocial #Java

    jvm.social/@enterprisebook OpenID Connect (OIDC) Overview • Authentication Protocol built on OAuth2 • Session Management – Single Sign on, Out • An additional Token Type – ID Token • UserInfo, Discovery, Client Self-registration Endpoints • Specs : OpenID core, Discovery, Client Registration

15. Specifications

16. © 2023-2024 Werner Keil. All rights reserved. #JCON2024 #EnterpriseSocial #Java

    jvm.social/@enterprisebook Jakarta Security Creating Secure Applications • Standardize Terminology • API for Authentication mechanism • API for Identity Store • API for Security Context • API for Role/Permission Assignment

17. © 2023-2024 Werner Keil. All rights reserved. #JCON2024 #EnterpriseSocial #Java

    jvm.social/@enterprisebook Security – Identity Store Overview • Abstract the Identity Store used by an application • Simple configuration • Support a variety of Identity stores ̶ Lightweight k-v development stores ̶ Traditional stores – LDAP, DB ̶ Cloud-specific stores e.g. Social Logins, 3rd-party Cloud Identity providers

18. © 2023-2024 Werner Keil. All rights reserved. #JCON2024 #EnterpriseSocial #Java

    jvm.social/@enterprisebook Security – Identity Store Features • Orderable to support multiple identity stores • Abstraction to support variety of credential types like ̶ Username/Password ̶ OAuth Client ID & Secret or JWT Tokens • Consistent API regardless of container • Enables Application to determine ̶ User’s identity ̶ Identity Provider that was used to establish identity ̶ Which groups or roles the user belongs to

19. © 2023-2024 Werner Keil. All rights reserved. #JCON2024 #EnterpriseSocial #Java

    jvm.social/@enterprisebook Security – Context Definition // Security Context public interface SecurityContext{ Principal getCallerPrincipal(); <T extends Principal> Set<T> getPrincipalsByType(Class<T> pType); boolean isCallerInRole(String role); boolean hasAccessToWebResource(String resource, String... methods); AuthenticationStatus authenticate(HttpServletRequest request, HttpServletResponse response, AuthenticationParameters parameters); }

20. © 2023-2024 Werner Keil. All rights reserved. #JCON2024 #EnterpriseSocial #Java

    jvm.social/@enterprisebook Security – Context Testing for Access // Consider the following Servlet definition @WebServlet("/protectedServlet") @ServletSecurity(@HttpConstraint(rolesAllowed = "foo")) public class ProtectedServlet extends HttpServlet { ... } // And the following call to hasAccessToWebResource() securityContext.hasAccessToWebResource("/protectedServlet", GET) Returns true only if the caller is in role "foo".

21. Uber Rides SDKs

22. © 2023-2024 Werner Keil. All rights reserved. #JCON2024 #EnterpriseSocial #Java

    jvm.social/@enterprisebook Uber Rides The Uber Rides API allows you to request Uber products from your own (Enterprise) application. If you know where a user is, where they want to go, and which Uber product they want to use for their journey. The Uber Rides SDKs (for Java, Android, Python or iOS) wrap these API endpoints into a rich domain model. The Uber API sandbox provides development endpoints for testing the functionality of an application without making calls to the production environment. All requests made to the sandbox environment will be volatile and cause no cost. Overview

23. © 2023-2024 Werner Keil. All rights reserved. #JCON2024 #EnterpriseSocial #Java

    jvm.social/@enterprisebook Uber Rides Features • Reserve an upfront fare for a Ride Request • Make a Ride Request • Get a Ride Request Status • Request Details • Get a Map for a Ride Request • Cancel a Ride Request Both synchronous and asynchronous calls work due to the networking stack of the Uber SDK powered by Retrofit 2, offering the same model of threading.

24. © 2023-2024 Werner Keil. All rights reserved. #JCON2024 #EnterpriseSocial #Java

    jvm.social/@enterprisebook Uber Rides SDK Synchronous // Sync Response<UserProfile> response = service.getUserProfile().execute(); if (response.isSuccessful()) { //Success UserProfile profile = response.body(); } else { //Failure ApiError error = ErrorParser.parseError(response); }

25. © 2023-2024 Werner Keil. All rights reserved. #JCON2024 #EnterpriseSocial #Java

    jvm.social/@enterprisebook Uber Rides SDK Asynchronous // Async service.getUserProfile().enqueue(new Callback<UserProfile>() { @Override public void onResponse(Call<UserProfile> call, Response<UserProfile> response) { if (response.isSuccessful()) { //Success UserProfile profile = response.body(); } else { //Api Failure ApiError error = ErrorParser.parseError(response); } } …

26. © 2023-2024 Werner Keil. All rights reserved. #JCON2024 #EnterpriseSocial #Java

    jvm.social/@enterprisebook Uber Rides SDK Asynchronous … @Override public void onFailure(Call<UserProfile> call, Throwable t) { //Network Failure } });

27. © 2023-2024 Werner Keil. All rights reserved. #JCON2024 #EnterpriseSocial #Java

    jvm.social/@enterprisebook Uber Rides Unlike many other API providers like Google, Meta, etc. which offer a largely self-service app definition, at least in their “sandbox” environments, Uber does not offer any working scopes for your apps, until a detailed and somewhat lengthy vetting process has finished. It seems, potential API consumers have to undergo background-check much like drivers, where the safety of users justifies those measure, while it stifles the possible adoption of Uber APIs and also goes against its own open source principles, especially “Enable vs. Block”. Word of Caution

28. © 2023-2024 Werner Keil. All rights reserved. #JCON2024 #EnterpriseSocial #Java

    jvm.social/@enterprisebook Demo Time @ivar_grimstad @wernerkeil

29. © 2023-2024 Werner Keil. All rights reserved. #JCON2024 #EnterpriseSocial #Java

    jvm.social/@enterprisebook Java Enterprise Social Book I wrote a book “Enterprise Social for the Java Platform” (Apress, 2024) link.springer.com/book/10.1007/978-1-4842-9571-7 Examples on GitHub: github.com/Apress/enterprise-social-java-platform Mastodon Account: @[email protected]

30. © 2023-2024 Werner Keil. All rights reserved. #JCON2024 #EnterpriseSocial #Java

    jvm.social/@enterprisebook Resources • github.com/Apress/enterprise-social-java-platform • https://jakarta.ee/ • Uber Developers • github.com/uber/rides-java-sdk • github.com/uber/rides-android-sdk

31. Q&A

32. Thank You