BUILDING A WEB API
 PLATFORM WITH OPEN
SOURCE OAUTH 2.0, REST,
      AND NOSQL

      SESSION 6946
      JAVAONE 2012
About the speakers
   Raymond Feng
     Staff Software Engineer – Shutterfly, Inc.
     Member – Apache Software Foundation
     Committer – Apache Tuscany, Wink, Amber
     Co-author – Tuscany SCA In Action
Agenda
   Why a Web API platform
   The key components of a Web API platform stack
     OAuth 2.0
     HTTP Reverse Proxy
     Metrics
     API discovering, exploring and playing
   Q&A
Overview of a Web API Platform
Why a Web API platform?
   Why Web API?
     A great way to build the ecosystem
     For some companies, APIs = products
     Proliferation of mobile clients
     Universal access for internal systems/web or mobile fronts/third party apps
   This talk is about the platform/infrastructure behind the curtain to support Web API calls. It’s NOT about Web API design/development/security.
What’s behind the scene?
   What’s behind an oAuth 2.0 protected REST API call?
     GET https://api.<mycompany>.com/me/albums?access_token=<oAuth 2.0 access token>
     POST https://api.<mycompany>.com/me/albums?access_token=<oAuth 2.0 access token>
        Content-Type: application/json
        Accept: application/json
        Request body: {"name": "Summer 2012"}
   Note: RFC 6750 makes the Authorization: Bearer <token> header the preferred way to present the token; the access_token query parameter is permitted but discouraged, because URLs end up in proxy and server logs, browser history and Referer headers
A Web API Platform
   Client Application → HTTP Reverse Proxy → Protected Resources
   QoS plugins in the proxy: Auth, Metrics, Throttling, Mediation, …
   User Sign-in Page (resource owner authentication)
   Infrastructure
     Distributed data grid (service registry, metrics, quota/usage)
     Security (identity management, client application registration, user authentication, token management, resource ACLs)
     Persistence
Key components
   Authentication/Authorization (oAuth 2.0)
   Reverse proxy (API dispatching)
   Mediation
   Monitoring
   Analytics
   Backend infrastructure
       Client/Token management
       Service registry
       Metrics aggregation
       Metrics visualization
   Developer portal
       Application registration
       Dashboard
       API documentation
       API playground
API invocation flow
   An API request (REST/JSON) comes in using
    HTTPS
   Threat detection
   Authentication (oAuth 2.0 access_token)
   Authorization (token – scopes – resources)
   Rate limiting
   Caching
   Mediation
   Routing
   Analytics
   API Logic
oAuth 2.0
oAuth 2.0
   Based on Apache Amber which implements the latest oAuth 2.0 spec
     http://tools.ietf.org/html/draft-ietf-oauth-v2-31
     http://incubator.apache.org/amber/
     (draft 31 was published as RFC 6749 in October 2012; Apache Amber was later renamed Apache Oltu, which has since been retired)
   Additional SPIs are identified for oAuth 2.0 related metadata management and integration with the security infrastructure
oAuth 2.0 concepts
   OAuth defines four roles:
     resource owner: An entity capable of granting access
      to a protected resource (e.g. end-user).
     resource server: The server hosting the protected
      resources, capable of accepting and responding to
      protected resource requests using access tokens.
     client: An application making protected resource
      requests on behalf of the resource owner and with its
      authorization.
     authorization server: The server issuing access
      tokens to the client after successfully authenticating
      the resource owner and obtaining authorization.
oAuth 2.0 flows/grant types
   An authorization grant is a credential representing the resource owner's authorization (to access its protected resources) used by the client to obtain an access token.
   The oAuth 2.0 specification defines four grant types:
     authorization code
     implicit
     resource owner password credentials
     client credentials
Use cases: Trusted client applications
   Trusted clients include:
     Internal applications (running at the server side or client side)
     Mobile clients
   Mapping to oAuth 2.0
     Client credentials for access token (super user)
     Resource owner password credentials for access token (run as the “resource owner”)
   Caveat: a mobile app is a public client in RFC 6749 terms (section 2.1); a client_secret shipped inside the app can be extracted, so a client-credentials (“super user”) token should only be issued to server-side applications that can keep the secret
Use cases: Third party applications
   We plan to roll out web APIs to 3rd party applications
   oAuth 2.0 will be used as the authentication/authorization mechanism
   Mapping to oAuth 2.0
     Authorization code flow
     Implicit grant flow
   Note: the implicit grant returns the access token in the redirect URL fragment; the OAuth 2.0 Security Best Current Practice (RFC 9700) recommends the authorization code grant with PKCE (RFC 7636) instead
oAuth 2.0 SPI – Client registration
   Client applications will be registered
     Contact e-mail
     Application name/description
     Callback URIs (compared by simple string comparison, RFC 6749 section 3.1.2.3: register the full exact redirect URI, not a prefix or wildcard)
     Authentication scheme
oAuth 2.0 SPI – resource ACL
   Determine if a resource is protected
     Public
     Client-id specific
     Resource-owner specific
   Who are the resource owners?
   Scopes of the access
   Example scope definition:
     {
       "scope": "media",
       "description": "Media",
       "expiresIn": 604800,
       "requiredAccessLevel": 1,
       "resourceOwnerAuthorizationRequired": false
     }
   Example resource definition:
     {
       "id": "media_resource",
       "operations": ["ALL"],
       "path": "/media",
       "scopes": ["media"]
     }
oAuth 2.0 SPI – Authentication &
Authorization
   Make sure a client is registered
   Make sure a token/code is valid
   Authenticate a client using
    client_id/client_secret
   Authenticate a resource owner using user
    name/password
   Check the token against the protected
    resources (ACL)
   Establish the principal/subject
oAuth 2.0 SPI – Token
Management
   Generate access/refresh tokens for a given client,
    resource owner, and scopes
   Generate authorization codes for a given client,
    resource owner, and scopes
   Look up the token metadata based on the token
    string
   Look up the authorization code metadata based
    on the code string
   Expiration
   Refresh tokens
   MongoDB as the backend store for tokens
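   The token-management SPI above (generate codes and tokens for a client/owner/scopes, look them up by string, expire them, refresh them), as an added example that is not code from the talk or from Apache Amber. The in-memory dicts stand in for the MongoDB collections; the "addressbook" scope, the 30-day refresh lifetime and the field names are this example's assumptions. The one design choice worth copying is that only the SHA-256 of each token or code is stored, so a dump of the collection does not hand out usable bearer credentials.

```python
import hashlib
import secrets
import time
from typing import Dict, List, Optional

# Token lifetime per scope, from the scope definition's "expiresIn" (seconds).
# "addressbook" is a constructed second scope; the slide only shows "media".
SCOPE_EXPIRES_IN = {"media": 604800, "addressbook": 3600}
CODE_LIFETIME = 600            # RFC 6749 section 4.1.2 recommends at most 10 minutes
REFRESH_LIFETIME = 30 * 86400  # assumption: 30 days


def _now(now: Optional[float]) -> float:
    return time.time() if now is None else now


class TokenStore:
    """In-memory stand-in for the two MongoDB collections (tokens, authorization codes).

    Only sha256(credential) is stored as the document key, so reading the collection
    (a backup, a log line, a compromised replica) does not yield usable bearer tokens.
    """

    def __init__(self) -> None:
        self.tokens: Dict[str, dict] = {}
        self.codes: Dict[str, dict] = {}

    @staticmethod
    def _key(credential: str) -> str:
        return hashlib.sha256(credential.encode()).hexdigest()

    def issue_code(self, client_id: str, resource_owner: str, scopes: List[str],
                   redirect_uri: str, now: Optional[float] = None) -> str:
        """Authorization endpoint: code bound to client, owner, scopes and redirect URI."""
        code = secrets.token_urlsafe(32)
        self.codes[self._key(code)] = {
            "client_id": client_id, "resource_owner": resource_owner, "scopes": list(scopes),
            "redirect_uri": redirect_uri, "used": False, "expires_at": _now(now) + CODE_LIFETIME,
        }
        return code

    def redeem_code(self, code: str, client_id: str, redirect_uri: str,
                    now: Optional[float] = None) -> Optional[dict]:
        """Token endpoint: exchange a code once, for the same client and redirect URI."""
        rec = self.codes.get(self._key(code))
        if rec is None or rec["used"] or rec["expires_at"] <= _now(now):
            return None
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            return None
        rec["used"] = True  # a replayed code must fail (RFC 6749 section 4.1.2)
        return self.issue_tokens(rec["client_id"], rec["resource_owner"], rec["scopes"], now)

    def issue_tokens(self, client_id: str, resource_owner: str, scopes: List[str],
                     now: Optional[float] = None) -> dict:
        """Access + refresh token; the access token lives as long as its shortest scope allows."""
        unknown = [s for s in scopes if s not in SCOPE_EXPIRES_IN]
        if unknown:
            raise ValueError(f"undefined scopes: {unknown}")
        lifetime = min(SCOPE_EXPIRES_IN[s] for s in scopes)
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        base = {"client_id": client_id, "resource_owner": resource_owner, "scopes": list(scopes)}
        self.tokens[self._key(access)] = dict(base, type="access", expires_at=_now(now) + lifetime)
        self.tokens[self._key(refresh)] = dict(base, type="refresh",
                                               expires_at=_now(now) + REFRESH_LIFETIME)
        return {"access_token": access, "refresh_token": refresh, "token_type": "Bearer",
                "expires_in": lifetime, "scope": " ".join(scopes)}

    def lookup(self, access_token: str, now: Optional[float] = None) -> Optional[dict]:
        """Resource filter: metadata for a presented access token; None if unknown, expired, or not an access token."""
        rec = self.tokens.get(self._key(access_token))
        if rec is None or rec["type"] != "access" or rec["expires_at"] <= _now(now):
            return None
        return rec

    def refresh(self, refresh_token: str, client_id: str,
                now: Optional[float] = None) -> Optional[dict]:
        """Rotate: a valid refresh token yields a new pair and is itself invalidated."""
        key = self._key(refresh_token)
        rec = self.tokens.get(key)
        if (rec is None or rec["type"] != "refresh" or rec["client_id"] != client_id
                or rec["expires_at"] <= _now(now)):
            return None
        del self.tokens[key]
        return self.issue_tokens(rec["client_id"], rec["resource_owner"], rec["scopes"], now)
```

   With MongoDB the dict key becomes an indexed token-hash field and expires_at a Date with a TTL index (expireAfterSeconds: 0) so expired documents are purged automatically; the expiry check in lookup() stays, because TTL deletion runs on a background schedule rather than at the moment of expiry.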
oAuth 2.0 infrastructure
   Actors: Resource Owner, User Agent (browser), Client, reaching the platform over the Internet
   Authorization Server
     Client Registration Endpoint → Client Registration Manager → Client Registrations
     Authorization Endpoint → Authenticator → Users (Resource Owners)
     Token Endpoint → Token Manager → Tokens and Authorization Codes
   Resource Server
     oAuth 2.0 Resource Filter → Resource Access Manager → Resource Permissions and Scope Definitions
     HTTP proxy → Protected Resources (such as user media or address book)
Mapping oAuth 2.0 scopes
   The Resource Owner grants the Client an oAuth 2.0 token carrying one or more scopes
   Each scope maps to a set of Protected Resources (URI pattern plus HTTP operations)
   Example calls that are checked against the token’s scopes:
     GET /services/addressbook/…
     POST /services/addressbook/…
     GET /services/media/…
   See an example at:
    http://developers.facebook.com/docs/reference/api/permissions/
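   The scope-to-resource mapping above and the “check the token against the protected resources (ACL)” step of the authentication/authorization SPI, as one added example that is not code from the talk or from Apache Amber. It uses the shape of the scope and resource definitions on the resource ACL slide; the “addressbook” and “status” entries, the expires_at field on the token metadata and the fail-closed rules are this example’s assumptions, and requiredAccessLevel / resourceOwnerAuthorizationRequired are not modelled.

```python
import time
from typing import Optional, Tuple

# Scope and resource definitions in the shape the slide shows (constructed sample data;
# only "media"/"media_resource" come from the slide).
SCOPE_DEFINITIONS = {
    "media": {"description": "Media", "expiresIn": 604800},
    "addressbook": {"description": "Address book", "expiresIn": 3600},
}

RESOURCE_DEFINITIONS = [
    {"id": "media_resource", "operations": ["ALL"], "path": "/media", "scopes": ["media"]},
    {"id": "addressbook_read", "operations": ["GET"], "path": "/addressbook", "scopes": ["addressbook"]},
    {"id": "status", "operations": ["GET"], "path": "/status", "scopes": []},  # public: no scope needed
]


def find_resource(path: str) -> Optional[dict]:
    """Most specific resource definition whose path prefix covers `path`.

    Matching is on whole path segments, so "/mediax" does not match "/media".
    """
    best = None
    for res in RESOURCE_DEFINITIONS:
        prefix = res["path"]
        if path == prefix or path.startswith(prefix + "/"):
            if best is None or len(prefix) > len(best["path"]):
                best = res
    return best


def authorize(token: Optional[dict], method: str, path: str,
              now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide whether `method path` is allowed for the bearer of `token`.

    `token` is the metadata the token manager looked up for the access-token string
    (None when the request carried no token). Every failure path denies, so an
    unknown path, a malformed path or a stale token fails closed.
    """
    now = time.time() if now is None else now
    # Only a canonical absolute path is accepted; dot segments or empty segments would
    # let a client steer the ACL match (and the proxied backend URL) elsewhere.
    if not path.startswith("/") or any(seg in ("", ".", "..") for seg in path[1:].split("/")):
        return False, "malformed path"
    resource = find_resource(path)
    if resource is None:
        return False, "no resource definition covers this path"
    if not ("ALL" in resource["operations"] or method in resource["operations"]):
        return False, f"{method} not permitted on {resource['id']}"
    if not resource["scopes"]:
        return True, "public resource"
    if token is None:
        return False, "protected resource, no access token"
    if token["expires_at"] <= now:
        return False, "access token expired"
    granted = set(token["scopes"]) & set(resource["scopes"])
    if not granted:
        return False, f"token lacks any of scopes {resource['scopes']}"
    return True, f"granted via scope {sorted(granted)[0]}"
```

   The order of the checks matters: the operation check runs before the public check, so a public resource still only exposes the operations it lists, and the scope test is an intersection rather than a subset test because one resource may be reachable through several scopes.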
oAuth 2.0 metadata model
Client/Resource management (administrative)
   We need to have a UI to
     Manage the resource endpoints (URI patterns and HTTP operations)
     Define oAuth 2.0 scopes that map to a list of resource access permissions
     Manage client applications (enable/disable, setting quota, …)
     Manage access tokens/authorization codes
Dashboard
   Monitor the API usages (administrative)
     By client id
     By user id
     By resource URIs
     By timeline

   Let developers see their client applications
    (developer)
     Registrations
     Usages
     Granted   permissions
REST APIs for API
management
   Get the list of defined scopes
   Display a scope
   Get the list of defined resources
   Display a token
   Display an authorization code
   Display a client registration
   Get the list of registered clients for a given user
   List tokens by client id/user id
   List authorization codes by client id/user id
   List granted permissions
Performance
oAuth 2.0
HTTP reverse proxy
   DO NOT deploy the services on the api server
    directly
   API server dispatches API calls to the back-
    end services
   Open source tools:
     Apache   http components: http://hc.apache.org/
HTTP reverse proxy – connection management
   HTTP connection pool
     Persistent connections (keep-alive)
       Check the keep-alive settings at the backend web servers: a backend that drops idle connections sooner than the pool expects hands the proxy stale connections
     Chunked transfer encoding support
       Some Nginx servers don’t support chunked mode (nginx before 1.3.9 does not accept chunked request bodies)
     Make sure the http entity is “consumed” (EntityUtils.consume() in HttpClient 4.x) so that the http connection is released back to the pool; an unconsumed entity leaks one pooled connection per request until the pool blocks
   http://hc.apache.org/httpcomponents-client-ga/tutorial/html/connmgmt.html
Routing/Proxying
   URL mapping  service registry
   URL templating
     <uriMapping>
        <source>/addressbook/{uid}</source>
        <target>http://backend.xyz.com/services/addressbook/{uid}</target>
     </uriMapping>
     api.xyz.com/addressbook/me/contacts
       The “me” or “self” will be replaced with the resource owner from the oAuth 2.0 access token
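   The URL templating above, as an added example that is not code from the talk: the <uriMapping> is compiled to an anchored regex, “me”/“self” resolves to the resource owner of the validated token, and the trailing sub-path (“/contacts”) is forwarded. Two things are this example’s own policy rather than anything the slide states: an explicit uid must equal the token’s owner unless the token is a client-credentials “super user” token, and a placeholder only matches one clean path segment, so a client cannot splice “..”, “?” or extra segments into the backend URL.

```python
import re
from typing import Dict, Optional
from urllib.parse import quote

# <uriMapping> entries as (source template, target template). In the platform these
# come from the service registry; here the slide's single mapping is constructed inline.
URI_MAPPINGS = [
    ("/addressbook/{uid}", "http://backend.xyz.com/services/addressbook/{uid}"),
]

# One path segment: no '/', '?', '#' or '%', and not a "." or ".." segment.
SEGMENT = r"(?!\.\.?(?:/|$))[A-Za-z0-9_.-]+"
PLACEHOLDER = re.compile(r"\{(\w+)\}")
OWNER_ALIASES = ("me", "self")


def compile_source(template: str):
    """Turn '/addressbook/{uid}' into an anchored regex with a named group per placeholder.

    Any trailing sub-path ('/contacts' in '/addressbook/me/contacts') is captured in
    'rest' and appended to the target, which is how the slide's example resolves.
    """
    parts = PLACEHOLDER.split(template)  # literal, name, literal, name, ..., literal
    regex = "^"
    for i, part in enumerate(parts):
        regex += f"(?P<{part}>{SEGMENT})" if i % 2 else re.escape(part)
    return re.compile(regex + rf"(?P<rest>(?:/{SEGMENT})*)$")


def route(path: str, resource_owner: Optional[str], superuser: bool = False) -> Optional[str]:
    """Map an incoming API path to the backend URL, or None if the request must be rejected.

    resource_owner is the owner recorded for the validated access token (None for a
    token that has no owner). superuser marks a client-credentials token that may
    address any owner; this check is the example's policy, not the slide's.
    """
    for source, target in URI_MAPPINGS:
        match = compile_source(source).match(path)
        if match is None:
            continue
        params: Dict[str, str] = match.groupdict()
        rest = params.pop("rest")
        uid = params.get("uid")
        if uid is not None:
            if uid in OWNER_ALIASES:
                if resource_owner is None:  # nothing to resolve "me" to
                    return None
                params["uid"] = resource_owner
            elif uid != resource_owner and not superuser:
                return None
        # quote() keeps an owner id with unusual characters from changing the URL structure
        return target.format(**{k: quote(v, safe="") for k, v in params.items()}) + rest
    return None  # no mapping matched: fail closed, do not proxy
```

   Compiling the template once per registry update rather than per request is the obvious production change; the regex shape stays the same.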
Sync vs. Async
   Sync:
       Servlet 2.5 and Apache HTTP client 4.x
   Async:
       Servlet 3.0 async filter (Tomcat 7.0.x or Jetty 8.x)
       Apache HttpAsyncClient 4.0 beta 2
     // Servlet 3.0: release the container thread while the backend call is in flight
     final AsyncContext asyncContext = request.startAsync();
     asyncContext.start(new Runnable() {
         public void run() {
             // proxies to the backend; asyncDispatch must call asyncContext.complete() when done
             asyncDispatch(asyncContext, target);
         }
     });
Java vs. Node.js
   Which one is better?
     Overhead

     Scalability

   Servlet 2.5 sync mode + Apache http client
   Servlet 3.0 async mode + Apache http async
    client
   Node.js event-driven mode + http
Mediations
   Some examples:
     Protocol/data translation
       XML ↔ JSON
     API tracking
       https://github.com/codahale/metrics
       http://graphite.wikidot.com/
     Analytics
     CORS enablement
API discovery and
documentation
API discovery and
documentation
   Some apis/tools that help developers to discover
    and explore the apis
     A spec to describe the apis (urls, methods,
      input/output/exception data model)
     A UI to discover and explore the apis
     Some integration with the api implementation stacks
      such as JAX-RS to introspect the api signatures
     Client code generation tool

   Open source tools
     http://swagger.wordnik.com/
     https://developers.google.com/discovery/
Swagger UI
Q&A
   Thank you!

Weitere ähnliche Inhalte

Andere mochten auch

Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0Functional Imperative
 
0010 la era_de_los_smart_devices
0010 la era_de_los_smart_devices0010 la era_de_los_smart_devices
0010 la era_de_los_smart_devicesGeneXus
 
Teacher Dashboard for Google Apps overview june 2011
Teacher Dashboard for Google Apps overview june 2011Teacher Dashboard for Google Apps overview june 2011
Teacher Dashboard for Google Apps overview june 2011Hapara
 
OAuth: The Next Big Thing in Security
OAuth: The Next Big Thing in SecurityOAuth: The Next Big Thing in Security
OAuth: The Next Big Thing in SecurityApigee | Google Cloud
 
Patterns and Practices in Mobile SSO
Patterns and Practices in Mobile SSOPatterns and Practices in Mobile SSO
Patterns and Practices in Mobile SSOWSO2
 
Jlook open api server platform
Jlook open api server platformJlook open api server platform
Jlook open api server platformHongSeong Jeon
 
Jlook open api platform-sysdevguide
Jlook open api platform-sysdevguideJlook open api platform-sysdevguide
Jlook open api platform-sysdevguideHongSeong Jeon
 
Nuclear power station(Components)
Nuclear power station(Components)Nuclear power station(Components)
Nuclear power station(Components)Parth Patel
 
I want to be an efficient developer - APIdays Barcelona version
I want to be an efficient developer - APIdays Barcelona versionI want to be an efficient developer - APIdays Barcelona version
I want to be an efficient developer - APIdays Barcelona versionQuentin Adam
 
usable rest apis, by Javier Ramirez from teowaki (Apidays Mediterranea)
usable rest apis, by Javier Ramirez from teowaki (Apidays Mediterranea)usable rest apis, by Javier Ramirez from teowaki (Apidays Mediterranea)
usable rest apis, by Javier Ramirez from teowaki (Apidays Mediterranea)javier ramirez
 
Enhance the browser_experience
Enhance the browser_experienceEnhance the browser_experience
Enhance the browser_experienceHTML5 Spain
 
The Lincoln Institue - 10 Ways to Regenerate America's Legacy Cities
The Lincoln Institue - 10 Ways to Regenerate America's Legacy CitiesThe Lincoln Institue - 10 Ways to Regenerate America's Legacy Cities
The Lincoln Institue - 10 Ways to Regenerate America's Legacy CitiesCassidy Swanson
 
APIfying the Web with import.io (at APIdays mediterranea)
APIfying the Web with import.io (at APIdays mediterranea)APIfying the Web with import.io (at APIdays mediterranea)
APIfying the Web with import.io (at APIdays mediterranea)Ignacio Elola Villar
 
AIL Platform APIDays Mediterranea
AIL Platform APIDays MediterraneaAIL Platform APIDays Mediterranea
AIL Platform APIDays MediterraneaJoan Protasio
 

Andere mochten auch (20)

Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0
 
Google Map Code
Google Map CodeGoogle Map Code
Google Map Code
 
0010 la era_de_los_smart_devices
0010 la era_de_los_smart_devices0010 la era_de_los_smart_devices
0010 la era_de_los_smart_devices
 
Teacher Dashboard for Google Apps overview june 2011
Teacher Dashboard for Google Apps overview june 2011Teacher Dashboard for Google Apps overview june 2011
Teacher Dashboard for Google Apps overview june 2011
 
OAuth: The Next Big Thing in Security
OAuth: The Next Big Thing in SecurityOAuth: The Next Big Thing in Security
OAuth: The Next Big Thing in Security
 
Patterns and Practices in Mobile SSO
Patterns and Practices in Mobile SSOPatterns and Practices in Mobile SSO
Patterns and Practices in Mobile SSO
 
Jlook open api server platform
Jlook open api server platformJlook open api server platform
Jlook open api server platform
 
Jlook open api platform-sysdevguide
Jlook open api platform-sysdevguideJlook open api platform-sysdevguide
Jlook open api platform-sysdevguide
 
Open platform
Open platformOpen platform
Open platform
 
Nuclear power station(Components)
Nuclear power station(Components)Nuclear power station(Components)
Nuclear power station(Components)
 
Api barcelona
Api barcelonaApi barcelona
Api barcelona
 
I want to be an efficient developer - APIdays Barcelona version
I want to be an efficient developer - APIdays Barcelona versionI want to be an efficient developer - APIdays Barcelona version
I want to be an efficient developer - APIdays Barcelona version
 
usable rest apis, by Javier Ramirez from teowaki (Apidays Mediterranea)
usable rest apis, by Javier Ramirez from teowaki (Apidays Mediterranea)usable rest apis, by Javier Ramirez from teowaki (Apidays Mediterranea)
usable rest apis, by Javier Ramirez from teowaki (Apidays Mediterranea)
 
Enhance the browser_experience
Enhance the browser_experienceEnhance the browser_experience
Enhance the browser_experience
 
Patent wars, Innovation, Roads
Patent wars, Innovation, RoadsPatent wars, Innovation, Roads
Patent wars, Innovation, Roads
 
The Lincoln Institue - 10 Ways to Regenerate America's Legacy Cities
The Lincoln Institue - 10 Ways to Regenerate America's Legacy CitiesThe Lincoln Institue - 10 Ways to Regenerate America's Legacy Cities
The Lincoln Institue - 10 Ways to Regenerate America's Legacy Cities
 
APIfying the Web with import.io (at APIdays mediterranea)
APIfying the Web with import.io (at APIdays mediterranea)APIfying the Web with import.io (at APIdays mediterranea)
APIfying the Web with import.io (at APIdays mediterranea)
 
AIL Platform APIDays Mediterranea
AIL Platform APIDays MediterraneaAIL Platform APIDays Mediterranea
AIL Platform APIDays Mediterranea
 
Build a Restfull app using drupal
Build a Restfull app using drupalBuild a Restfull app using drupal
Build a Restfull app using drupal
 
Open platform/API overview
Open platform/API overviewOpen platform/API overview
Open platform/API overview
 

Mehr von Raymond Feng

Working with LoopBack Models
Working with LoopBack ModelsWorking with LoopBack Models
Working with LoopBack ModelsRaymond Feng
 
Building a Node.js API backend with LoopBack in 5 Minutes
Building a Node.js API backend with LoopBack in 5 MinutesBuilding a Node.js API backend with LoopBack in 5 Minutes
Building a Node.js API backend with LoopBack in 5 MinutesRaymond Feng
 
Data Binding Unleashed for Composite Applications
Data Binding Unleashed for Composite ApplicationsData Binding Unleashed for Composite Applications
Data Binding Unleashed for Composite ApplicationsRaymond Feng
 
Building Flexible APIs for Web 2.x/Cloud Applications (JavaOne 2011 Session ...
Building Flexible APIs for Web 2.x/Cloud Applications (JavaOne 2011 Session ...Building Flexible APIs for Web 2.x/Cloud Applications (JavaOne 2011 Session ...
Building Flexible APIs for Web 2.x/Cloud Applications (JavaOne 2011 Session ...Raymond Feng
 
RESTful SCA with Apache Tuscany
RESTful SCA with Apache TuscanyRESTful SCA with Apache Tuscany
RESTful SCA with Apache TuscanyRaymond Feng
 
Data Binding Unleashed for Composite Applications
Data Binding Unleashed for Composite ApplicationsData Binding Unleashed for Composite Applications
Data Binding Unleashed for Composite ApplicationsRaymond Feng
 
Apache Tuscany 2.x Extensibility And SPIs
Apache Tuscany 2.x Extensibility And SPIsApache Tuscany 2.x Extensibility And SPIs
Apache Tuscany 2.x Extensibility And SPIsRaymond Feng
 
OSGi Enablement For Apache Tuscany
OSGi Enablement For Apache TuscanyOSGi Enablement For Apache Tuscany
OSGi Enablement For Apache TuscanyRaymond Feng
 
OSGi Remote Services With SCA using Apache Tuscany
OSGi Remote Services With SCA using Apache TuscanyOSGi Remote Services With SCA using Apache Tuscany
OSGi Remote Services With SCA using Apache TuscanyRaymond Feng
 

Mehr von Raymond Feng (9)

Working with LoopBack Models
Working with LoopBack ModelsWorking with LoopBack Models
Working with LoopBack Models
 
Building a Node.js API backend with LoopBack in 5 Minutes
Building a Node.js API backend with LoopBack in 5 MinutesBuilding a Node.js API backend with LoopBack in 5 Minutes
Building a Node.js API backend with LoopBack in 5 Minutes
 
Data Binding Unleashed for Composite Applications
Data Binding Unleashed for Composite ApplicationsData Binding Unleashed for Composite Applications
Data Binding Unleashed for Composite Applications
 
Building Flexible APIs for Web 2.x/Cloud Applications (JavaOne 2011 Session ...
Building Flexible APIs for Web 2.x/Cloud Applications (JavaOne 2011 Session ...Building Flexible APIs for Web 2.x/Cloud Applications (JavaOne 2011 Session ...
Building Flexible APIs for Web 2.x/Cloud Applications (JavaOne 2011 Session ...
 
RESTful SCA with Apache Tuscany
RESTful SCA with Apache TuscanyRESTful SCA with Apache Tuscany
RESTful SCA with Apache Tuscany
 
Data Binding Unleashed for Composite Applications
Data Binding Unleashed for Composite ApplicationsData Binding Unleashed for Composite Applications
Data Binding Unleashed for Composite Applications
 
Apache Tuscany 2.x Extensibility And SPIs
Apache Tuscany 2.x Extensibility And SPIsApache Tuscany 2.x Extensibility And SPIs
Apache Tuscany 2.x Extensibility And SPIs
 
OSGi Enablement For Apache Tuscany
OSGi Enablement For Apache TuscanyOSGi Enablement For Apache Tuscany
OSGi Enablement For Apache Tuscany
 
OSGi Remote Services With SCA using Apache Tuscany
OSGi Remote Services With SCA using Apache TuscanyOSGi Remote Services With SCA using Apache Tuscany
OSGi Remote Services With SCA using Apache Tuscany
 

Kürzlich hochgeladen

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 

Kürzlich hochgeladen (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 

Building a Web API Platform with Open Source oAuth 2.0, REST, and NoSQL (JavaOne 2012)

  • 1. BUILDING A WEB API PLATFORM WITH OPEN SOURCE OAUTH 2.0, REST, AND NOSQL SESSION 6946 JAVAONE 2012
  • 2. About the speakers
     Raymond Feng
       Staff Software Engineer – Shutterfly, Inc.
       Member – Apache Software Foundation
       Committer – Apache Tuscany, Wink, Amber
       Co-author – Tuscany SCA In Action
  • 3. Agenda
     Why a Web API platform
     The key components of the Web API platform stack
       OAuth 2.0
       HTTP reverse proxy
       Metrics
       API discovering, exploring and playing
     Q&A
  • 4. Overview of a Web API Platform
  • 5. Why a Web API platform?
     Why Web APIs?
       A great way to build the ecosystem
       For some companies, APIs = products
       Proliferation of mobile clients
       Universal access for internal systems, web or mobile front ends, and third-party apps
     This talk is about the platform/infrastructure behind the curtain that supports Web API calls. It is NOT about Web API design, development or security.
  • 6. What's behind the scene?
     What's behind an oAuth 2.0 protected REST API call?
       GET https://api.<mycompany>.com/me/albums?access_token=<oAuth 2.0 access token>
       POST https://api.<mycompany>.com/me/albums?access_token=<oAuth 2.0 access token>
         Content-Type: application/json
         Accept: application/json
         Request body: {"name": "Summer 2012"}
  • 7. A Web API Platform (architecture diagram; components only)
     Client applications
     HTTP reverse proxy
       QoS plugins: Auth, Metrics, Throttling, Mediation, …
       User sign-in page
     Protected resources
     Infrastructure
       Distributed data grid (service registry, metrics, quota/usage)
       Persistence
       Security (identity management, client application registration, user authentication, token management, resource ACLs)
  • 8. Key components
     Authentication/Authorization (oAuth 2.0)
     Reverse proxy (API dispatching)
       Mediation
       Monitoring
       Analytics
     Backend infrastructure
       Client/Token management
       Service registry
       Metrics aggregation
       Metrics visualization
     Developer portal
       Application registration
       Dashboard
       API documentation
       API playground
  • 9. API invocation flow
     An API request (REST/JSON) comes in over HTTPS
     Threat detection
     Authentication (oAuth 2.0 access_token)
     Authorization (token – scopes – resources)
     Rate limiting
     Caching
     Mediation
     Routing
     Analytics
     API logic
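The invocation flow above, as an added example that is not code from the talk and not a servlet filter from the Java stack it describes: a Python filter chain over one request context that implements threat detection, bearer-token authentication, per-client rate limiting (a token bucket) and dispatch, in that order. Caching, mediation and analytics are left out. The token table, the client quotas, the header names and the backend host are constructed for the example. The token is taken from the Authorization: Bearer header rather than the access_token query parameter shown on slide 6, because query strings end up in access logs and Referer headers.

```python
"""API invocation pipeline: threat detection -> authentication -> rate limiting -> dispatch.

Added example, not code from the JavaOne talk. Token table, quotas and
sample requests are constructed; the backend host is an assumption.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

MAX_BODY = 1 << 20          # 1 MiB request-body ceiling for threat detection

# Constructed token table: token string -> (client_id, resource owner, expiry as unix time).
TOKENS = {
    "tok-app1-u42": ("app1", "u42", 2_000_000_000),
    "tok-app2-expired": ("app2", "u7", 1_000_000_000),
}

# Constructed per-client quotas: (requests per second, burst size).
QUOTAS = {"app1": (2.0, 3), "app2": (10.0, 10)}


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    body: bytes = b""
    now: float = 1_500_000_000.0
    client_id: Optional[str] = None   # filled in by authenticate()
    user_id: Optional[str] = None


@dataclass
class Response:
    status: int
    reason: str
    target: Optional[str] = None      # backend URL chosen by dispatch()


class TokenBucket:
    """Per-client rate limiter: `rate` tokens per second, at most `burst` stored."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens, self.updated = float(burst), None

    def allow(self, now: float) -> bool:
        if self.updated is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.updated) * self.rate)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Pipeline:
    def __init__(self):
        self.buckets = {}
        # Order matters: reject junk before any lookup, authenticate before
        # rate limiting so the limit is keyed by client id, not by source IP.
        self.filters: List[Callable[[Request], Optional[Response]]] = [
            self.threat_detection, self.authenticate, self.rate_limit, self.dispatch]

    def handle(self, req: Request) -> Response:
        for f in self.filters:
            resp = f(req)
            if resp is not None:      # a filter short-circuits by returning a response
                return resp
        return Response(500, "no filter produced a response")

    def threat_detection(self, req: Request) -> Optional[Response]:
        if len(req.body) > MAX_BODY:
            return Response(413, "body too large")
        if ".." in req.path.split("/") or "\r" in req.path or "\n" in req.path:
            return Response(400, "malformed path")
        return None

    def authenticate(self, req: Request) -> Optional[Response]:
        scheme, _, token = req.headers.get("Authorization", "").partition(" ")
        if scheme.lower() != "bearer" or not token:
            return Response(401, "missing bearer token")
        entry = TOKENS.get(token)
        if entry is None or entry[2] <= req.now:
            return Response(401, "invalid or expired token")
        req.client_id, req.user_id = entry[0], entry[1]
        return None

    def rate_limit(self, req: Request) -> Optional[Response]:
        rate, burst = QUOTAS.get(req.client_id, (1.0, 1))
        bucket = self.buckets.setdefault(req.client_id, TokenBucket(rate, burst))
        if not bucket.allow(req.now):
            return Response(429, "rate limit exceeded for " + req.client_id)
        return None

    def dispatch(self, req: Request) -> Optional[Response]:
        # Hand the request to the reverse proxy; the backend host is assumed.
        return Response(200, "dispatched", target="http://backend.internal" + req.path)
```

Running the same authenticated request four times within one second with the app1 quota (2 req/s, burst 3) yields three dispatches and one 429; half a second later one token has been refilled and the next request passes again.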
  • 11. oAuth 2.0
     Based on Apache Amber (later renamed Apache Oltu), which implements the latest oAuth 2.0 spec (draft 31 at the time, later published as RFC 6749)
       http://tools.ietf.org/html/draft-ietf-oauth-v2-31
       http://incubator.apache.org/amber/
     Additional SPIs are identified for oAuth 2.0 related metadata management and for integration with the security infrastructure
  • 12. oAuth 2.0 concepts
     OAuth defines four roles:
       resource owner: an entity capable of granting access to a protected resource (e.g. an end user)
       resource server: the server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens
       client: an application making protected resource requests on behalf of the resource owner and with its authorization
       authorization server: the server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization
  • 13. oAuth 2.0 flows/grant types
     An authorization grant is a credential representing the resource owner's authorization (to access its protected resources), used by the client to obtain an access token.
     The oAuth 2.0 specification defines four grant types:
       authorization code
       implicit
       resource owner password credentials
       client credentials
  • 14. Use cases: trusted client applications
     Trusted clients include:
       Internal applications (running on the server side or the client side)
       Mobile clients
     Mapping to oAuth 2.0
       Client credentials for an access token (super user)
       Resource owner password credentials for an access token (runs as the "resource owner")
  • 15. Use cases: third-party applications
     We plan to roll out web APIs to 3rd-party applications
     oAuth 2.0 will be used as the authentication/authorization mechanism
     Mapping to oAuth 2.0
       Authorization code flow
       Implicit grant flow
  • 16. oAuth 2.0 SPI – client registration
     Client applications will be registered with:
       Contact e-mail
       Application name/description
       Callback URIs
       Authentication scheme
  • 17. oAuth 2.0 SPI – resource ACL
     Determine if a resource is protected
       Public
       Client-id specific
       Resource-owner specific
     Who are the resource owners?
     Scopes of the access, e.g. a scope definition and a protected resource definition:
         {"scope": "media",
          "description": "Media",
          "expiresIn": 604800,
          "requiredAccessLevel": 1,
          "resourceOwnerAuthorizationRequired": false}

         {"id": "media_resource",
          "operations": ["ALL"],
          "path": "/media",
          "scopes": ["media"]}
  • 18. oAuth 2.0 SPI – authentication & authorization
     Make sure a client is registered
     Make sure a token/code is valid
     Authenticate a client using client_id/client_secret
     Authenticate a resource owner using user name/password
     Check the token against the protected resources (ACL)
     Establish the principal/subject
  • 19. oAuth 2.0 SPI – token management
     Generate access/refresh tokens for a given client, resource owner, and scopes
     Generate authorization codes for a given client, resource owner, and scopes
     Look up the token metadata based on the token string
     Look up the authorization code metadata based on the code string
     Expiration
     Refresh tokens
     MongoDB as the backend store for tokens
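The token-management SPI above, as an added example that is not code from the talk or from Apache Amber: an in-memory dict stands in for the MongoDB collection, authorization codes are short-lived and single-use, refresh tokens are rotated on use, and a code presented twice revokes the tokens that were issued from it (RFC 6749 section 4.1.2). The store is keyed on a SHA-256 hash of the token rather than the token string itself so that a leaked database copy does not yield usable credentials; that, the lifetimes and the sample client are choices made for the example, not something the slide states.

```python
"""Token management: authorization codes, access/refresh tokens, lookup, expiry, rotation.

Added example, not code from the JavaOne talk or from Apache Amber. An
in-memory dict stands in for MongoDB; lifetimes and field names are assumptions.
"""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional

CODE_TTL = 60                   # authorization codes: short-lived, single-use
ACCESS_TTL = 3600
REFRESH_TTL = 30 * 24 * 3600


@dataclass
class Grant:
    client_id: str
    resource_owner: Optional[str]   # None for a client-credentials grant
    scopes: tuple
    expires_at: float
    kind: str                       # "code", "access" or "refresh"
    used: bool = False
    issued: list = field(default_factory=list)   # store keys of tokens issued from a code


def _key(token: str) -> str:
    """Tokens are stored hashed; the plaintext only ever lives with the client."""
    return hashlib.sha256(token.encode()).hexdigest()


class TokenManager:
    def __init__(self):
        self.store = {}   # sha256(token) -> Grant

    def _issue(self, kind, client_id, owner, scopes, ttl, now) -> str:
        token = secrets.token_urlsafe(32)          # 256 bits of randomness, opaque to clients
        self.store[_key(token)] = Grant(client_id, owner, tuple(scopes), now + ttl, kind)
        return token

    def lookup(self, token: str, now: float) -> Optional[Grant]:
        """Metadata for a live token string; None if unknown, expired or already consumed."""
        grant = self.store.get(_key(token))
        if grant is None or grant.used or grant.expires_at <= now:
            return None
        return grant

    def issue_code(self, client_id, owner, scopes, now) -> str:
        return self._issue("code", client_id, owner, scopes, CODE_TTL, now)

    def issue_tokens(self, client_id, owner, scopes, now):
        """Access token plus refresh token for one client/owner/scopes triple."""
        return (self._issue("access", client_id, owner, scopes, ACCESS_TTL, now),
                self._issue("refresh", client_id, owner, scopes, REFRESH_TTL, now))

    def redeem_code(self, code, client_id, now):
        """Authorization-code grant: exchange a code for an access/refresh pair."""
        grant = self.store.get(_key(code))
        if grant is None or grant.kind != "code" or grant.expires_at <= now:
            return None
        if grant.used:
            # A code presented twice is treated as leaked (RFC 6749 section 4.1.2):
            # revoke what was issued from it and refuse.
            for k in grant.issued:
                self.store.pop(k, None)
            return None
        if grant.client_id != client_id:          # code is bound to the client it was issued to
            return None
        grant.used = True
        access, refresh = self.issue_tokens(grant.client_id, grant.resource_owner, grant.scopes, now)
        grant.issued = [_key(access), _key(refresh)]
        return access, refresh

    def refresh(self, refresh_token, client_id, now):
        """Rotate: the presented refresh token is consumed and a new pair is issued."""
        grant = self.lookup(refresh_token, now)
        if grant is None or grant.kind != "refresh" or grant.client_id != client_id:
            return None
        grant.used = True
        return self.issue_tokens(grant.client_id, grant.resource_owner, grant.scopes, now)

    def expire(self, now) -> int:
        """Housekeeping: drop expired and consumed entries (a MongoDB TTL index would do this)."""
        dead = [k for k, g in self.store.items() if g.used or g.expires_at <= now]
        for k in dead:
            del self.store[k]
        return len(dead)
```

Tokens rotated from a refresh token are not linked back to the original code here; a production store would carry that lineage so a replayed code can revoke the whole chain.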
  • 20. oAuth 2.0 infrastructure (architecture diagram; components only)
     Actors: Client, Resource Owner, User Agent (browser), Internet
     Authorization Server: Client Registration Endpoint, Authorization Endpoint, Token Endpoint
     Managers: Client Registration Manager, Authenticator, Token Manager, Resource Access Manager
     Stores: Client Registrations, Users (Resource Owners), Tokens and Authorization Codes, Resource Permissions and Scope Definitions
     Resource Server: HTTP proxy with the oAuth 2.0 Filter in front of the Protected Resources (such as user media or address book)
  • 21. Mapping oAuth 2.0 scopes (diagram)
     Client and Resource Owner → oAuth 2.0 token → Scopes → Protected Resources
     Each scope maps to a set of protected resources, e.g.
       GET /services/addressbook/…
       POST /services/addressbook/…
       GET /services/media/…
       …
     See an example at: http://developers.facebook.com/docs/reference/api/permissions/
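The resource ACL (slide 17), the authorization checks (slide 18) and the scope-to-resource mapping above, as one added example that is not code from the talk or from Apache Amber. It uses the two JSON shapes from slide 17 (a scope definition and a protected-resource definition) and walks the checks in order: is the resource protected, is the token live, do the token's scopes cover the resource and its HTTP operation, may a client-only token exercise the scope, and which principal/subject to establish. The addressbook and status entries, the token fields and the HTTP status codes are constructed for the example.

```python
"""Resource ACL and scope check for an oAuth 2.0 protected resource.

Added example, not code from the JavaOne talk or from Apache Amber.
Scope and resource definitions follow the slide's JSON shape; the
addressbook/status entries and the Token fields are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

# Scope definitions, keyed by scope name.
SCOPES = {
    "media": {"description": "Media", "expiresIn": 604800,
              "requiredAccessLevel": 1, "resourceOwnerAuthorizationRequired": False},
    "addressbook": {"description": "Address book", "expiresIn": 3600,
                    "requiredAccessLevel": 2, "resourceOwnerAuthorizationRequired": True},
}

# Protected resource definitions. "operations": ["ALL"] covers every HTTP
# method; an empty "scopes" list marks a public resource.
RESOURCES = [
    {"id": "media_resource", "path": "/media", "operations": ["ALL"], "scopes": ["media"]},
    {"id": "addressbook_read", "path": "/addressbook", "operations": ["GET"], "scopes": ["addressbook"]},
    {"id": "addressbook_write", "path": "/addressbook", "operations": ["POST", "PUT", "DELETE"],
     "scopes": ["addressbook"]},
    {"id": "status", "path": "/status", "operations": ["GET"], "scopes": []},
]


@dataclass
class Token:
    client_id: str
    resource_owner: Optional[str]   # None for a client-credentials token
    scopes: List[str]
    expires_at: float


@dataclass
class Decision:
    status: int                     # HTTP status the proxy would return
    reason: str
    principal: Optional[str] = None
    resource_id: Optional[str] = None


def _path_matches(prefix: str, path: str) -> bool:
    # Segment-aware prefix match: "/media" covers "/media/1" but not "/mediafoo".
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def find_resource(method: str, path: str):
    """Longest path-prefix match, then filter by HTTP operation.
    Returns (resource, 200), (None, 404) if no path matches or (None, 405) if the path
    matches but the method is not defined for it."""
    by_path = [r for r in RESOURCES if _path_matches(r["path"], path)]
    if not by_path:
        return None, 404
    longest = max(len(r["path"]) for r in by_path)
    for r in by_path:
        if len(r["path"]) == longest and ("ALL" in r["operations"] or method in r["operations"]):
            return r, 200
    return None, 405


def authorize(token: Optional[Token], method: str, path: str, now: float) -> Decision:
    resource, status = find_resource(method, path)
    if resource is None:
        return Decision(status, "no protected resource matches %s %s" % (method, path))
    rid = resource["id"]
    if not resource["scopes"]:
        return Decision(200, "public resource", principal="anonymous", resource_id=rid)
    if token is None:
        return Decision(401, "access token required", resource_id=rid)
    if token.expires_at <= now:
        return Decision(401, "access token expired", resource_id=rid)
    granted = [s for s in resource["scopes"] if s in token.scopes]
    if not granted:
        return Decision(403, "insufficient scope, need one of %s" % resource["scopes"], resource_id=rid)
    # A resource-owner-specific scope cannot be exercised by a client-only token.
    usable = [s for s in granted
              if token.resource_owner is not None or not SCOPES[s]["resourceOwnerAuthorizationRequired"]]
    if not usable:
        return Decision(403, "scope %s requires resource owner authorization" % granted[0], resource_id=rid)
    # Establish the principal/subject the backend will run as.
    principal = token.resource_owner if token.resource_owner is not None else "client:" + token.client_id
    return Decision(200, "granted via scope " + usable[0], principal=principal, resource_id=rid)
```

A client-credentials token carrying the addressbook scope is refused even though the scope matches, because that scope is marked resourceOwnerAuthorizationRequired; a user token with the same scope is admitted and the user becomes the principal.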
  • 23. Client/resource management (administrative)
     We need to have a UI to
       Manage the resource endpoints (URI patterns and HTTP operations)
       Define oAuth 2.0 scopes that map to a list of resource access permissions
       Manage client applications (enable/disable, setting quota, …)
       Manage access tokens/authorization codes
  • 24. Dashboard
     Monitor the API usage (administrative)
       By client id
       By user id
       By resource URIs
       By timeline
     Let developers see their client applications (developer)
       Registrations
       Usage
       Granted permissions
  • 25. REST APIs for API management
     Get the list of defined scopes
     Display a scope
     Get the list of defined resources
     Display a token
     Display an authorization code
     Display a client registration
     Get the list of registered clients for a given user
     List tokens by client id/user id
     List authorization codes by client id/user id
     List granted permissions
  • 28. HTTP reverse proxy
     DO NOT deploy the services on the API server directly
     The API server dispatches API calls to the back-end services
     Open source tools:
       Apache HttpComponents: http://hc.apache.org/
  • 29. HTTP reverse proxy – connection management
     HTTP connection pool
     Persistent connections (keep-alive)
       Check the keep-alive settings on the backend web servers
     Chunked transfer encoding support
       Some Nginx servers don't support chunked mode
     Make sure the HTTP entity is "consumed" so that the connection is released back to the pool
     http://hc.apache.org/httpcomponents-client-ga/tutorial/html/connmgmt.html
  • 30. Routing/Proxying
     URL mapping
       Service registry
       URL templating, e.g.
         <uriMapping>
           <source>/addressbook/{uid}</source>
           <target>http://backend.xyz.com/services/addressbook/{uid}</target>
         </uriMapping>
     api.xyz.com/addressbook/me/contacts
       The "me" or "self" will be replaced with the resource owner from the oAuth 2.0 access token
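The URL mapping above, as an added example that is not code from the talk: it reads uriMapping entries in the XML shape shown on the slide, matches the incoming API path against the source template, substitutes the resource owner taken from the access token for "me" or "self", and builds the backend URL. The wrapping <uriMappings> root element, the media mapping and the backend hosts are assumptions; a request that says "me" but arrives with a token that has no resource owner (a client-credentials token) is rejected rather than routed.

```python
"""Routing: URI-template mapping with "me"/"self" resolved from the access token.

Added example, not code from the JavaOne talk. The <uriMappings> root,
the media mapping and the backend hosts are assumptions.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple
from urllib.parse import quote

# Constructed config in the slide's uriMapping shape.
MAPPINGS_XML = """
<uriMappings>
  <uriMapping>
    <source>/addressbook/{uid}</source>
    <target>http://backend.xyz.com/services/addressbook/{uid}</target>
  </uriMapping>
  <uriMapping>
    <source>/media/{uid}/albums</source>
    <target>http://media.xyz.com/v1/users/{uid}/albums</target>
  </uriMapping>
</uriMappings>
"""

SELF_ALIASES = ("me", "self")


class RoutingError(Exception):
    pass


def load_mappings(xml_text: str) -> List[Tuple["re.Pattern", str]]:
    """Compile each <source> template into a regex; returns [(regex, target)] in config order."""
    mappings = []
    for m in ET.fromstring(xml_text).findall("uriMapping"):
        source, target = m.findtext("source"), m.findtext("target")
        # re.split with a capturing group alternates literal text and variable names.
        parts = re.split(r"\{(\w+)\}", source)
        pattern = "".join(re.escape(p) if i % 2 == 0 else "(?P<%s>[^/]+)" % p
                          for i, p in enumerate(parts))
        # Each {name} matches exactly one path segment; anything after the template
        # (e.g. /contacts) is captured as "rest" and carried over to the backend.
        mappings.append((re.compile("^" + pattern + "(?P<rest>/.*)?$"), target))
    return mappings


def route(mappings, path: str, resource_owner: Optional[str]) -> Optional[str]:
    """Backend URL for an incoming API path, or None if no mapping applies."""
    segments = path.split("/")
    if ".." in segments or "" in segments[1:-1]:
        raise RoutingError("malformed path: " + path)
    for regex, target in mappings:
        m = regex.match(path)
        if m is None:
            continue
        values = m.groupdict()
        rest = values.pop("rest") or ""
        for name, value in values.items():
            if value in SELF_ALIASES:
                if resource_owner is None:
                    raise RoutingError("'%s' in {%s} needs a resource owner, but the token has none"
                                       % (value, name))
                value = resource_owner
            # Percent-encode the substituted id so it cannot smuggle '/' or '?' into the backend URL.
            values[name] = quote(value, safe="")
        return target.format(**values) + rest
    return None
```

Only template variables are resolved; a literal "me" further down the path (in the carried-over remainder) is passed to the backend unchanged, so templates should cover every position where the alias is allowed.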
  • 31. Sync vs. Async
     Sync:
       Servlet 2.5 and Apache HttpClient 4.x
     Async:
       Servlet 3.0 async filter (Tomcat 7.0.x or Jetty 8.x)
       Apache HttpAsyncClient 4.0 beta 2
       Example (javax.servlet.AsyncContext; the servlet/filter must be declared async-supported):
         final AsyncContext asyncContext = request.startAsync();
         asyncContext.start(new Runnable() {
             public void run() {
                 // application method that proxies to the backend; it must call
                 // asyncContext.complete() once the backend response has been written
                 asyncDispatch(asyncContext, target);
             }
         });
  • 32. Java vs. Node.js
     Which one is better?
       Overhead
       Scalability
     Servlet 2.5 sync mode + Apache HttpClient
     Servlet 3.0 async mode + Apache HttpAsyncClient
     Node.js event-driven mode + http
  • 33. Mediations
     Some examples:
       Protocol/data translation (XML <-> JSON)
       API tracking
         https://github.com/codahale/metrics
         http://graphite.wikidot.com/
       Analytics
       CORS enablement
  • 35. API discovery and documentation
     Some APIs/tools that help developers discover and explore the APIs
       A spec to describe the APIs (URLs, methods, input/output/exception data model)
       A UI to discover and explore the APIs
       Some integration with the API implementation stacks, such as JAX-RS, to introspect the API signatures
       Client code generation tool
     Open source tools
       http://swagger.wordnik.com/
       https://developers.google.com/discovery/
  • 37. Q&A
     Thank you!