1. API Management with wicked.haufe.io
Microservices Architecture Day, November 22
Martin Danielsson (@donmartin76)
dev.haufe.com
github.com/Haufe-Lexware, github.com/DonMartin76
@HaufeDev
2. 1 Intro – API Management
Why would you need and want API Management?
3. What does it do?
Provide discoverability and self-service access to APIs for developers, easily and automatically.
Monitor traffic to provide usage insights for individual apps and APIs: who is using what, and how much?
Protect the API from misuse by providing security, e.g. by wrapping it in security procedures and policies.
Protect the runtime with traffic control, e.g. by throttling for mobile apps.
Use API Management to decouple the inside from the outside, keeping interfaces (APIs) stable.
| 29.11.2016 | API Management -- wicked.haufe.io -- Microservices Architecture Day -- Martin Danielsson | Page 3
4. API Management Key Components
Diagram: API Portal (used by API Owners, Developers, Admin; Developer Self-Service), End User, Service Endpoints.
Source: http://www.apiacademy.co/resources/api-management-101-api-management-basics/
5. Our (API) Approach @Haufe
Don’t centralize.
Group APIs by functionality.
Let teams work independently, as long as they follow our API Styleguide.
Choose API Management by use case, not by dogma.
Automate (Build, Test, Deploy, …).
6. Use Cases
SPA, M2M, Mobile
Don’t search for the “One to rule them all”. Instead, go for “Good enough”. And not to forget: “Evolutionary refinement”.
9. wicked.haufe.io - Features
“Normal Features”
API Gateway (Kong)
Rate-Limiting, CORS,…
API Keys
OAuth 2.0 Support
Developer Portal, Self Signup
Social Logins, ADFS Login
Swagger UI/OpenAPI
Collaboration Features
Authorization Servers…
“Unique Selling Points”
Built to run in Docker
Deployable on any premises
Configuration as Code
Immutable Servers
Built for CI/CD
Multi-Environment Support
Fully Open Source
Flexible and Extensible
Awesome logo (thanks, Olaf!)
10. Main Use Cases - Machine to Machine
Diagram: Consumer -> API Gateway -> Backend Service
Consumer sends: X-ApiKey: abd82636d…
Gateway forwards to the backend with: X-Consumer-CustomId: consumer1
Also works with the OAuth 2.0 Client Credentials Flow.
11. API Keys or OAuth 2.0 Client Credentials
Machine to Machine - When to use?
Trusted consumers. Server-side communication. End user not relevant (or already authN/Z’d).
12. Use Case - Single Page Application (SPA) with Backend API
Diagram: Consumer (SPA) in the User-Agent (Browser) -> AJAX/CORS Call -> Backend API
Open questions: Is it really the SPA making those calls? User identity?
13. SPA - OAuth 2.0 Implicit Flow
Diagram: Consumer (SPA) in the User-Agent (Browser) -> API Gateway -> Backend API
SPA sends: Authorization: Bearer abd83634...
Gateway forwards to the backend with: X-Authenticated-Userid: donmartin76 and X-Consumer-Custom-Id: spa-consumer
14. How do we get an Access Token? (OAuth 2.0 Implicit Flow)
Sequence (User-Agent / Browser): Consumer (SPA) -> Browser Redirect (302) via the API Gateway to the AuthZ Server:
https://api.yourcompany.com/auth/api?client_id=23876d7828db...&response_type=token
AuthZ Server: Authorize (server-side call), then redirect back to the Consumer (SPA) with the Access Token in the URL fragment:
https://yourcompany.com/spa/#access_token=abd83634...
15. Authorization Server - What does it do?
“WHO?” Authenticate: establish identity. Can delegate to a dedicated Identity Provider: Google, Twitter, Atlantic SSO, …
“WHAT?” Authorize: what is the user allowed to access? Check licenses, user groups, authorized scopes, …
Sometimes: Authentication == Authorization.
Output: ACCESS TOKEN
16. Actual Sequence - Atlantic as IdP
Sequence (User-Agent / Browser): Consumer (SPA) -> AuthZ Server -> Atlantic Login -> AuthZ Server (License Server, …) -> Consumer (SPA)
https://yourcompany.com/spa/#access_token=abd83634...
18. Deployment Architecture
Diagram components: HAPROXY (SSL TERM.), PORTAL + AUTH S., KONG, API, SPA
19. Demo Prerequisites
2 Docker Hosts on Azure:
- API Management (DS_1)
- API Backend (DS_1)
Google+ Web App Credentials (Client ID and Secret)
GitHub Web App Credentials (Client ID and Secret)
SAML SP Registration with Atlantic (Integration Instance) (Thanks, Dan!)
APIm Configuration:
- DNS entry
- Let’s Encrypt Certs
- GitHub Login
1-2 hours
21. Authorization Server functionality (for Implicit Grant)
Provide a normalized profile (via CORS or OpenID Connect*)
Decouple authentication from the application (“WHO?”)
Refresh access tokens via heartbeat (via CORS, NON STANDARD)
Decide on authorization, if needed (“WHAT?”)
22. OAuth 2.0 - The standard flows
Client Credentials Grant
Machine to Machine
Implicit Grant
For Mobile and SPAs (public clients)
Resource Owner Password Grant
For Mobile, trusted Apps
Authorization Code Grant
Web Sites, Mobile, to let 3rd Parties access
your data on your behalf
24. Requirements and Architectural Decisions
• What goes into APIm?
• What goes into the backend?
• Which are the requirements for APIm? Project specific!
Deployment and Automation
• go.cd Pipeline design
• Automation and deployment scripts
• Adapting APIm to our architectural principles
Evangelizing
• Why APIs? Why API Management?
• Longer term benefits
• Opening up, enabling, composing
27. Links to wicked.haufe.io
Microsite for “marketing”:
http://wicked.haufe.io
Main Github site:
https://github.com/Haufe-Lexware/wicked.haufe.io
Sample wicked portal:
https://wicked-demo.haufe.io
Sample Authorization Server implementations:
https://github.com/Haufe-Lexware/wicked.auth-passport (Social Logins)
https://github.com/Haufe-Lexware/wicked.auth-saml (SAML SSO)
https://github.com/Haufe-Lexware/wicked.auth-adfs (ADFS federation)
Sample SPA/API Application “markdown-notes”:
https://github.com/DonMartin76/markdown-notes
Editor's Notes
Just some aspects of it. There are more, depending on your use cases. Monetizing your assets is not something we focus on right now. Decoupling is, because it gives you freedom to act.
Basically, it's a gateway and a portal (and sometimes not even that).