API Management with wicked.haufe.io Microservices Architecture Day, November 22
Martin Danielsson (@donmartin76)
dev.haufe.com
github.com/Haufe-Lexware, github.com/DonMartin76
@HaufeDev
Haufe-Lexware
1 Intro – API Management
Why would you need and want API Management? What does it do?
• Provide discoverability and self-service: access to APIs for developers, easily and automatically
• Monitor traffic to provide Usage Insights for individual apps and APIs. Who is using what, and how much?
• Protect the API from misuse by providing Security, e.g. by wrapping it in security procedures and policies.
• Protect the runtime with Traffic Control, e.g. by throttling for mobile apps
• Use API Management to Decouple the inside from the outside, keeping interfaces (APIs) stable
| 02.05.2023 |API Management -- wicked.haufe.io -- Microservices Architecture Day -- Martin DanielssonSeite 3
API Management Key Components
[Diagram: API Portal (for API Owners, Developers, Admin; Developer Self-Service) in front of the API; End Users and Service Endpoints on either side]
Source: http://www.apiacademy.co/resources/api-management-101-api-management-basics/
Our (API) Approach @Haufe
• Don’t centralize
• Group APIs by functionality
• Let teams work independently, as long as they follow our API Styleguide
• Choose API Management by use case, not by dogma
• Automate (Build, Test, Deploy, …)
Use Cases
SPA, M2M, Mobile
Don’t search for the “One to rule them all”
Instead, go for “Good enough”
And not to forget: “Evolutionary refinement”
2 wicked.haufe.io: Open Source API Management, based on Mashape Kong
wicked.haufe.io - Features
“Normal Features”
• API Gateway (Kong): Rate-Limiting, CORS, …
• API Keys, OAuth 2.0 Support
• Developer Portal, Self Signup, Social Logins, ADFS Login
• Swagger UI/OpenAPI, Collaboration Features, Authorization Servers, …
“Unique Selling Points”
• Built to run in Docker, deployable on any premise
• Configuration as Code, Immutable Servers
• Built for CI/CD, Multi-Environment Support
• Fully Open Source, Flexible and Extensible
• Awesome logo (thanks, Olaf!)
Main Use Cases - Machine to Machine
[Diagram: Consumer → API Gateway → Backend Service. The Consumer sends “X-ApiKey: abd82636d…” to the API Gateway; the API Gateway forwards “X-Consumer-CustomId: consumer1” to the Backend Service.]
Also works with the OAuth 2.0 Client Credentials Flow
API Keys or OAuth 2.0 Client Credentials
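The security-relevant detail of the diagram above is that the backend trusts the consumer identity header because the gateway set it, not the client. The following is an added example, not code from wicked.haufe.io or Kong, of what the gateway has to do for that trust to be justified: resolve the presented API key, drop any copy of the gateway-owned headers the client may have sent, and only then inject the consumer id. The key store, consumer ids and header values are constructed for the example; header names follow the slide.

```python
"""Gateway-side API key check with consumer header injection.

Constructed example for the machine-to-machine slide; not code from
wicked.haufe.io or Kong. Keys, consumer ids and header values are made up.
"""
import hashlib
from typing import Dict, Optional, Tuple

# Constructed key store: sha256(api key) -> consumer custom id. Storing only
# hashes means a leaked store does not hand out usable keys.
KEY_STORE: Dict[str, str] = {
    hashlib.sha256(b"constructed-key-consumer1").hexdigest(): "consumer1",
    hashlib.sha256(b"constructed-key-consumer2").hexdigest(): "consumer2",
}

# Headers that only the gateway may set towards the backend (both spellings
# used on the slides). Any copy arriving from the outside is untrusted and
# is dropped before forwarding, otherwise a client could pick its own identity.
GATEWAY_OWNED = frozenset({
    "x-consumer-custom-id",
    "x-consumer-customid",
    "x-authenticated-userid",
})


def lookup_consumer(api_key: str) -> Optional[str]:
    """Resolve a presented API key to its consumer id, or None if unknown."""
    digest = hashlib.sha256(api_key.encode("utf-8")).hexdigest()
    return KEY_STORE.get(digest)


def forward(inbound: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Decide what the gateway does with an inbound request.

    Returns (status, headers_for_backend): 401 and no headers when the key is
    missing or unknown, otherwise 200 and the exact header set the backend sees.
    """
    # Header names are case-insensitive; normalise before any lookup.
    headers = {k.lower(): v for k, v in inbound.items()}
    api_key = headers.get("x-apikey")
    consumer = lookup_consumer(api_key) if api_key else None
    if consumer is None:
        return 401, {}
    # Never forward the credential itself, nor any client-supplied header in
    # the gateway-owned namespace.
    outbound = {
        k: v for k, v in headers.items()
        if k != "x-apikey" and k not in GATEWAY_OWNED
    }
    outbound["x-consumer-custom-id"] = consumer
    return 200, outbound
```

The backend side of this contract is network-level: the headers are only meaningful if the backend accepts traffic from the gateway alone, which is the "Trusted Consumers / Server Side Communication" setting of the next slide.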
Machine to Machine - When to use?
• Trusted Consumers
• Server Side Communication
• End User not relevant (or already authN/Z’d)
Use Case - Single Page Application (SPA) with Backend API
[Diagram: the Consumer (SPA) running in the User-Agent (Browser) makes an AJAX/CORS Call to the Backend API.]
Is it really the SPA making those calls?
User Identity?
SPA - OAuth 2.0 Implicit Flow
[Diagram: the Consumer (SPA) running in the User-Agent (Browser) → API Gateway → Backend API. The SPA sends “Authorization: Bearer abd83634...” to the API Gateway; the API Gateway forwards “X-Authenticated-Userid: donmartin76” and “X-Consumer-Custom-Id: spa-consumer” to the Backend API.]
How do we get an Access Token? (OAuth 2.0 Implicit Flow)
[Sequence: the Consumer (SPA) sends the browser via a 302 Browser Redirect to the AuthZ Server: https://api.yourcompany.com/auth/api?client_id=23876d7828db...&response_type=token. The AuthZ Server authorizes (Server Side Call towards the API Gateway) and redirects the browser back to the Consumer (SPA) with the Access Token in the URL fragment: https://yourcompany.com/spa/#access_token=abd83634...]
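As an added example (not code from wicked.haufe.io or its sample authorization servers), the two ends of the redirect shown above: the authorization server's handling of the `response_type=token` request, and the SPA's reading of the `#access_token=...` fragment. The client registry, redirect URI, user name and token issuer are constructed; the login and authorization decision that the real AuthZ Server performs are passed in as `authenticated_user`. The points a practitioner wants to see are that the redirect URI is matched exactly against the registered one (an unknown client or a mismatching URI gets an error page, never a redirect), that the token is only ever placed in the fragment, and that the SPA rejects a response whose `state` it did not generate.

```python
"""OAuth 2.0 Implicit Grant (response_type=token): authorization-server
redirect and SPA-side fragment handling.

Constructed example for the sequence slide; not code from wicked.haufe.io.
The client registry, redirect URI, user and token values are made up. The
real authorization server (https://api.yourcompany.com/auth/api on the slide)
performs the login and authorization decision that arrive here pre-made as
`authenticated_user`.
"""
import secrets
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed client registry: client_id -> exact, pre-registered redirect URIs.
# Implicit-grant clients are public (no client secret), so the registered
# redirect URI is the only thing binding the issued token to the real SPA.
CLIENTS: Dict[str, Dict[str, List[str]]] = {
    "spa-consumer": {"redirect_uris": ["https://yourcompany.com/spa/"]},
}


def _random_token(user: str, client_id: str) -> str:
    """Default token issuer: an opaque random bearer token (constructed)."""
    return secrets.token_urlsafe(32)


def authorize(params: Dict[str, str], authenticated_user: str,
              issue_token: Callable[[str, str], str] = _random_token,
              ) -> Tuple[int, str]:
    """Handle GET /auth/api?client_id=...&response_type=token[&redirect_uri=...&state=...].

    Returns (status, Location header). 400 with an empty Location means
    "render an error page, do not redirect".
    """
    client_id = params.get("client_id", "")
    client = CLIENTS.get(client_id)
    if client is None:
        # RFC 6749 sec. 4.2.2.1: on an invalid client_id or redirect_uri the server
        # MUST NOT redirect, otherwise the token would go to an attacker-chosen URL.
        return 400, ""
    redirect_uri = params.get("redirect_uri", client["redirect_uris"][0])
    if redirect_uri not in client["redirect_uris"]:  # exact string match, no prefixes
        return 400, ""

    fragment: Dict[str, str] = {}
    if params.get("response_type") != "token":
        fragment["error"] = "unsupported_response_type"
    else:
        fragment.update(
            access_token=issue_token(authenticated_user, client_id),
            token_type="bearer",
            expires_in="3600",
        )
    if "state" in params:
        # Echoed back unchanged so the SPA can tie this response to its request.
        fragment["state"] = params["state"]
    # The token lives in the fragment, which the browser never sends to the
    # server hosting the SPA; only the JavaScript in the page can read it.
    return 302, redirect_uri + "#" + urlencode(fragment)


def read_token_from_fragment(location: str, expected_state: str) -> Optional[str]:
    """SPA side: extract the access token, rejecting state mismatches and errors."""
    frag = parse_qs(urlsplit(location).fragment)
    if frag.get("state", [None])[0] != expected_state:
        return None  # not a response to a request this SPA started
    if "error" in frag:
        return None
    return frag.get("access_token", [None])[0]
```

The `state` value should be generated per login attempt (for instance with `secrets.token_urlsafe`) and kept in browser storage until the redirect returns; the check in `read_token_from_fragment` is what stops a token-bearing URL planted by someone else from being accepted as the user's own login.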
Authorization Server - What does it do?
• “WHO?” Authenticate: Establish Identity. Can delegate to a dedicated Identity Provider: Google, Twitter, Atlantic SSO, …
• “WHAT?” Authorize: What is the User Allowed to Access? Check Licenses, User Groups, Authorized Scopes...
• Sometimes: Authentication == Authorization
→ ACCESS TOKEN
Actual Sequence - Atlantic as IdP
[Sequence: the Consumer (SPA) in the User-Agent (Browser) → AuthZ Server → Atlantic Login → AuthZ Server (consults License Server, ...) → back to the Consumer (SPA) with https://yourcompany.com/spa/#access_token=abd83634...]
3 DEMO TIME! Open Source API Management - based on Mashape Kong
Deployment Architecture
[Diagram: HAPROXY (SSL TERM.) in front of PORTAL + AUTH S., KONG and API; the SPA is the client.]
Demo Prerequisites
• 2 Docker Hosts on Azure: API Management (DS_1), API Backend (DS_1)
• Google+ Web App Credentials: Client ID and Secret
• GitHub Web App Credentials: Client ID and Secret
• SAML SP Registration with Atlantic (Integration Instance). Thanks, Dan!
• APIm Configuration: DNS entry, Let’s Encrypt Certs, GitHub Login
• 1-2 hours
Authorization Server functionality (for Implicit Grant)
Authorization Server
• Provide a normalized profile (via CORS or OpenID Connect*)
• Decouple Authentication from Application (“WHO?”)
• Refresh Access Tokens via heartbeat (via CORS, NON STANDARD)
• Decide on Authorization (if needed) (“WHAT?”)
OAuth 2.0 - The standard flows
• Client Credentials Grant: Machine to Machine
• Implicit Grant: For Mobile and SPAs (public clients)
• Resource Owner Password Grant: For Mobile, trusted Apps
• Authorization Code Grant: Web Sites, Mobile, to let 3rd Parties access your data on your behalf
4 API Management Challenges: Some of them, not all
Requirements and Architectural Decisions
• What goes into APIm?
• What goes into the backend?
• Which are the Reqs for APIm? Project specific!
Deployment and Automation
• go.cd Pipeline design
• Automation and Deployment scripts
• Adapting APIm to our Architectural Principles
Evangelizing
• Why APIs? Why API Management?
• Longer term benefits
• Opening up, enabling, composing
Appendix: Additional slides
Links to wicked.haufe.io
Microsite for “marketing”: http://wicked.haufe.io
Main Github site: https://github.com/Haufe-Lexware/wicked.haufe.io
Sample wicked portal: https://wicked-demo.haufe.io
Sample Authorization Server implementations:
• https://github.com/Haufe-Lexware/wicked.auth-passport (Social Logins)
• https://github.com/Haufe-Lexware/wicked.auth-saml (SAML SSO)
• https://github.com/Haufe-Lexware/wicked.auth-adfs (ADFS federation)
Sample SPA/API Application “markdown-notes”: https://github.com/DonMartin76/markdown-notes