Securing, Monitoring and Monetizing APIs
Nuwan Dias, Technical Lead, WSO2

Upload: wso2

Posted on 25-Jul-2015


TRANSCRIPT

Page 1: WSO2Con EU  2015: Securing, Monitoring and Monetizing APIs

Securing, Monitoring and Monetizing APIs

Nuwan Dias Technical Lead

WSO2

Page 2

What is a Managed API?

● Advertising APIs

● Controlled Subscriptions

● SLAs

● Securing

● Statistics and Monitoring

● Monetization

Page 3

API Security

● Identity Delegation

Page 4

API Security: OAuth 2.0

● Has become the de-facto standard for API Security

● Successor to OAuth 1.0 and OAuth WRAP

● Primarily operates on an Access Token

● Introduces Grant Types and Token Types

● Common Terminology Used
  ○ User
  ○ Client
  ○ Resource Server
  ○ Authorization Server

Page 5

Using Access Tokens

Page 6

OAuth 2.0 Grant Types

● A grant type defines how a client obtains an access token

● The OAuth 2.0 specification defines 4 major grant types
  ○ Authorization Code
  ○ Implicit
  ○ Resource Owner Password Credentials
  ○ Client Credentials

● Other popular grant types
  ○ JWT-Bearer
  ○ SAML 2.0 Bearer Assertion

● The WSO2 API Management and Identity Platforms support almost all of these grant types out of the box and provide the ability to extend them and introduce custom grant types as well!

Page 7

Fine Grained Authorization through OAuth Scopes

● A scope defines a particular action that may be performed on a Resource.

● A scope can be restricted to a particular user role

Page 8

Fine Grained Authorization through OAuth Scopes

● Protecting a Resource through a Scope

Page 9

Fine Grained Authorization through XACML

● XACML - eXtensible Access Control Markup Language

● WSO2 Identity Server's support for XACML can be used to protect Resources at a finer-grained level

Page 10

Authorization through Identity Federation

● Perform Authentication through external IDPs

Page 11

Integrating with an external OAuth Server

● The WSO2 API Management platform offers the capability of integrating with an external OAuth server and operating on access tokens/keys issued by the external server.

Page 12

{JWT}

• A JSON Web Token is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is digitally signed using JSON Web Signature (JWS).

Header:
{
  "alg": "RS256",
  "typ": "JWT"
}

Payload:
{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true
}

Signature:
RSASHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), …
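As an added example (not from the slides or from WSO2), the Python below issues and verifies a token in the compact JWS layout shown above, then applies the scope check from the "Protecting a Resource through a Scope" slides on the resource-server side. It swaps the slide's RS256 (RSA) for HS256 (HMAC-SHA256 from the standard library) so it runs without an RSA library; the secret, claims and resource-to-scope map are constructed.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret. The slide shows RS256 (RSA); this example swaps in
# HS256 (HMAC-SHA256 from the standard library). Token layout is unchanged:
# base64url(header) + "." + base64url(payload) + "." + base64url(signature)
SECRET = b"constructed-demo-secret-do-not-reuse"

# Hypothetical resource-to-scope map for "Protecting a Resource through a Scope"
REQUIRED_SCOPE = {"GET /orders": "orders:read", "POST /orders": "orders:write"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(payload: dict, secret: bytes = SECRET) -> str:
    """Authorization-server side: sign base64url(header).base64url(payload)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_jwt(token: str, secret: bytes = SECRET, now=None) -> dict:
    """Return the claims if the token verifies, otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    if json.loads(b64url_decode(parts[0])).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pinned: a token claiming "none" is rejected
    expected = hmac.new(secret, (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    if "exp" in claims and (time.time() if now is None else now) >= claims["exp"]:
        raise ValueError("token expired")
    return claims

def authorize(token: str, resource: str, now=None) -> bool:
    """Resource-server side: token must verify AND carry the resource's scope."""
    try:
        claims = verify_jwt(token, now=now)
    except ValueError:  # also covers malformed base64/JSON (subclasses of ValueError)
        return False
    return REQUIRED_SCOPE.get(resource) in str(claims.get("scope", "")).split()
```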

Page 13

Advanced API Security by Prabath Siriwardena

Page 14

Monitoring Your APIs

Monitoring and Statistics

Operational

• Scaling Up Systems

• Upgrading System Resources

Business

• For expanding your business and API Ecosystem

Page 15

Operational Insights - Why they Matter

• Production Systems don't just operate on a single VM

• Operational conditions change over time

• Performance Implications - How to find out Why?

• Avoid applying the wrong fix

Page 16

Message Tracing using WSO2 DAS and CEP

• Find out what happened to your message

Page 17

Using WSO2 CEP for Real Time Analytics

• Identify Access Patterns and propose new Business Models

• Threat Identification

• Trigger Alerts/Notifications on failures and risks.

• Performance monitoring of Servers

• Monitor Response Times

Page 18

Parties Involved in an API Ecosystem

Page 19

Interests of Parties in the API Ecosystem

Business Owners

• Goals - Increase Sales, Retain Existing Customers, New Business Strategies

• Needs - Commonly Moving Items, Customer Trends, Possible Store Locations

API Creators

• Goals - Design Better APIs, Increase API Usage

• Needs - Call Frequency, Response Times, Access Patterns

Application Developers

• Goals - More App Downloads, Better User Experience, Higher Availability

• Needs - Call Count, Device Types, Access Locations

The Analytics platform should cater to needs of all interested parties!

Page 20

Batch Analytics using WSO2 DAS

Page 21

Some stats offered by default

General API/Resource Usage

API Response Times

API Usage by User

API Usage by Application(s)

Top Users per Application

Faults by API

Stats based on API endpoint

……

Page 22

Integration with Google Analytics

Identify Geographical Usage

Page 23

Integration with Google Analytics

Identify Usage by Device

Page 24

Benefits of Stats offered by Google Analytics

• Application Developers
  ○ Find out on which platforms APIs are used most - Improve the UX on those platforms
  ○ Identify languages to be supported based on geographical usage

• API Developers
  ○ Prioritise development/testing for platforms on which the API is used most
  ○ Determine languages to be supported by the API.

• Business Owners
  ○ Determine where best to open up a new Store
  ○ Introduce regional varieties.

Page 25

API Monetization

• The relevance of APIs today is expanding beyond the IT department. Why?

• Consumer demand for a seamless experience is driving the need for unprecedented integration.

• Only a few direct Monetization strategies actually work. Ex: Amazon.

• Enterprises today are “Data Rich”. APIs can help unleash the power of enterprise data in support of a digital strategy.

• The inability to monetize APIs directly is not necessarily a lack of revenue opportunity.

Page 26

Exposing Data as APIs

• WSO2 offers the perfect platform for aggregating, organising and exposing your enterprise data for consumption by third parties.

Page 27

Page 28

Thank You