-
Notifications
You must be signed in to change notification settings - Fork 18
[IDEMPOTENCY] Restore section about stale success responses. #78
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
rofrankel
wants to merge
11
commits into
main
Choose a base branch
from
idempotency-stale-success-responses
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
Show all changes
11 commits
Select commit
Hold shift + click to select a range
59db6d1
Adopt AEP-155: Idempotency
rofrankel 79cdf96
Address Yusuke's comments.
rofrankel 1aff7c1
Update aep/general/0155/aep.md
rofrankel bf854ce
lint
rofrankel f4573c2
Qualify proto-specific guidance.
rofrankel 30bb416
Update to reflect new common components and live discussion.
rofrankel 2b999ad
Minor rephrasing of list.
rofrankel 567c4ab
Clarify invalid `first_sent`.
rofrankel a146045
Remove section about stale success responses.
rofrankel df4fc37
[IDEMPOTENCY] Restore section about stale success responses.
rofrankel a77ed06
Update aep/general/0155/aep.md
rofrankel File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,154 @@ | ||
| # Idempotency | ||
|
|
||
| It is sometimes useful for an API to have a unique, customer-provided | ||
| identifier for particular requests. This can be useful for several purposes, | ||
| such as: | ||
|
|
||
| - De-duplicating requests from parallel processes | ||
| - Ensuring the safety of retries | ||
| - Auditing | ||
|
|
||
| The purpose of idempotency keys is to provide idempotency guarantees: allowing | ||
| the same request to be issued more than once without subsequent calls having | ||
| any effect. In the event of a network failure, the client can retry the | ||
| request, and the server can detect duplication and ensure that the request is | ||
| only processed once. | ||
|
|
||
| ## Guidance | ||
|
|
||
| APIs **may** add a `aep.api.IdempotencyKey idempotency_key` parameter to | ||
| request messages (including those of standard methods) in order to uniquely | ||
| identify particular requests. API servers **must not** execute requests with | ||
| the same `idempotency_key` more than once. | ||
|
|
||
| ```proto | ||
| message CreateBookRequest { | ||
| // The parent resource where this book will be created. | ||
| // Format: publishers/{publisher} | ||
| string parent = 1 [ | ||
| (google.api.field_behavior) = REQUIRED, | ||
| (google.api.resource_reference) = { | ||
| child_type: "library.example.com/Book" | ||
| }]; | ||
|
|
||
| // The book to create. | ||
| Book book = 2 [(google.api.field_behavior) = REQUIRED]; | ||
|
|
||
| // This request is only idempotent if `idempotency_key` is provided. | ||
| // | ||
| // This key will be honored for at least one hour after the first time it is | ||
| // seen by the server. | ||
| // | ||
| // The key is restricted to 36 ASCII characters. A random UUID is recommended. | ||
| aep.api.IdempotencyKey idempotency_key = 3 [ | ||
| (aep.api.field_info).minimum_lifetime = { seconds: 3600 } | ||
| ]; | ||
| } | ||
| ``` | ||
|
|
||
| - [`aep.api.IdempotencyKey`][] has a `key` and a `first_sent` timestamp. | ||
|
|
||
| - `key` is simply a unique identifier. | ||
|
|
||
| - Providing an idempotency key **must** guarantee idempotency. | ||
|
|
||
| - If a duplicate request is detected, the server **must** return one of: | ||
|
|
||
| - A response equivalent to the response for the previously successful | ||
| request, because the client most likely did not receive the previous | ||
| response. | ||
| - An error indicating that the `first_sent` field of the idempotency key is | ||
| invalid or cannot be honored (expired, in the future, or differs from a | ||
| previous `first_sent` value with the same `key`). | ||
| - An error, if returning an equivalent response is not possible. | ||
|
|
||
| For example, if a resource was created, then deleted, and then a | ||
| duplicate request to create the resource is received, the server **may** | ||
| return an error if returning the previously created resource is not | ||
| possible. | ||
|
|
||
| - APIs **should** honor idempotency keys for at least an hour. | ||
| - When using protocol buffers, idempotency keys that are UUIDs **must** be | ||
| annotated with a minimum lifetime using the extension | ||
| [`(aep.api.field_info).minimum_lifetime`][]. | ||
|
|
||
| - The `idempotency_key` field **must** be provided on the request message to | ||
| which it applies (and it **must not** be a field on resources themselves). | ||
|
|
||
| - The `first_sent` field can be used by API servers to determine if a key is | ||
| expired. API servers **must** reject requests with expired keys, and | ||
| **must** reject requests with keys that are in the future. When feasible, | ||
| API servers **should** reject requests that use the same `key` but have a | ||
| different `first_sent` timestamp. | ||
