wso2con eu 2015: api management strategies and best practices
TRANSCRIPT
● An API is a business capability delivered over the Internet to internal or external consumers
  ○ A network-accessible function
  ○ Available using standard web protocols
  ○ With well-defined interfaces
  ○ Designed for access by third parties
● A Managed API is:
  ○ Actively advertised and subscribe-able
  ○ Available with SLAs
  ○ Secured, authenticated, authorized and protected
  ○ Monitored and monetized with analytics
● API Creator - designs, implements, manages and versions the API
● API Publisher - publishes and promotes the API and encourages consumers to adopt it
● API Consumer - an application developer who understands the API interface definition
Richardson Maturity Model
Read more in http://martinfowler.com/articles/richardsonMaturityModel.html
Swagger
Swagger is a simple yet powerful representation of your RESTful API.
Why do I need it?
Securing an API
OAuth 2.0
● Has become the de-facto standard for API Security
● Primarily operates on an Access Token
● Introduces Grant Types and Token Types
● The OAuth 2.0 specification defines 4 major grant types
  ○ Authorization Code
  ○ Implicit
  ○ Resource Owner Password Credentials
  ○ Client Credentials
Authorization Code Grant
• Recommended for web applications or native mobile applications capable of spawning a web browser
Access Control with Scopes
• OAuth 2.0 Scopes: a mechanism to control what access tokens can do with Resources
Defining a Scope
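To make the two preceding slides concrete (the authorization code grant, and scope-based access control at the gateway), here is an added example that is not part of the original deck and not WSO2 API Manager code. It simulates both sides of the exchange in one process: an authorization server that issues a single-use code bound to the client and redirect URI, exchanges it for a bearer token carrying scopes, and an introspection-style gateway check that maps each resource to a required scope. The client id, secret, redirect URI, resource paths and scope names are constructed for the demo.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class AuthorizationServer:
    """Minimal in-memory OAuth 2.0 authorization server (demo only)."""
    clients: dict                       # client_id -> {"secret", "redirect_uri"}
    codes: dict = field(default_factory=dict)
    tokens: dict = field(default_factory=dict)

    def authorize(self, client_id, redirect_uri, scope, resource_owner):
        # Called after the resource owner has logged in and consented in the browser.
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": set(scope.split()), "user": resource_owner,
                            "expires": time.time() + 60}      # codes are short-lived
        return code

    def token(self, client_id, client_secret, code, redirect_uri):
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("client authentication failed")
        grant = self.codes.pop(code, None)                    # single use: a replay finds nothing
        if grant is None or grant["expires"] < time.time():
            raise PermissionError("invalid or expired code")
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise PermissionError("code was issued to a different client or redirect_uri")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"scope": grant["scope"], "user": grant["user"],
                                     "expires": time.time() + 3600}
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": 3600, "scope": " ".join(sorted(grant["scope"]))}

    def introspect(self, access_token):
        info = self.tokens.get(access_token)
        if info is None or info["expires"] < time.time():
            return {"active": False}
        return {"active": True, "scope": " ".join(sorted(info["scope"])),
                "username": info["user"]}


# Constructed resource-to-scope mapping, the kind of thing a publisher defines per API.
RESOURCE_SCOPES = {
    ("GET", "/placeFinder/1.0.0/places"): "places:read",
    ("POST", "/placeFinder/1.0.0/places"): "places:write",
}


def gateway_check(auth_server, authorization_header, method, path):
    """Decide a request as the gateway would: returns (HTTP status, reason)."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 401, "missing bearer token"
    info = auth_server.introspect(authorization_header[len("Bearer "):])
    if not info["active"]:
        return 401, "invalid token"
    required = RESOURCE_SCOPES.get((method, path))
    if required is None:
        return 404, "unknown resource"
    if required not in info["scope"].split():
        return 403, f"token lacks scope {required}"
    return 200, f"ok for {info['username']}"


def demo():
    srv = AuthorizationServer(clients={
        "app2": {"secret": "demo-secret", "redirect_uri": "https://app2.example/cb"}})
    # Front channel: the browser comes back to the redirect URI with the code.
    code = srv.authorize("app2", "https://app2.example/cb", "places:read", "sumedha")
    # Back channel: the application exchanges the code, authenticating with its secret.
    tok = srv.token("app2", "demo-secret", code, "https://app2.example/cb")
    hdr = "Bearer " + tok["access_token"]
    results = {
        "read": gateway_check(srv, hdr, "GET", "/placeFinder/1.0.0/places")[0],
        "write": gateway_check(srv, hdr, "POST", "/placeFinder/1.0.0/places")[0],
        "no_token": gateway_check(srv, None, "GET", "/placeFinder/1.0.0/places")[0],
    }
    try:
        srv.token("app2", "demo-secret", code, "https://app2.example/cb")   # replayed code
        results["replay"] = "accepted"
    except PermissionError:
        results["replay"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The token carries only the scope the user consented to, so the same token that passes the GET is refused on the POST with 403 rather than 401: the caller is authenticated, just not authorized for that resource.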
Throttling API Usage
• Why do you need to throttle?
• “Rate Limiting”
• Let's see how to throttle API usage with API Manager (demo)
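As an added illustration of the throttling slide (this is not the deck's demo and not API Manager's throttling implementation), the following token-bucket limiter enforces a per-minute quota per application and API, with the quota chosen by subscription tier. The tier names follow the deck's "Silver" example; the numeric limits and the clock values are constructed for the demo, and the clock is passed in so the behaviour is deterministic.

```python
from dataclasses import dataclass

# Constructed tier table: requests allowed per minute. Real tiers are configured by the publisher.
TIER_LIMITS = {"Gold": 20, "Silver": 5, "Bronze": 1}


@dataclass
class Bucket:
    capacity: float       # maximum burst (tokens)
    tokens: float         # tokens currently available
    refill_per_sec: float
    last: float           # time of the last refill


class Throttler:
    """Token-bucket rate limiter keyed by (application, api)."""

    def __init__(self, tier_limits=TIER_LIMITS):
        self.tier_limits = tier_limits
        self.buckets = {}

    def allow(self, app, api, tier, now):
        """Return (allowed, retry_after_seconds) for one request at time `now`."""
        limit = self.tier_limits[tier]
        key = (app, api)
        b = self.buckets.get(key)
        if b is None:
            b = self.buckets[key] = Bucket(limit, limit, limit / 60.0, now)
        # Refill proportionally to elapsed time, never beyond capacity.
        b.tokens = min(b.capacity, b.tokens + (now - b.last) * b.refill_per_sec)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True, 0.0
        # Tell the client how long until one token is available (Retry-After).
        return False, (1.0 - b.tokens) / b.refill_per_sec


def demo():
    t = Throttler()
    burst = [t.allow("app2", "/placeFinder", "Silver", now=0.0) for _ in range(7)]
    allowed = sum(1 for ok, _ in burst if ok)
    retry_after = next(wait for ok, wait in burst if not ok)
    later = [t.allow("app2", "/placeFinder", "Silver", now=25.0) for _ in range(3)]
    return {
        "burst_allowed": allowed,                       # 5 of 7 pass the Silver limit
        "burst_rejected": len(burst) - allowed,         # 2 are throttled
        "retry_after": round(retry_after),              # 12 s per token at 5/min
        "after_25s_allowed": sum(1 for ok, _ in later if ok),  # ~2 tokens refilled
    }


if __name__ == "__main__":
    print(demo())
```

A throttled request should answer with an explicit status and a Retry-After hint rather than being silently dropped; that keeps well-behaved clients from tightening the loop, and the rejection counts per application are themselves useful input to the analytics discussed later in the deck.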
JWT Token
Header:
  {
    "typ": "JWT",
    "alg": "NONE"
  }
Payload:
  {
    "iss": "wso2.org/products/am",
    "exp": 1345183492181,
    "http://wso2.org/claims/subscriber": "admin",
    "http://wso2.org/claims/applicationname": "app2",
    "http://wso2.org/claims/apicontext": "/placeFinder",
    "http://wso2.org/claims/version": "1.0.0",
    "http://wso2.org/claims/tier": "Silver",
    "http://wso2.org/claims/enduser": "sumedha"
  }
• When should you use a JWT token?
• What does it look like?
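The sample token above has "alg":"NONE", i.e. the header says it is unsigned, so a backend that reads the claims directly is trusting whatever arrives on the wire. The following added example (not from the deck, and not WSO2's JWT generator or any WSO2 library) shows what the receiving service should do instead: pin one expected algorithm, verify the signature, check the issuer and expiry, and only then use the claims. It assumes the gateway and backend share an HS256 key (a constructed demo key here) and, following the 13-digit exp value in the sample, treats exp as milliseconds since the epoch; RFC 7519 specifies seconds, so adjust the comparison to whatever the deployment actually emits.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

ISSUER = "wso2.org/products/am"
# Constructed shared secret for the demo; a real backend would hold the gateway's verification key.
DEMO_KEY = b"demo-shared-secret-not-for-production"

# Claims copied from the slide's sample payload.
SAMPLE_CLAIMS = {
    "iss": ISSUER,
    "exp": 1345183492181,
    "http://wso2.org/claims/subscriber": "admin",
    "http://wso2.org/claims/applicationname": "app2",
    "http://wso2.org/claims/apicontext": "/placeFinder",
    "http://wso2.org/claims/version": "1.0.0",
    "http://wso2.org/claims/tier": "Silver",
    "http://wso2.org/claims/enduser": "sumedha",
}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(claims: dict, key: Optional[bytes]) -> str:
    """Build a JWT; key=None yields the unsigned {"alg":"NONE"} form shown on the slide."""
    header = {"typ": "JWT", "alg": "HS256" if key else "NONE"}
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    if key is None:
        return f"{h}.{p}."
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes, now_ms: int) -> dict:
    """Return the claims only if the token is signed with the pinned algorithm and still valid."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    # Pin the algorithm: NONE, or any algorithm other than the one configured, is refused.
    if header.get("alg") != "HS256":
        raise ValueError(f"unacceptable alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if int(claims.get("exp", 0)) <= now_ms:          # exp assumed to be in milliseconds
        raise ValueError("token expired")
    return claims


def demo(now_ms: int = SAMPLE_CLAIMS["exp"] - 60_000) -> dict:
    signed = encode_jwt(SAMPLE_CLAIMS, DEMO_KEY)
    h, p, s = signed.split(".")
    # Payload swapped for a higher tier while keeping the original signature.
    forged = dict(SAMPLE_CLAIMS, **{"http://wso2.org/claims/tier": "Gold"})
    tampered = f"{h}.{b64url_encode(json.dumps(forged, separators=(',', ':')).encode())}.{s}"
    cases = {
        "unsigned": (encode_jwt(SAMPLE_CLAIMS, None), now_ms),
        "tampered": (tampered, now_ms),
        "expired": (signed, SAMPLE_CLAIMS["exp"] + 1),
    }
    results = {"signed": verify_jwt(signed, DEMO_KEY, now_ms)["http://wso2.org/claims/enduser"]}
    for name, (token, at) in cases.items():
        try:
            verify_jwt(token, DEMO_KEY, at)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = str(err)
    return results


if __name__ == "__main__":
    print(demo())
```

The check on alg is deliberately an equality against the single configured algorithm rather than a denylist of "none"; a verifier that lets the token choose its own algorithm is exactly the mistake that makes the unsigned form above dangerous.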
Analytics
Operational Purposes
• Know when your system is heating up
• Know when to scale up/down
• For alerts/notifications
• Threat detection
Business Purposes
• Identify user types/categories by device (User Agent)
• Identify usage by geographical location
• Know when to promote/retire your APIs
Analytics in API Manager
[Diagram: the Client / Partner calls the Gateway, which forwards to the Back End Service; the Gateway emits Event Streams to the analytics server, aggregated data is written to the STAT DB, and statistical data is retrieved from it for display]
Identity Federation
• Useful in scenarios where you need to authenticate users through an Identity System that’s already in place
Integration with external OAuth servers
• Enterprises which already have an identity system capable of doing OAuth might be interested in integrating the API Management platform with it.
API Facade Pattern
• It is an architectural best practice to use the Facade pattern to clearly separate the API layer from the mediation layer, giving a better separation of concerns
Deployment FAQ
• How many servers do I need to achieve my performance requirement?
• How do I scale over time?
• How do I secure the deployment?
Deployment Performance Numbers
• 1300 TPS for EC2 m1.large.
• Upcoming release AM 1.9 has shown more than 4000 TPS for a tuned setup. We will be benchmarking on EC2 after the release.
Clustering Step 2
[Diagram: the Client / Partner reaches the Gateway, which calls the Back End; the Key Manager, Store and Publisher components sit alongside the Gateway and share the apimgtdb, gregdb and userdb databases]
Integration and Automation
• We are working on a complete RESTful API for API Manager.
• The Swagger definition can be found at http://hevayo.github.io/restful-apim/#/