- Jordan Valdma from TransferWise gave a talk about gateways, services, and APIs at TransferWise.
- The talk covered the history of microservices, designing RESTful APIs, and security considerations for microservices including OAuth 2.0 flows, JSON Web Tokens, and combining JWT with OAuth tokens.
- Tips were provided for designing RESTful APIs, gateways, services, and security including focusing on interfaces, getting early feedback, and decoupling from data sources.
2. Hi, I’m Jordan
TransferWise Global Partnerships Engineering
Estonian (too few words)
MSc Data Sciences and Machine Learning
Like to organize events, hackathons, ...
3. This talk
● Intro TransferWise MSs
● RESTful API design
● MicroService Security
4. Brief history of What We Have Done
● Dark Ages - Separation of Monolith: separate in-house and public web applications. Modular thinking.
● First Micro Services: beginning of life ...
● Age of Enlightenment - DevOps: people wake up: “Hey, I have a right to release!”
● Good night sleep: don’t have to worry about people hacking
● Baby Boom of Services: “It’s so easy to make a... Service!”
● Modern ages: state of the art tech, separate codebases
6. TransferWise RESTful API
1. Starting point: internal API
a. People were not satisfied with
b. Out of standard (RPC, error handling, ...), couldn’t give it out
2. Forming focus group (strong stakeholders)
3. Designing resource model:
a. Base layer is flexible
b. Orchestration layers on top
4. Design Interfaces - Collaborate - REPEAT
5. Implementation and tweaking
7. Tips for Designing RESTful API
● “Interfaces over meetings”
● Get the teams talking!!
● Get alpha partners to give feedback on interfaces
● Implement against it
● SWAGGER or similar
● Start thinking about dev support early.
11. MicroService auth - starting point
i.e. TransferService
curl /transfers/?createdByUserId={userId}
Gateway
curl /transfers -H "Authorization: Bearer $TOKEN"
TransferService
Is token OK? Who is the user?
16. MicroService auth - JWT + oAuth Token
i.e. TransferService
curl /transfers/ -H "Authorization: Bearer $JWT_TOKEN"
Gateway
curl /transfers -H "Authorization: Bearer $TOKEN"
TransferService
AuthorizationServer: Is token OK? Who is the user?
curl /check_token?token="$JWT_TOKEN"
Decode JWT & validate oAuth token
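As an added illustration of the flow on this slide (not code from the talk or from TransferWise), a minimal Python sketch of both halves: the gateway issuing an HS256 JWT that wraps the OAuth token and the resolved user, and TransferService verifying that JWT and then checking the embedded OAuth token against a stand-in for the authorization server’s /check_token. The shared secret, the token store and the claim names are assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed shared secret between the gateway (JWT issuer) and TransferService (assumption).
GATEWAY_SECRET = b"constructed-demo-secret"
# Stand-in for the authorization server behind /check_token: opaque OAuth access
# tokens mapped to the user they were issued to and whether they are still active.
OAUTH_TOKENS = {"tok-abc": {"user_id": 42, "active": True},
                "tok-revoked": {"user_id": 7, "active": False}}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_jwt(oauth_token: str, user_id: int, ttl: int = 300, now=None) -> str:
    """Gateway side: wrap the OAuth token and resolved user in a short-lived HS256 JWT."""
    now = now if now is not None else int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "oauth_token": oauth_token, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(GATEWAY_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def check_token(token):
    """Simulated AuthorizationServer /check_token: user id for a live token, else None."""
    info = OAUTH_TOKENS.get(token)
    return info["user_id"] if info and info["active"] else None

def authenticate(bearer_jwt: str, now=None):
    """TransferService side: verify the JWT, then validate the OAuth token it carries.
    Returns the authenticated user id, or None if any check fails."""
    now = now if now is not None else int(time.time())
    try:
        h, p, s = bearer_jwt.split(".")
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
        signature = _b64url_decode(s)
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256":  # never honour the token's own alg (alg=none confusion)
        return None
    expected = hmac.new(GATEWAY_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time signature check
        return None
    if payload.get("exp", 0) <= now:  # expired JWT
        return None
    user = check_token(payload.get("oauth_token"))  # "Is token OK?"
    if user is None or user != payload.get("sub"):  # "Who is the user?" must agree with the JWT
        return None
    return user
```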
17. Tips for Micro Service security
● Anonymous JWTs
● Pain with Authentication types
● Code grant for legacy token swap
18. Tips for Gateways and Services
● Domain driven design
● Move on from testing infrastructure into staging ASAP
● Proxy swagger upstream
● Decouple from datasource early!
● Keep your gateway lean
● Plan ahead for multi-node setup