| - The `key` field **must** be able to be a UUID, and **may** allow UUIDs to | ||
| be the only valid format. The format restrictions for idempotency keys | ||
| **must** be documented. | ||
|
|
||
| - Idempotency keys **should** be optional. | ||
|
|
||
| ### Stale success responses | ||
|
|
||
| In some unusual situations, it may not be possible to return an identical | ||
| success response. For example, a duplicate request to create a resource may | ||
| arrive after the resource has not only been created, but subsequently updated; | ||
| because the service has no other need to retain the historical data, it is no | ||
| longer feasible to return an identical success response. | ||
|
|
||
| In this situation, the method **may** return the current state of the resource | ||
| instead. In other words, it is permissible to substitute the historical success | ||
| response with a similar response that reflects more current data. | ||
|
|
||
| ## Further reading | ||
|
|
||
| - For which codes to retry, see [AEP-194](https://aep.dev/194). | ||
| - For how to retry errors in client libraries, see | ||
| [AEP-4221](https://aep.dev/4221). | ||
|
|
||
| ## Rationale | ||
|
|
||
| ### Naming the field `idempotency_key` | ||
|
|
||
| The original content from which this AEP is derived defines a `request_id` | ||
| field; we define `idempotency_key` instead for two reasons: | ||
|
|
||
| 1. There is an [active Internet-Draft][idempotency-key-draft] to standardize an | ||
| HTTP header named `Idempotency-Key`. | ||
| 1. There may be edge cases in which separately identifying idempotent requests | ||
| is useful; `request_id` would be more appropriate for such use cases. For | ||
| example, an API producer might be testing the idempotency behavior of the | ||
| API server, and might want to issue multiple requests with the same | ||
| `idempotency_key` and trace the behavior of each request separately. | ||
|
|
||
| <!-- prettier-ignore-start --> | ||
| [idempotency-key-draft]: https://datatracker.ietf.org/doc/draft-ietf-httpapi-idempotency-key-header/ | ||
| [`aep.api.IdempotencyKey`]: https://buf.build/aep/api/file/main:aep/api/idempotency_key.proto#L21 | ||
| [`(aep.api.field_info).minimum_lifetime`]: https://buf.build/aep/api/file/main:aep/api/field_info.proto#L35 | ||
| <!-- prettier-ignore-end --> | ||
|
|
||
| ### Using UUIDs for request identification | ||
|
|
||
| When a value is required to be unique, leaving the format open-ended can lead | ||
| to API consumers incorrectly providing a duplicate identifier. As such, | ||
| standardizing on a universally unique identifier drastically reduces the chance | ||
| for collisions when done correctly. | ||
|
|
||
| ## Changelog | ||
|
|
||
| - **2023-12-20**: Adopt AEP from from Google's AIP with the following changes: | ||
| - Rename field from `request_id` to `idempotency_key` (plus some minor | ||
| releated rewording). | ||
| - Add a common component [`aep.api.IdempotencyKey`][] and use this rather | ||
| than `string` for the `idempotency_key` field; add related guidance about | ||
| `IdempotencyKey.first_seen`. | ||
| - Remove guidance about annotating `idempotency_key` with | ||
| `(google.api.field_info).format`. | ||
| - Add guidance about annotating `idempotency_key` with | ||
| [`(aep.api.field_info).minimum_lifetime`]. | ||
| - Update guidance about responses to be more explicit about success and error | ||
| cases, while allowing "equivalent" rather than identical responses for | ||
| subsequent requests. | ||
| - Temporarily removed the section about stale success responses, pending | ||
| further discussion. | ||
| - **2023-10-02**: Add UUID format extension guidance. | ||
| - **2019-08-01**: Changed the examples from "shelves" to "publishers", to | ||
| present a better example of resource ownership. | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| --- | ||
| id: 155 | ||
| state: approved | ||
| slug: idempotency | ||
| created: 2019-05-06 | ||
| placement: | ||
| category: requests | ||
| order: 60 |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Copying from #77 (comment) :
This behavior seems problematic, because such a response does not actually correlate with the request! What if the resource has subsequently been deleted, or made inaccessible? And even if the common case, how is a client to detect that they have received such a response?
Rather than silently replacing the no longer available appropriate response, I think it would be best to communicate that information. In HTTP terms, it would presumably be a 303 See Other response with a Location field identifying the URL to use for getting current state. And having provided that signal, it would then be possible as an optimization to also include that representation along with a Content-Location field, e.g.