2. Agenda
๏ Why APIs?
๏ API-Management
๏ Demo – WSO2 API-M
๏ SOA, ESB and Integration
๏ API and Integration convergence - API-Façade
๏ API Security
๏ Demo – API-Façade Pattern with WSO2 ESB and WSO2-API-M
3. Why APIs
๏ Desktop vs mobile users
Source : http://evaero.co/2014/06/mobile-tsunami/
4. Why APIs
๏ Over 75% of Twitter traffic comes from third-party applications
Source : http://www.programmableweb.com/news/twitter-reveals-75-our-traffic-api-3-billion-calls-day/2010/04/15
5. Why APIs
๏ eBay: we expect to take over $20bn through mobile in 2013
๏ eBay mobile/API traffic of over 6B is primarily handled by WSO2 ESB - http://wso2.com/library/conference/2014/10/wso2con-usa-2014-overcoming-challenges-of-moving-esb-to-the-cloud
Source : http://techcrunch.com/2013/01/16/ebay-and-paypal-expect-to-do-20-billion-each-in-2013-mobile-commerce/
7. “API Economy” drivers
๏ Accelerate Mobile application development
๏ Foster Internal Reuse and Sharing
๏ Unleash external developers' Innovation
๏ Let external developers innovate around your APIs and other APIs on the market
๏ Build new Channels and Ecosystems
๏ Create new Business Models
Source : https://appdevelopermagazine.com/1509/2014/6/1/What-You-Need-to-Know-About-APIs-to-Build-Mobile-Applications/
8. Understanding APIs
๏ API – a business functionality delivered over the internet
§ Standard protocols (HTTP), well-defined but loose contract, network accessible, designed for access by third parties.
๏ A managed API
§ Advertised and subscribable, versioned
§ SLAs, Secured and authorized
§ Monitored and monetized
9. WSO2 API Manager
• The only complete, 100% open source API Management solution
• A cleanly integrated system which supports API publishing, lifecycle management, developer portal, access control and analytics
• Backed by a high-performance gateway
• A single node supports more than 100 million requests/day
• eBay handles 6 billion/day, a number which nearly doubles at peak season time.
• Includes Social enablement such as ratings and comments
• Supports single sign-on with Facebook, GoogleApps, etc.
• Named a Strong Performer in this space by Forrester in 2014
• Best API Design across all vendors
• Best Solution Cost for on-premise solution
• Extremely Satisfied customers
• Available on-premise, as managed deployment and as SaaS application (beta)
10. API Management in a nutshell
Source : https://appdevelopermagazine.com/1509/2014/6/1/What-You-Need-to-Know-About-APIs-to-Build-Mobile-Applications/
11. API Ecosystem Model
Roles drawn from SOA lessons learned and best practices:
• API Creator
  • Designs, implements, manages and versions APIs
  • Understands business and technical requirements
  • Cares about usage and scaling
  • Seeks feedback, ratings, usage
• API Publisher
  • Publishes, promotes and encourages consumers to adopt APIs
  • Determines usage patterns and how to best monetize the asset
  • Monitors and secures
• API Consumer
  • Understands the interface definition
  • Subscribes and connects the application to the API
  • Monitors own usage and cost basis
  • Provides feedback and ratings
18. Retrospect on SOA and ESB
๏ SOA/ESB is a Success.
§ Discrete IT solutions are modeled as services
§ Accessible over the network via rigid contracts
§ Preferred way of integrating disparate systems
§ Many organizations have benefitted from employing SOA and ESB
19. Retrospect on SOA and ESB
๏ Limitations of SOA/ESB
§ Designed for internal interactions
§ Strict contracts (WSDL, XSD)
§ Complex data formats (SOAP)
§ Not designed for frequent iterations
20. When APIs meet SOA
๏ “APIs are the missing link for SOA success”
21. SOA and APIs : The Close Cousins
๏ API cannot replace Integration
§ Integration of internal services, systems, data and cloud APIs
๏ Cannot mangle SOA to meet API Management needs
๏ Using SOA and API in combination is a key success factor of a Connected Business
Image courtesy http://www.soa.com/images/enterprise-api-400.jpg
22. API Façade Pattern
๏ A simple interface to a complex system
Image courtesy: http://regmedia.co.uk/2012/11/06/ipad4_2.jpg,
http://www.techautos.com/wp-content/uploads/2010/04/iPadMobo.jpg
23. API Façade Pattern
๏ API Façade in action with WSO2 Platform
28. Why API Security
๏ APIs might represent increased risk for the enterprise
§ An API exposes most of the core business functionality to the external world.
§ It effectively increases the number of potential calls, and that increases the attack surface.
๏ But an API is a key success factor for a given organization
§ A well-designed API enables an organization to deliver its key business directly to its employees, clients, partners and customers.
§ API Security must be a part of the API design
§ Rather than using the conventional security technologies, API Security should be based on a dedicated security architecture.
29. API Security is a part of a holistic approach
๏ API Security is part of a larger information security problem.
๏ You need to take additional measures to protect your servers and the mobiles that run your apps, in addition to the steps taken to secure your API.
๏ Your firewalls, network, cloud infrastructure, or the mobile platform may open you up to attack if you don’t also strive to make them as secure as your API.
๏ (We will only discuss the API-Security techniques.)
30. API Security – Direct Authentication
๏ HTTP Basic/Digest Authentication
§ Accessing a protected API by sending a username and a password in the HTTP Authorization header, along with the API invocation request
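As an added example (not code from the deck or from WSO2), the resource-server side of both schemes named on this slide: a Basic header is decoded and checked against a salted hash, and a Digest header is checked by recomputing the RFC 2617 response with qop=auth against a server-issued nonce. The realm, username and password are constructed sample values, and the salt is fixed only to keep the snippet self-contained.

```python
import base64
import hashlib
import hmac

# Constructed sample values; a real store would use one random salt per user.
REALM = "api.example.test"
_SALT = b"constructed-static-salt"


def _pbkdf2(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


def _ha1(user: str, password: str) -> str:
    # Digest (RFC 2617) needs MD5(username:realm:password) on the server, i.e.
    # a password-equivalent, which is one reason Digest is rarely preferred today.
    return hashlib.md5(f"{user}:{REALM}:{password}".encode()).hexdigest()


# Constructed credential store: nothing is kept in clear text.
USERS = {
    "alice": {
        "basic_hash": _pbkdf2("correct horse battery staple"),
        "ha1": _ha1("alice", "correct horse battery staple"),
    }
}


def make_basic_header(user: str, password: str) -> str:
    """What the client sends. base64 is encoding, not encryption, so Basic is
    only acceptable over TLS."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic(header: str):
    """Return the authenticated username, or None."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        return None
    try:
        user, sep, password = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:  # bad base64 or bad UTF-8
        return None
    if not sep or user not in USERS:
        return None
    if hmac.compare_digest(_pbkdf2(password), USERS[user]["basic_hash"]):
        return user
    return None


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hexdigest()


def _parse_digest(header: str):
    scheme, _, rest = header.partition(" ")
    if scheme != "Digest":
        return None
    fields = {}
    for part in rest.split(","):  # sample values contain no commas
        key, _, value = part.strip().partition("=")
        fields[key.strip()] = value.strip().strip('"')
    return fields


def check_digest(header: str, method: str, issued_nonces):
    """Verify a Digest header against nonces this server issued and has not yet
    expired; returns the username or None. The password never crosses the wire."""
    f = _parse_digest(header)
    if f is None:
        return None
    user = f.get("username")
    if user not in USERS or f.get("realm") != REALM or f.get("nonce") not in issued_nonces:
        return None
    try:
        expected = digest_response(USERS[user]["ha1"], method, f["uri"], f["nonce"],
                                   f["nc"], f["cnonce"], f.get("qop", "auth"))
    except KeyError:  # a required directive is missing
        return None
    if hmac.compare_digest(expected, f.get("response", "")):
        return user
    return None
```

The nonce set stands in for whatever the server uses to track the challenges it has issued; dropping a nonce from it is how replayed Digest headers are rejected.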
31. API Security – Mutual Authentication with TLS
๏ Mutual Authentication
§ Two-way SSL/client authentication
§ Based on certificates: the server authenticates to the client, and the client to the server
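As an added example (not code from the deck or from WSO2), the gateway side of two-way TLS with Python's standard `ssl` module: a server context that presents the gateway's certificate and refuses the handshake unless the client presents one chained to a trusted CA, plus the application-level step that follows, mapping the client certificate to an API principal. The file paths are placeholders, and the peer-certificate dict is a constructed sample in the shape `SSLSocket.getpeercert()` returns, not a real certificate.

```python
import ssl
import time


def server_context(ca_bundle_path, cert_path, key_path):
    """Gateway-side context for mutual TLS. Paths are assumptions: point them
    at your CA bundle and the gateway's own certificate and key."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=ca_bundle_path)
    ctx.load_cert_chain(cert_path, key_path)  # the gateway authenticates to the client
    ctx.verify_mode = ssl.CERT_REQUIRED       # handshake fails without a valid client cert
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def _dn_field(rdn_sequence, key):
    """Pull one attribute (e.g. 'commonName') out of the nested tuples that
    getpeercert() uses for 'subject' and 'issuer'."""
    for rdn in rdn_sequence:
        for name, value in rdn:
            if name == key:
                return value
    return None


def principal_from_peercert(peercert, trusted_issuer_cn, allowed_clients, now=None):
    """After a successful handshake, return the client identity the API should
    act for, or None. TLS already verified the chain; this adds the checks a
    gateway still wants: expected issuer, validity window, allow list of CNs."""
    now = time.time() if now is None else now
    if not peercert:  # empty dict: no client certificate was presented
        return None
    if _dn_field(peercert.get("issuer", ()), "commonName") != trusted_issuer_cn:
        return None
    not_before = ssl.cert_time_to_seconds(peercert["notBefore"])
    not_after = ssl.cert_time_to_seconds(peercert["notAfter"])
    if not (not_before <= now <= not_after):
        return None
    cn = _dn_field(peercert.get("subject", ()), "commonName")
    if cn not in allowed_clients:
        return None
    return cn


# Constructed sample in the exact shape getpeercert() returns (not a real cert).
SAMPLE_PEERCERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Partner"),),
                (("commonName", "partner-app-01"),)),
    "issuer": ((("commonName", "Example API CA"),),),
    "notBefore": "Jan 10 00:00:00 2020 GMT",
    "notAfter": "Dec 31 23:59:59 2099 GMT",
    "serialNumber": "0A1B2C",
    "version": 3,
}

if __name__ == "__main__":
    print(principal_from_peercert(SAMPLE_PEERCERT, "Example API CA", {"partner-app-01"}))
```

The allow list is what turns "holds a certificate from our CA" into "is a client this API has onboarded"; without it, any certificate the CA ever issued is accepted.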
32. API Security – How do we handle third parties?
๏ Both Direct and Mutual auth. only support 2 parties
๏ What happens if a 3rd-party client/app wants to call APIs on your behalf?
33. API Security – Pre-OAuth era
๏ Sharing your credentials with a third-part…
34. Need a better approach…
• Sharing clear-text passwords of resource owners
  • Third-party applications are required to store the resource owner's credentials for future use, typically a password in clear text.
  • Servers are required to support password authentication, despite the security weaknesses created by passwords.
• Unlimited access to all the resources
  • Third-party applications gain overly broad access to the resource owner's protected resources, leaving resource owners without any ability to restrict duration or access to a limited subset of resources.
• Revoking access for a given third party
  • Resource owners cannot revoke access to an individual third party without revoking access to all third parties, and must do so by changing their password.
• Compromise of any third party would compromise all systems
  • Compromise of any third-party application results in compromise of the end-user's password and of all the data protected by that password.
36. API Security - Identity Delegation
๏ OAuth 2.0 in action - FB and twitter
At base, OAuth lets a person delegate constrained access from one app to another
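As an added example (not code from the deck, from WSO2, or from any OAuth library), a minimal authorization server and resource-server check that show how delegated, scoped, expiring tokens answer the four problems listed on slide 34: the third party never holds the owner's password, a token covers only the scopes granted, it expires, and one client's grant can be revoked without touching the others. Client names, scopes and timestamps are constructed sample values; token introspection is done by a direct method call instead of the RFC 7662 HTTP endpoint a real deployment would use.

```python
import secrets
import time


class AuthorizationServer:
    def __init__(self):
        self._grants = {}  # opaque token -> grant record (server-side state)

    def issue_token(self, resource_owner, client_id, scopes, ttl_seconds, now=None):
        """Called only after the resource owner authenticated *here* and
        consented; the third-party client never sees the owner's password."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable, carries no data itself
        self._grants[token] = {
            "sub": resource_owner,
            "client_id": client_id,
            "scope": frozenset(scopes),  # limited subset of resources
            "exp": now + ttl_seconds,    # limited duration
            "active": True,
        }
        return token

    def introspect(self, token, now=None):
        """Return the grant if the token is live, else None."""
        now = time.time() if now is None else now
        grant = self._grants.get(token)
        if grant is None or not grant["active"] or now >= grant["exp"]:
            return None
        return grant

    def revoke(self, resource_owner, client_id):
        """Cut off one third party without affecting any other client and
        without the owner changing a password. Returns how many grants died."""
        count = 0
        for grant in self._grants.values():
            if grant["sub"] == resource_owner and grant["client_id"] == client_id and grant["active"]:
                grant["active"] = False
                count += 1
        return count


def check_access(auth_server, authorization_header, required_scope, now=None):
    """Resource-server side: return the resource owner the call may act for,
    or None. Only the bearer token travels with the API request."""
    scheme, _, token = (authorization_header or "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    grant = auth_server.introspect(token, now=now)
    if grant is None or required_scope not in grant["scope"]:
        return None
    return grant["sub"]


if __name__ == "__main__":
    # Constructed walk-through: two third-party apps act for the same owner.
    auth = AuthorizationServer()
    t_photos = auth.issue_token("alice", "photo-printer", {"photos:read"}, 3600)
    t_cal = auth.issue_token("alice", "calendar-sync", {"calendar:read"}, 3600)
    print(check_access(auth, f"Bearer {t_photos}", "photos:read"))   # alice
    print(check_access(auth, f"Bearer {t_photos}", "photos:write"))  # None: scope not granted
    auth.revoke("alice", "photo-printer")
    print(check_access(auth, f"Bearer {t_photos}", "photos:read"))   # None: revoked
    print(check_access(auth, f"Bearer {t_cal}", "calendar:read"))    # alice: unaffected
```

Because the token is opaque and all state lives on the authorization server, compromise of one client yields only that client's tokens, never the owner's password, and those tokens can be killed in one call.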
37. OAuth – Is only for Delegated Access
๏ OAuth is also not for authentication.
๏ OAuth is not used for authorization.
๏ OAuth is also not for federation.
๏ It’s for delegation, and delegation only!
Image credit - http://www.workpuzzle.com/peak-performance-learning-to-delegate-effectively-part-2/
38. Identity Federation – OpenID Connect
๏ OpenID Connect is a modern federation specification
๏ A replacement for SAML and WS-Federation
๏ Simple identity layer on top of the OAuth 2.0 protocol.
๏ Defines a new token type – ID Token
• Intended for clients (access and refresh tokens are opaque to the client)
• ID Token asserts user identity
• Based on JSON Web Token (JWT), digitally signed
• Contains how/when the user authenticated, and properties of the user
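As an added example (not code from the deck or from any OpenID provider), the checks a client has to run on an ID Token before trusting the identity it asserts: pinned algorithm, signature, issuer, audience, expiry, the nonce from the authentication request, and the `auth_time` claim that records when the user authenticated. To stay self-contained it signs with HS256 and a shared secret; real providers usually sign with RS256 and publish the public key in a JWKS document, which changes only the signature step. Issuer, client id, key and claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims: dict, key: bytes) -> str:
    """Provider side: header.payload.signature, each part base64url-encoded."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url(json.dumps(header, separators=(",", ":")).encode()),
             _b64url(json.dumps(claims, separators=(",", ":")).encode())]
    signing_input = ".".join(parts).encode()
    return ".".join(parts + [_b64url(hmac.new(key, signing_input, hashlib.sha256).digest())])


def validate_id_token(token, key, issuer, client_id, expected_nonce, now=None, max_age=None):
    """Relying-party side. Returns the verified claims, or None."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(p_b64))
        signature = _b64url_decode(s_b64)
    except ValueError:  # malformed structure, base64 or JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # 1. Pin the algorithm: the token must not choose it (rejects "none").
    if header.get("alg") != "HS256":
        return None
    # 2. Signature over the exact bytes received, constant-time compare.
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    # 3. Issuer and audience: a valid token minted for another app is not ours.
    if claims.get("iss") != issuer:
        return None
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        return None
    if len(audiences) > 1 and claims.get("azp") != client_id:
        return None
    # 4. Freshness and replay: exp, and the nonce we sent in the auth request.
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        return None
    if claims.get("nonce") != expected_nonce:
        return None
    # 5. "When the user authenticated": auth_time is what a max_age policy checks.
    if max_age is not None and now - claims.get("auth_time", 0) > max_age:
        return None
    return claims


if __name__ == "__main__":
    # Constructed walk-through with a shared secret.
    key = b"constructed-shared-secret"
    now = int(time.time())
    tok = sign_id_token({"iss": "https://idp.example.test", "sub": "alice", "aud": "my-app",
                         "exp": now + 300, "iat": now, "auth_time": now - 30,
                         "nonce": "n-1", "amr": ["pwd"]}, key)
    print(validate_id_token(tok, key, "https://idp.example.test", "my-app", "n-1"))
```

The order matters less than completeness: skipping the audience check is how a token issued to one application gets replayed against another, and accepting the header's own `alg` is how unsigned tokens get through.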
39. Summary
๏ Why APIs
๏ API Management, WSO2 API Manager
๏ SOA, Integration and API Management
๏ API Security
40. Links
๏ Enabling a Connected Business - http://wso2.com/landing/enabling-the-connected-business/
๏ Connected Business webinar series - http://wso2.com/landing/connected-business-webinar-series/
๏ Convert your enterprise to a Connected Business – http://wso2.com/whitepapers/convert-your-enterprise-to-a-connected-business/