Digital transformation is a mandatory requirement for all enterprises in today’s consumer-driven economy. Once you accept this fact and evangelize it within your company, you need to start thinking about how to take steps towards becoming digital. The first step would be to expose your core functionality to a wider audience in a controlled and secure manner. The next step would be to have your value-added functionality ready to be seamlessly exposed. To do this you need to have a strong integration and API management strategy that goes hand in hand with each other.
This workshop in Colombo:
● Focused on aspects of integration and API management in the context of digital transformation
● Discussed how to create a successful integration and API strategy for digital transformation
● Explored how WSO2 can help enforce your strategy
Setting the Foundation for Digital Transformation Through API Management and Integration
1. Setting the Foundation for Digital Transformation Through API Management and Integration
Nuwan Dias
@nuwandias
Director - WSO2
2. Agenda
● What is Digital Transformation
● Why and How APIs play a key role in Digital Transformation
● API Management Overview
● API Management in Practice
● Discussion Forum and Future Plans
10. OPEN TECHNOLOGY FOR AGILE DIGITAL BUSINESS
● Platform enable your digital business with microservices and micro integrations
● Manage identity, security, and privacy across your digital business
● Make mobile and IoT devices integral to your digital business
● Create real-time, intelligent, actionable business insights and data products
● Build internal and external developer ecosystems with an API marketplace
11. APIs hold the key to Digital Transformation
● Build internal and external developer ecosystems with an API marketplace
12. Present Day Enterprise Architecture
(Architecture diagram; components shown: Analytics, Continuous-*, Security & Access Management, API / Service discovery, Dev tools, DevOps tools, Service router, API Gateway, Core Microservices, Data, Container(s), Delivery channels, Digital Products, Messaging Channels, Integration Microservices, Existing Services)
14. The modern API
● RESTful & JSON savvy - being lightweight, REST style conformant
● Well documented - methods, operations, responses, error codes, etc.
● Manageable (life-cycle, version)
● Discoverable - Searchable, testable
● Measurable
● Secured - Multiple security protocol support, transformable
15. WSO2 API Manager
Design, create, publish and manage APIs to unlock the true value of your digital assets
16. Battle hardened
● Currently at version 2.1.0 with over 6 years of engineering improvements across 15 stable releases
● Geo distributed and clustered deployments
○ In production at StubHub / Verizon / Motorola / BYU / BNY
● Same code base at WSO2 API Cloud running with four 9s uptime
● One major and 3 minor releases per year
● Automated deployment with puppet
● Containerized with Docker
17. WSO2 API Manager
● Available as a single downloadable package
● Available as a cloud / SaaS solution
● Flexible deployment choices
● High performance gateway
● API governance, marketplace solution
18. Cloud First or Start On-Prem
● Multi-tenanted, shared everything
● WSO2 Hosted and managed
● Pay as you go
● Multi-region availability
● VPN tunnel to private DC
● Guaranteed uptime
● Limited options in customizing

● Hybrid Cloud
● Privately hosted
● WSO2 managed
● Upgrades, patches installation
● Guaranteed uptime
● Full flexibility in customization
● Better control

● Self hosted
● Self managed
● Full flexibility
● Dev-ops learning curve
● Self managed upgrades
http://wso2.com/api-management/cloud/
https://docs.wso2.com/display/ManagedCloud/WSO2+Managed+Cloud+Documentation
21. Creating APIs
● Start with an existing endpoint/contract or design and prototype a new API
● Exposing SOAP services (convert to REST or as a passthrough)
● Exposing streaming APIs (Websocket endpoints)
22. Creating APIs
● API Design - through the wizard or with Swagger
23. Managed or prototyped
● Point to a production backend or prototype at the gateway
25. Client Application
● Encapsulate the client application
● Associates OAuth2 keys
● Support different integration patterns for application security through OAuth grant types
● Pre-generated access tokens for testing
27. Business Objective
● Hotel LaVilla wants to provide a personalized user experience to its guests through digital means to enhance user satisfaction.
28. The hotel wants to get rid of manual check-in and check-out processes, which currently involve human interaction and consume a considerable amount of time.
29. Technical Requirements
● Create mobile app to handle check-in and check-out
● Allow mobile app to control
○ Door locking and unlocking
○ Switch on and switch off lights
○ Control window curtains
○ Room service
○ Reservation of hotel cars, spa, private dining etc.
31. The hotel wants to provide a personalized user experience to its guests by welcoming them by their name and by setting up an environment that reflects their personal choices on entertainment, meals, travel, etc.
32. Technical Requirements
● Expose selected APIs to external third party app developers only.
● Ensure protected APIs' resources are accessible by allowed users only.
34. The hotel wants to enhance its reach by encouraging partner websites such as TripAdvisor, Booking.com, etc. to advertise the hotel and allow bookings through them.
35. Technical Requirements
● Prevent guests' credentials being entered at third party apps/websites.
● Rate Limiting for the Reservations API by partner.
36. Security: Access Delegation
● Secure Trusted Clients
● Secure Untrusted Clients
● Unsecure Clients
● System to System Auth/z
(Diagram: People, Apps)
37. OAuth 2.0 Grant Types
● Resource Owner Password Credentials
● Client Credentials
● Authorization Code
● Implicit Grant
38. Resource Owner Password Credentials
● The resource owner password credentials grant type is suitable in cases where the resource owner has a trust relationship with the client (e.g., a service's own mobile client) and in situations where the client can obtain the resource owner's credentials.
39. Client Credentials
● This grant is suitable for machine-to-machine authentication or for a client making requests to an API that does not require the user's permission. This grant should be allowed for use only by trusted clients.
40. Authorization Code
● The authorization code grant type is optimized for confidential clients.
● This grant type is suitable when the resource owner is a user and the client is a website.
42. Implicit Grant
● The implicit grant type is optimized for public clients known to operate a particular redirection URI.
● It is mainly used for clients that are not capable of keeping the client's own credentials secret; for example, a 'JavaScript only' application.
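The access-delegation choices of slide 36 and the grant types of slides 37 to 42, worked through as a small authorization-server simulation: a confidential client (the partner website) redeems a one-time authorization code with its secret, a trusted client uses client credentials with no user involved, and a public browser-only client can do neither. This is an added example, not WSO2 API Manager code; the client registry, the hotel-website and hotel-js-app client ids, the redirect URIs and the 60-second code lifetime are constructed assumptions.

```python
import secrets
import time

# Constructed client registry (illustrative values, not WSO2 configuration):
# a confidential client holds a secret, a public (browser-only) client does not.
CLIENTS = {
    "hotel-website": {"secret": "s3cr3t-website", "confidential": True,
                      "redirect_uri": "https://hotel.example/cb",
                      "grants": {"authorization_code", "client_credentials"}},
    "hotel-js-app": {"secret": None, "confidential": False,
                     "redirect_uri": "https://app.hotel.example/cb",
                     "grants": {"implicit"}},
}
CODE_TTL = 60  # seconds an authorization code stays redeemable (assumed)
_codes = {}    # code -> (client_id, redirect_uri, user, issued_at)

def _authenticate(client_id, client_secret):
    # Only a confidential client can prove its identity at the token endpoint.
    client = CLIENTS.get(client_id)
    if client is None or not client["confidential"] or client_secret != client["secret"]:
        raise PermissionError("invalid_client")
    return client

def issue_code(client_id, redirect_uri, user, now=None):
    # Authorization endpoint: after consent, bind a one-time code to this client and its registered redirect URI.
    client = CLIENTS.get(client_id)
    if client is None or "authorization_code" not in client["grants"]:
        raise PermissionError("unauthorized_client")
    if redirect_uri != client["redirect_uri"]:
        raise PermissionError("invalid_redirect_uri")
    code = secrets.token_urlsafe(16)
    _codes[code] = (client_id, redirect_uri, user, now or time.time())
    return code

def exchange_code(client_id, client_secret, code, redirect_uri, now=None):
    # Token endpoint: the code is single-use (pop), bound to this client and redirect URI, and time-limited.
    _authenticate(client_id, client_secret)
    entry = _codes.pop(code, None)
    if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
        raise PermissionError("invalid_grant")
    if (now or time.time()) - entry[3] > CODE_TTL:
        raise PermissionError("invalid_grant")
    return {"access_token": secrets.token_urlsafe(24), "sub": entry[2], "client_id": client_id}

def client_credentials_token(client_id, client_secret):
    # Machine-to-machine grant with no resource owner: trusted confidential clients only.
    client = _authenticate(client_id, client_secret)
    if "client_credentials" not in client["grants"]:
        raise PermissionError("unauthorized_client")
    return {"access_token": secrets.token_urlsafe(24), "client_id": client_id}
```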
47. Rate Limiting: Front End
● Monetization
● Burst Control
● Fair Usage Policy
● Geographical Distribution
● Distribution by Device Type
(Diagram: People, Apps, Gateway)
48. Rate Limiting: Back-End
● Prevent Total Service Outage at Peaks
● Back-End Server Maintenance
(Diagram: Gateway, Services and Data)
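The per-partner limit on the Reservations API from slide 35, combined with the front-end burst control of slide 47 and the back-end protection of slide 48, as an added token-bucket simulation at a gateway: each partner application has its own bucket, and a single shared bucket caps what reaches the back-end so that no combination of partners can take the reservations service down at a peak. This is not WSO2 API Manager's throttling implementation; the partner names, rates, burst sizes and status codes are constructed assumptions.

```python
# Constructed policy table (illustrative values, not WSO2 throttling configuration):
# per-partner front-end limits on the Reservations API, plus one shared back-end limit.
FRONTEND_POLICY = {
    "tripadvisor": {"rate": 5.0, "burst": 10},   # requests/second, burst size
    "booking-com": {"rate": 2.0, "burst": 4},
}
BACKEND_POLICY = {"rate": 6.0, "burst": 8}       # total capacity of the reservations back-end


class TokenBucket:
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), None

    def allow(self, now):
        # Refill in proportion to elapsed time, capped at the burst size,
        # then spend one token if one is available.
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class Gateway:
    def __init__(self):
        self.partner_buckets = {p: TokenBucket(**q) for p, q in FRONTEND_POLICY.items()}
        self.backend_bucket = TokenBucket(**BACKEND_POLICY)

    def handle(self, partner, now):
        # Unregistered partner: no application key, no access.
        bucket = self.partner_buckets.get(partner)
        if bucket is None:
            return 401
        # Front-end limit first, so a noisy partner is throttled before it can
        # consume the shared back-end quota of everyone else.
        if not bucket.allow(now):
            return 429   # partner exceeded its own quota
        if not self.backend_bucket.allow(now):
            return 503   # back-end capacity exhausted (peak or maintenance window)
        return 200


def simulate(requests):
    # requests: list of (timestamp_seconds, partner) tuples; returns one status per request.
    gw = Gateway()
    return [gw.handle(partner, t) for t, partner in requests]
```

In the sequence below, booking-com burns its burst of 4 at t=0 and gets 2 more after one second of refill, while tripadvisor's burst of 10 is only partly served because the shared back-end bucket runs dry after 6 of them.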
49. The hotel wants to look at current business operational insights and identify the areas that need to improve as well as new business enhancement opportunities.
50. Technical Requirements
● Identify top users of the Reservations API for giving them special offers.
● Identify new business patterns based on API usage.
● Drill down into operational issues on APIs.
● Detect abnormalities/fraud and take appropriate actions.