March 2015
API, Integration, and SOA Convergence
Kasun Indrasiri, Software Architect
WSO2 Workshop - Sydney
Agenda
๏ Why APIs?
๏ API-Management
๏ Demo – WSO2 API-M
๏ SOA, ESB and Integration
๏ API and Integration convergence - API-Façade
๏ API Security
๏ Demo – API-Façade Pattern with WSO2 ESB and WSO2-API-M
Why APIs
๏ Over 75% of Twitter traffic comes from third-party applications
Source : http://www.programmableweb.com/news/twitter-reveals-75-our-traffic-api-3-billion-calls-day/2010/04/15
Why APIs
๏ eBay: we expect to take over $20bn through mobile in 2013
๏ eBay's mobile/API traffic of over 6B calls a day is primarily handled by WSO2 ESB - http://wso2.com/library/conference/2014/10/wso2con-usa-2014-overcoming-challenges-of-moving-esb-to-the-cloud
Source : http://techcrunch.com/2013/01/16/ebay-and-paypal-expect-to-do-20-billion-each-in-2013-mobile-commerce/
Apps, APIs and API-Management
๏ APIs and Apps
[Figure: "Apps, APIs and API Mgmt…" (© 2013 IBM Corporation, impact2013). Roles: Business Owner, IT, Developer, Consumers. Benefits: new business opportunities, new markets, more customers, enhanced branding, competitive advantage; extended development team, more innovation, more scale; partner/supplier alignment. Challenges: business strategy; infrastructure (security, creation, scalability); operational control (publish, analyze, monitor).]
Image courtesy: http://www.edudemic.com/10-ipad-apps-english-history/ and impact2013
[Diagram: APIs, App Developers, App Consumers]
๏ Accelerate mobile application development
๏ Foster internal reuse and sharing
๏ Unleash external developers' innovation
๏ Let external developers innovate around your APIs and other APIs on the market
๏ Build new Channels and Ecosystems
๏ Create new Business Models
“API Economy” drivers
Source : https://appdevelopermagazine.com/1509/2014/6/1/What-You-Need-to-Know-About-APIs-to-Build-Mobile-Applications/
๏ API – a business functionality delivered over the internet
§ Standard protocols (HTTP), well-defined but loose contract, network accessible, designed for access by third parties.
๏ A managed API
§ Advertised and subscribable, versioned
§ SLAs, Secured and authorized
§ Monitored and monetized
Understanding APIs
WSO2 API Manager
• The only complete, 100% open source API Management solution
• A cleanly integrated system which supports API publishing, lifecycle management, developer portal, access control and analytics
• Backed by a high-performance gateway
• A single node supports more than 100 million requests/day
• eBay handles 6 billion calls/day, a number which nearly doubles at peak season time.
• Includes Social enablement such as ratings and comments
• Supports single-sign on with Facebook, GoogleApps, etc.
• Named a Strong Performer in this space by Forrester in 2014
• Best API Design across all vendors
• Best Solution Cost for on-premise solution
• Extremely Satisfied customers
• Available on-premise, as managed deployment and as SaaS application (beta)
API Management in a nutshell
Source : https://appdevelopermagazine.com/1509/2014/6/1/What-You-Need-to-Know-About-APIs-to-Build-Mobile-Applications/
API Ecosystem Model: roles drawn from SOA lessons learned and best practices
๏ API Creator
§ Designs, implements, manages and versions the API
§ Understands business and technical requirements
§ Cares about usage and scaling
§ Seeks feedback, ratings, usage
๏ API Publisher
§ Publishes, promotes and encourages consumers to adopt APIs
§ Determines usage patterns and how to best monetize the asset
§ Monitors and secures
๏ API Consumer
§ Understands the interface definition
§ Subscribes and connects the application to the API
§ Monitors own usage and cost basis
§ Provides feedback and ratings
๏ SOA/ESB is a Success.
§ Discrete IT solutions are modeled as services
§ Accessible over the network via rigid contracts
§ Preferred way of integrating disparate systems
§ Many organizations have benefited from employing SOA and ESB
Retrospect on SOA and ESB
๏ Limitations of SOA/ESB
§ Designed for internal interactions
§ Strict contracts (WSDL, XSD)
§ Complex data formats (SOAP)
§ Not designed for frequent iterations
Retrospect on SOA and ESB
๏ APIs cannot replace integration
§ Integration of internal services, systems, data and cloud APIs
๏ SOA cannot simply be bent to serve API Management needs
๏ Using SOA and APIs in combination is a key success factor of a Connected Business
SOA and APIs : The Close Cousins
Image courtesy http://www.soa.com/images/enterprise-api-400.jpg
๏ A simple interface to a complex system
API Façade Pattern
Image courtesy: http://regmedia.co.uk/2012/11/06/ipad4_2.jpg, http://www.techautos.com/wp-content/uploads/2010/04/iPadMobo.jpg
๏ Do APIs represent increased risk for the enterprise?
§ APIs expose most of the core business functionality to the external world.
§ This effectively increases the number of potential calls, which increases the attack surface.
๏ But APIs are a key success factor for an organization
§ A well-designed API enables an organization to deliver its key business directly to its employees, clients, partners and customers.
§ API Security must be a part of the API design
§ Rather than relying only on conventional security technologies, API Security should be based on a dedicated security architecture.
Why API Security
๏ API Security is part of a larger information security problem.
๏ You need to take additional measures to protect your servers and the mobiles that run your apps in addition to the steps taken to secure your API.
๏ Your firewalls, network, cloud infrastructure, or the mobile platform may open you up to attack if you don’t also strive to make them as secure as your API.
๏ (We will discuss only the API-Security techniques.)
API Security is a part of a holistic approach
๏ HTTP Basic/Digest Authentication
§ Accessing a protected API by sending credentials in the HTTP Authorization header along with the API invocation request: Basic sends the username and password (base64-encoded, so TLS is required to keep them confidential), while Digest sends a hash computed from the password and a server nonce instead of the password itself
API Security – Direct Authentication
๏ Mutual Authentication
§ Two way SSL/client authentication
§ Based on certificates: the server authenticates to the client and the client to the server
API Security – Mutual Authentication with TLS
๏ Both direct and mutual authentication support only two parties
๏ What happens if a third-party client/app wants to call APIs on your behalf?
API Security – How do we handle third-parties
Need a better approach…
๏ Sharing the clear-text password of resource owners
§ Third-party applications are required to store the resource owner's credentials for future use, typically a password in clear text.
§ Servers are required to support password authentication, despite the security weaknesses created by passwords.
๏ Unlimited access to all the resources
§ Third-party applications gain overly broad access to the resource owner's protected resources, leaving resource owners without any ability to restrict duration or access to a limited subset of resources.
๏ Revoking access for a given third party
§ Resource owners cannot revoke access to an individual third party without revoking access to all third parties, and must do so by changing their password.
๏ Compromise of any third party would compromise all systems
§ Compromise of any third-party application results in compromise of the end-user's password and all of the data protected by that password.
๏ OAuth 2.0 in action - FB and twitter
API Security - Identity Delegation
At base, OAuth lets a person delegate constrained access from one app to another
Source: July 13, 2011, “Protecting Enterprise APIs With A Light Touch” Forrester report
๏ OAuth is not for authentication.
๏ OAuth is not used for authorization.
๏ OAuth is also not for federation.
๏ It's for delegation, and delegation only!
OAuth – Is only for Delegated Access
Image credit - http://www.workpuzzle.com/peak-performance-learning-to-delegate-effectively-part-2/
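As an added example (not from the deck), a small Python model of the delegation the slides describe: the authorization server issues opaque, scoped, time-limited tokens to each third-party client and can revoke one client's access without touching other clients or the resource owner's password. Class names, scope names and the response strings are constructed for the illustration.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Grant:
    client_id: str
    scopes: frozenset
    expires_at: int
    revoked: bool = False


class AuthorizationServer:
    """Issues opaque bearer tokens bound to one client, a scope set and a lifetime (constructed model)."""

    def __init__(self):
        self._grants = {}  # token string -> Grant

    def issue(self, client_id, scopes, now, ttl=3600):
        # The client receives an unguessable token, never the resource owner's password
        token = secrets.token_urlsafe(24)
        self._grants[token] = Grant(client_id, frozenset(scopes), now + ttl)
        return token

    def revoke_client(self, client_id):
        """Resource owner withdraws one third party; other clients keep working."""
        for grant in self._grants.values():
            if grant.client_id == client_id:
                grant.revoked = True

    def introspect(self, token, now):
        grant = self._grants.get(token)
        if grant is None or grant.revoked or now >= grant.expires_at:
            return None
        return grant


class ResourceServer:
    """Protected API: accepts only live tokens whose scope covers the requested operation."""

    def __init__(self, auth_server):
        self._auth = auth_server

    def access(self, token, required_scope, now):
        grant = self._auth.introspect(token, now)
        if grant is None:
            return "401 invalid_token"
        if required_scope not in grant.scopes:
            return "403 insufficient_scope"
        return "200 OK"
```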
๏ OpenID Connect is a modern federation specification
๏ A replacement for SAML and WS-Federation
๏ Simple identity layer on top of the OAuth 2.0 protocol.
๏ Defines a new token type – ID Token
• Intended for clients (access and refresh tokens are opaque to the client)
• The ID Token asserts the user's identity
• Based on JSON Web Token (JWT), digitally signed
• Contains how and when the user authenticated, and properties of the user
Identity Federation – OpenID Connect
๏ Why APIs
๏ API Management, WSO2 API Manager
๏ SOA, Integration and API Management
๏ API Security
Summary
Links
๏ Enabling a Connected Business - http://wso2.com/landing/enabling-the-connected-business/
๏ Connected Business webinar series - http://wso2.com/landing/connected-business-webinar-series/
๏ Convert your enterprise to a Connected Business – http://wso2.com/whitepapers/convert-your-enterprise-to-a-connected-business/