API Management with wicked.haufe.io

Uploaded by: haufe-lexware-gmbh-co-kg

Posted on 07-Jan-2017

TRANSCRIPT

Page 1: API Management with wicked.haufe.io

API Management with wicked.haufe.io
Microservices Architecture Day, November 22

Martin Danielsson (@donmartin76)
dev.haufe.com
github.com/Haufe-Lexware, github.com/DonMartin76
@HaufeDev

Page 2: API Management with wicked.haufe.io

1 Intro – API Management

Why would you need and want API Management?

Page 3: API Management with wicked.haufe.io

What does it do?

Provide Discoverability and Self-Service: access to APIs for developers, easily and automatically.

Monitor traffic to provide Usage Insights for individual apps and APIs. Who is using what, and how much?

Protect the API from misuse by providing Security, e.g. by wrapping it in security procedures and policies.

Protect the runtime with Traffic Control, e.g. by throttling for mobile apps.

Use API Management to Decouple the inside from the outside, keeping interfaces (APIs) stable.

| 02.05.2023 | API Management -- wicked.haufe.io -- Microservices Architecture Day -- Martin Danielsson | Page 3

Page 4: API Management with wicked.haufe.io

API Management Key Components

(Diagram: API Portal used by API Owners, Developers and Admin; Developer Self-Service; End User; Service Endpoints)

Reference: http://www.apiacademy.co/resources/api-management-101-api-management-basics/

Page 5: API Management with wicked.haufe.io

Our (API) Approach @Haufe

Don’t centralize

Group APIs by functionality

Let teams work independently, as long as they follow our API Styleguide

Choose API Management by use case, not by dogma

Automate (Build, Test, Deploy, …)

Page 6: API Management with wicked.haufe.io

Use Cases

SPA, M2M, Mobile

Don’t search for the “One to rule them all”

Instead, go for “Good enough”

And not to forget: “Evolutionary refinement”

Page 7: API Management with wicked.haufe.io

2 wicked.haufe.io

Open Source API Management - based on Mashape Kong

Page 8: API Management with wicked.haufe.io


Page 9: API Management with wicked.haufe.io


wicked.haufe.io - Features

“Normal Features”

API Gateway (Kong): Rate-Limiting, CORS, …

API Keys, OAuth 2.0 Support

Developer Portal, Self Signup, Social Logins, ADFS Login

Swagger UI/OpenAPI, Collaboration Features, Authorization Servers, …

“Unique Selling Points”

Built to run in Docker, deployable on any premise

Configuration as Code, Immutable Servers

Built for CI/CD, Multi-Environment Support

Fully Open Source, Flexible and Extensible

Awesome logo (thanks, Olaf!)

Page 10: API Management with wicked.haufe.io

Main Use Cases - Machine to Machine

(Diagram: Consumer → API Gateway → Backend Service)

Consumer → API Gateway: X-ApiKey: abd82636d…

API Gateway → Backend Service: X-Consumer-CustomId: consumer1

Also works with the OAuth 2.0 Client Credentials Flow

Page 11: API Management with wicked.haufe.io

Machine to Machine - When to use?

API Keys or OAuth 2.0 Client Credentials

Trusted Consumers

Server Side Communication

End User not relevant (or already authN/Z’d)

Page 12: API Management with wicked.haufe.io

Use Case - Single Page Application (SPA) with Backend API

(Diagram: User-Agent (Browser) running the Consumer (SPA), which makes an AJAX/CORS Call to the Backend API)

Is it really the SPA making those calls?

User Identity?

Page 13: API Management with wicked.haufe.io

SPA - OAuth 2.0 Implicit Flow

(Diagram: User-Agent (Browser) running the Consumer (SPA) → API Gateway → Backend API)

Consumer (SPA) → API Gateway: Authorization: Bearer abd83634...

API Gateway → Backend API: X-Authenticated-Userid: donmartin76, X-Consumer-Custom-Id: spa-consumer
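The two slides above ("Machine to Machine" and "SPA - OAuth 2.0 Implicit Flow") show the gateway turning a credential it receives (X-ApiKey, or Authorization: Bearer) into identity headers the backend trusts (X-Consumer-Custom-Id, X-Authenticated-Userid). The following is an added example modelling that behaviour in Node.js; it is not code from wicked.haufe.io or from Kong. The key and token registries, the expiry timestamps, the header set that is stripped from inbound requests, and the `backend` function are all constructed for this example. The security-relevant point it demonstrates is that the gateway must also remove any client-supplied copies of those identity headers before forwarding, otherwise a caller could claim to be another consumer or user.

```javascript
// Constructed registry of API keys issued to trusted, server-side consumers
// (the "Machine to Machine" case). Values are made up for this example.
const API_KEYS = new Map([
  ["abd82636d-example-key", { customId: "consumer1" }],
]);

// Constructed registry of access tokens issued by the authorization server
// (the "SPA - OAuth 2.0 Implicit Flow" case). `exp` is a Unix timestamp in seconds.
const ACCESS_TOKENS = new Map([
  ["abd83634-example-token", { customId: "spa-consumer", userId: "donmartin76", exp: 4102444800 }],
]);

// Header names the backend must only ever receive from the gateway. They are
// removed from the inbound request so that a caller cannot impersonate another
// consumer or user simply by setting them itself. (Constructed list.)
const GATEWAY_ONLY_HEADERS = new Set([
  "x-apikey",
  "authorization",
  "x-consumer-custom-id",
  "x-consumer-customid",
  "x-authenticated-userid",
]);

// Header names are case-insensitive; work with lowercase copies throughout.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// Decide whether a request may be forwarded and, if so, which headers the
// backend sees. Returns { status: 200, headers } or { status: 401, reason }.
function gateway(request, now = Math.floor(Date.now() / 1000)) {
  const inbound = normalizeHeaders(request.headers || {});

  // Start the upstream header set from the inbound one minus the trusted names.
  const upstream = {};
  for (const [name, value] of Object.entries(inbound)) {
    if (!GATEWAY_ONLY_HEADERS.has(name)) upstream[name] = value;
  }

  // Case 1: API key presented by a trusted server-side consumer.
  if (inbound["x-apikey"] !== undefined) {
    const consumer = API_KEYS.get(inbound["x-apikey"]);
    if (!consumer) return { status: 401, reason: "unknown API key" };
    upstream["x-consumer-custom-id"] = consumer.customId;
    return { status: 200, headers: upstream };
  }

  // Case 2: bearer token the SPA obtained from the authorization server.
  const auth = inbound["authorization"];
  if (typeof auth === "string" && auth.startsWith("Bearer ")) {
    const entry = ACCESS_TOKENS.get(auth.slice("Bearer ".length).trim());
    if (!entry) return { status: 401, reason: "unknown token" };
    if (entry.exp <= now) return { status: 401, reason: "token expired" };
    upstream["x-consumer-custom-id"] = entry.customId;
    upstream["x-authenticated-userid"] = entry.userId;
    return { status: 200, headers: upstream };
  }

  return { status: 401, reason: "no credentials" };
}

// What the backend does with a forwarded request: it trusts the identity
// headers because, by deployment, only the gateway can reach it and set them.
function backend(upstreamHeaders) {
  return {
    consumer: upstreamHeaders["x-consumer-custom-id"],
    user: upstreamHeaders["x-authenticated-userid"] || null,
  };
}
```

The `backend` function's trust is only justified when the backend is not reachable except through the gateway (the "Decouple the inside from the outside" point from the intro); if the backend is also exposed directly, the headers prove nothing.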

Page 14: API Management with wicked.haufe.io

How do we get an Access Token? (OAuth 2.0 Implicit Flow)

(Diagram: User-Agent (Browser) running the Consumer (SPA); API Gateway; AuthZ Server. Labels: Browser Redirect (302), Server Side Call, Authorize, Access Token)

https://api.yourcompany.com/auth/api?client_id=23876d7828db...&response_type=token

https://yourcompany.com/spa/#access_token=abd83634...

Page 15: API Management with wicked.haufe.io

Authorization Server - What does it do?

“WHO?” Authenticate: Establish Identity. Can delegate to a dedicated Identity Provider: Google, Twitter, Atlantic SSO, …

“WHAT?” Authorize: What is the User Allowed to Access? Check Licenses, User Groups, Authorized Scopes, ...

Sometimes: Authentication == Authorization

ACCESS TOKEN

Page 16: API Management with wicked.haufe.io

Actual Sequence - Atlantic as IdP

(Diagram: User-Agent (Browser) running the Consumer (SPA); AuthZ Server; Atlantic Login; License Server, ...)

https://yourcompany.com/spa/#access_token=abd83634...

Page 17: API Management with wicked.haufe.io

3 DEMO TIME!

Open Source API Management - based on Mashape Kong

Page 18: API Management with wicked.haufe.io

Deployment Architecture

(Diagram components: HAPROXY, SSL TERM., PORTAL + AUTH S., KONG, API, SPA)

Page 19: API Management with wicked.haufe.io

Demo Prerequisites

2 Docker Hosts on Azure: API Management (DS_1), API Backend (DS_1)

Google+ Web App Credentials: Client ID and Secret

GitHub Web App Credentials: Client ID and Secret

SAML SP Registration with Atlantic (Integration Instance). Thanks, Dan!

APIm Configuration: DNS entry, Let’s Encrypt Certs, GitHub Login

1-2 hours

Page 20: API Management with wicked.haufe.io


Page 21: API Management with wicked.haufe.io

Authorization Server functionality (for Implicit Grant)

Authorization Server:

Provide a normalized profile (via CORS or OpenID Connect*)

Decouple Authentication from Application (“WHO?”)

Refresh Access Tokens via heartbeat (via CORS, NON STANDARD)

Decide on Authorization (if needed) (“WHAT?”)

Page 22: API Management with wicked.haufe.io

OAuth 2.0 - The standard flows

Client Credentials Grant: Machine to Machine

Implicit Grant: For Mobile and SPAs (public clients)

Resource Owner Password Grant: For Mobile, trusted Apps

Authorization Code Grant: Web Sites, Mobile, to let 3rd Parties access your data on your behalf

Page 23: API Management with wicked.haufe.io

4 API Management Challenges

Some of them, not all

Page 24: API Management with wicked.haufe.io

Requirements and Architectural Decisions

• What goes into APIm?
• What goes into the backend?
• Which are the Reqs for APIm? Project specific!

Deployment and Automation

• go.cd Pipeline design
• Automation and Deployment scripts
• Adapting APIm to our Architectural Principles

Evangelizing

• Why APIs? Why API Management?
• Longer term benefits
• Opening up, enabling, composing

Page 26: API Management with wicked.haufe.io

Appendix

Additional slides

Page 27: API Management with wicked.haufe.io

Links to wicked.haufe.io

Microsite for “marketing”: http://wicked.haufe.io

Main GitHub site: https://github.com/Haufe-Lexware/wicked.haufe.io

Sample wicked portal: https://wicked-demo.haufe.io

Sample Authorization Server implementations:
https://github.com/Haufe-Lexware/wicked.auth-passport (Social Logins)
https://github.com/Haufe-Lexware/wicked.auth-saml (SAML SSO)
https://github.com/Haufe-Lexware/wicked.auth-adfs (ADFS federation)

Sample SPA/API Application “markdown-notes”: https://github.com/DonMartin76/markdown-notes