Best Practices for API Management
Last Updated: March 2014
Isabelle Mauny, Director, Product Management, WSO2
Thursday, March 27, 14
About the speaker...
• French native
• Living in Spain
• Works mostly with Sri Lanka
• 18 years of IBM, 4 years in startups
• Managing the overall WSO2 portfolio
• Linux command line user
Who is WSO2?
• Open Source Middleware Platform Provider
• Apache 2.0 License
• Provides Integration, API Management and Mobile enterprise management products
• Main contributor to Apache Stratos PaaS
• Creators of DevOps “AppFactory” cloud solution
Business Model
Define a Business Model
• What are the business goals?
  • Enable 3rd-party Mobile Apps development?
  • Increase brand recognition?
  • Open new revenue channels?
• Define Monetization model
  • Free?
  • Pay per usage?
  • Free APIs, but paid via Ads
Development
Services and APIs
• Service deals with implementation
• API deals with subscription (consumer)
• Two very distinct life cycles!
• You don’t need the service to create the API...
Building a Managed API
• Creating APIs (interface, docs, samples, etc.)
• Advertising APIs
• Making APIs subscribe-able by consumers
• Associating SLAs
• Securing APIs
• Monetization and Analytics
API Security
API Security
• Security is not an afterthought!
• APIs are part of a much larger enterprise picture
• How will consumers request an access token?
  • Using a SAML 2.0 assertion?
  • Using client_credentials?
  • Using userid/password?
• Make sure you document thoroughly how developers need to manage tokens:
  • Tokens are like passwords!
  • Always use SSL for token transportation!
  • Use Domain restrictions (WSO2 API Manager)
Fine-grained access to APIs
• OAuth2 is all about access control: a token is associated to a scope.
• XACML (eXtensible Access Control Markup Language) is the de-facto standard for fine-grained access control.
• OAuth scope can be represented in XACML policies
• Provides fine-grained control over what a user/application can do (e.g. you can call GET but not POST on an API)
Passing Auth Information to back-end services
• Using JSON Web Tokens (JWT)
  • Lightweight
  • Can be signed
  • Easy to parse and consume
  • Standard
[Diagram labels: Internal and External Applications; OAuth 2 Access Token; API Gateway (API Management Layer); JSON Web Token; Services Layer]
Token Format
• JWT Structure: {token info}.{claims list}.{signature}
• Base-64 Encoded
What are Claims?
• Claims are a set of attributes about a user, mapped to the underlying user store.
• A set of claims is called a dialect
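The token format and the scope-based method check from the preceding slides, as an added example that is not part of the original deck or of WSO2's code: it builds and verifies an HMAC-SHA256 signed JWT of the form {token info}.{claims list}.{signature}, refuses tokens whose header does not name the expected algorithm, and then checks whether the token's scope permits the HTTP method (GET allowed, POST refused). The shared secret, the scope names and the scope-to-method mapping are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key: a real gateway and backend would share it out-of-band.
DEMO_SECRET = b"demo-shared-secret-not-for-production"

# Constructed scope -> permitted HTTP methods mapping for one API.
SCOPE_METHODS = {"catalog:read": {"GET"},
                 "catalog:write": {"GET", "POST", "PUT", "DELETE"}}

def _b64url(data: bytes) -> str:
    # JWT uses base64url with the '=' padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def encode_jwt(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build {token info}.{claims list}.{signature}, signed with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_jwt(token: str, secret: bytes = DEMO_SECRET, now=None):
    """Return the claims dict if signature and expiry check out, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":      # refuse 'none' and alg confusion
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None                        # signature does not match
        claims = json.loads(_b64url_decode(p))
        if not isinstance(claims, dict):
            return None
        now = time.time() if now is None else now
        if "exp" in claims and now >= claims["exp"]:
            return None                        # token expired
        return claims
    except (ValueError, AttributeError):       # malformed base64 / JSON / header
        return None

def method_allowed(claims: dict, method: str) -> bool:
    """Fine-grained check: does any scope in the token permit this HTTP method?"""
    scopes = claims.get("scope", "").split()
    return any(method in SCOPE_METHODS.get(sc, set()) for sc in scopes)
```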
Publishing
Choosing an API Management Platform
• What the platform must do, at a minimum:
  • Users Management (self-sign up, profile management)
  • API Publication / API Store
  • API Security
  • Statistics
  • SLA control
  • Throttling / Rate Limiting
  • API Versioning
  • Monetization/Billing
  • and more!
• You could build all of this yourself, but...
Need for API Versioning
• Need to support API evolution
• While maintaining
  • Backward compatibility -> Functionality
  • Rates/Throttling agreements
• Different versioning mechanisms
API Versioning Strategies
• Version as a query parameter
  • Netflix - http://api.netflix.com/catalog/titles/series/70023522?v=1.5
  • Google Data API - “GData-Version: X.0” or “v=X.0”
• Version as part of URI
  • Salesforce - https://na1.salesforce.com/services/data/v20.0/sobjects/Account/
  • Twitter - https://api.twitter.com/1.1/statuses/mentions_timeline.json
• Version as a date in URI
  • Twilio - /2010-04-01/Accounts/{AccountSid}/Calls
  • http://www.twilio.com/docs/api/rest/making-calls
• Version as a
  • Custom HTTP Header
  • Accept Header
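An added example, not from the deck, that recognizes each versioning strategy listed above from a request URL and its headers, using the slide's own URLs as inputs: query parameter, version segment in the URI, date segment in the URI, the GData-Version custom header, and a constructed vendor media-type convention for the Accept header. A bare numeric path segment such as the Netflix title id is deliberately not treated as a version.

```python
import re
from urllib.parse import parse_qs, urlsplit

# URI forms seen on the slide: "/v20.0/" (Salesforce), "/1.1/" (Twitter),
# "/2010-04-01/" (Twilio). A bare integer segment (a resource id) is not a version.
_PATH_VERSION = re.compile(
    r"/(?:v(\d+(?:\.\d+)?)|(\d{4}-\d{2}-\d{2})|(\d+\.\d+))(?=/|$)")
# The Accept-header convention is constructed here, e.g. application/vnd.acme.v2+json
_ACCEPT_VERSION = re.compile(r"vnd\.[\w.-]+?\.v(\d+(?:\.\d+)?)\+")

def extract_version(url, headers=None):
    """Return (strategy, version) for the first mechanism found, else None.

    Order checked: query parameter, URI segment, date in URI,
    custom header (GData-Version), Accept header media type.
    """
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if "v" in query:                                # Netflix / GData: ?v=1.5
        return ("query", query["v"][0])
    m = _PATH_VERSION.search(parts.path)
    if m:
        if m.group(2):                              # Twilio: /2010-04-01/...
            return ("date-uri", m.group(2))
        return ("uri", m.group(1) or m.group(3))    # /v20.0/ or /1.1/
    if "gdata-version" in headers:                  # Google Data API header
        return ("custom-header", headers["gdata-version"])
    m = _ACCEPT_VERSION.search(headers.get("accept", ""))
    if m:
        return ("accept-header", m.group(1))
    return None
```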
API Lifecycle
• An API can pass through multiple states
• For example:
  • CREATED
  • PUBLISHED
  • DEPRECATED
  • RETIRED
  • BLOCKED
• Should integrate with complete governance lifecycle
Show some developer’s love :)
• Docs, docs and more docs
• API Samples, in many languages
• Embedded Testing
• Provide sandbox and production runtimes
• SDK
  • Wraps API access, including security
Deployment
Gateway vs. ESB
• Oh, but I already have an ESB! Why do I need a gateway?
• API Gateway vs. Mediation Layer (ESB)
  • Gateway = light ESB?
• Think ESB as an architecture pattern, not a product!
Generic Facade Pattern
• Pros
  • No additional hop in the network
  • Single Server to be managed
  • More suited for internal deployments
• Cons
  • Complexity of integration at edge of network
  • API Management layer can’t really scale independently
  • Not appropriate for DMZ deployments (direct access to backend services)
[Diagram labels: Internal and External Applications; API Gateway (API Management Layer); Services Layer]
Separated Facade & Mediation
• API Gateway Layer acts as simple reverse proxy, enforcing basic policies
• Clear separation of concern between layers
• Mediation layer and API management layer scale independently
• Specific security checks/protection at edge of the network
• Provides protocol transformation to the edge of the network
[Diagram labels: Internal and External Applications; API Gateway (API Management Layer); Mediation Layer (Services Composition, Services Orchestration); Services Layer]
Specific WSO2 Solution
• Our API gateway is actually a full-blown ESB under the hood, constrained at UI level.
• You can install the missing ESB features on top of API manager and combine both architecture layers into a single runtime!
• Makes the choice a deployment one.
Typical Deployment
[Diagram labels: Web Tier: External Web Application, External Mobile Application; External APIs Tier: Load balancer, API Gateway, Identity Server (Token Validation, Policy Decision Point, Users Store Management); Orchestration Layer: ESB Server, BPS Server; Data Access Layer: Data Services Server; Messaging Layer: Message Broker Server; Internal APIs Tier: Load balancer, API Gateway, Identity Server; legend: ESB, BPM]
Users Store
• Separate admins / corporate users from the developers’ user store (created via self-sign up)
You can’t manage what you can’t measure.
Why are Analytics and API Management important together?
• Build confidence in the API model
• Understand your customer
  • Not just the developer but also the end-user
• Help manage services and versions
  • Understand when deprecated services can be retired
• Plan better
  • Monitor the growth of aggregated API traffic
  • Monitor the growth of specific apps
• Even if you’re not going to put analytics in place, make sure you capture all events right from the beginning of the project.
Analytics 101: Aggregation
• How to collect data efficiently
• How to store data effectively
• Choose which data to capture
Analytics 101: Analysis
• Data operations
• Defining KPIs and analytics
• Operating on large amounts of historical or current data
• Creating intelligence
Analytics 101: Presentation
• Visualization
• Dashboards
• Reports
Monitor And Analyze
• Take decisions in real time through Complex Event Processing
• Create dashboards for both technical and business monitoring
[Diagram labels: Events Collector; Events Data Store; 3rd party Products; Report Generator; CEP Engine; Analytics Engine; Real Time Decision Engine; Analytics Data Store; User Engagement Server; edge labels: writes events, feeds events, generate new events, deploys logic]
Detecting Usage Patterns
• My API customer is trying to steal my business: let’s block them.
• A customer is at 80% of API plan: let’s warn them
• A customer is systematically at 120% of the plan: propose an upgrade to the premium plan
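The three patterns above as detection rules run over per-app daily usage aggregates, an added example that is not taken from the deck or from any WSO2 product; the plan quotas, the usage rows and the thresholds (80% of plan for a warning, 120% on three consecutive days for an upgrade offer, and near-exhaustive enumeration of distinct resources at volume as the signal that a client is harvesting the catalogue rather than serving end-users) are all constructed.

```python
from collections import defaultdict

# Constructed daily plan quotas (requests/day) per subscribed application.
PLANS = {"app-A": 1000, "app-B": 1000, "app-C": 1000, "app-D": 1000}

# Constructed usage aggregates: (app_id, day, requests, distinct_resources_hit).
USAGE = [
    ("app-A", 1, 820, 40), ("app-A", 2, 850, 42),
    ("app-B", 1, 1250, 60), ("app-B", 2, 1300, 55), ("app-B", 3, 1210, 62),
    ("app-C", 1, 950, 940),
    ("app-D", 1, 300, 25),
]

def classify(usage, plans, systematic_days=3, warn_ratio=0.8,
             upgrade_ratio=1.2, harvest_ratio=0.9, harvest_min=500):
    """Return {app_id: action}, action being 'block', 'propose-upgrade',
    'warn' or None, applying the three patterns from the slide.

    harvest_*: a client whose calls almost all hit a different resource, at
    volume, is enumerating the catalogue rather than serving end-users.
    """
    by_app = defaultdict(list)
    for app, day, requests, distinct in sorted(usage, key=lambda r: (r[0], r[1])):
        by_app[app].append((requests, distinct))
    actions = {}
    for app, rows in by_app.items():
        ratios = [req / plans[app] for req, _ in rows]   # usage as fraction of plan
        last_req, last_distinct = rows[-1]
        if last_req >= harvest_min and last_distinct / last_req >= harvest_ratio:
            actions[app] = "block"                # catalogue harvesting pattern
        elif (len(ratios) >= systematic_days
              and all(r >= upgrade_ratio for r in ratios[-systematic_days:])):
            actions[app] = "propose-upgrade"      # systematically over plan
        elif ratios[-1] >= warn_ratio:
            actions[app] = "warn"                 # approaching the plan limit
        else:
            actions[app] = None
    return actions
```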
Demo
Demo Setup
[Diagram labels: Web Tier: External Web Application; APIs tier: API Gateway, Identity Server (Token Validation, Policy Decision Point, Identity Provider, Users Store Manager); Mediation Layer: ESB Server; Services Layer: Application Server; Messaging Layer: Message Broker Server; Reporting, Logging, Operational Analysis: BAM, CEP]
References
• Building an ecosystem for API Security (White Paper)
  • http://wso2.com/whitepapers/wso2-whitepaper-building-an-ecosystem-for-api-security/
• API Facade Pattern (Webinar)
  • http://wso2.com/library/webinars/2014/01/implementing-api-facade-using-wso2-api-management-platform/
• API Management: missing link for SOA
  • http://sanjiva.weerawarana.org/2012/08/api-management-missing-link-for-soa.html
• Promoting Service Reuse
  • http://wso2.com/whitepapers/promoting-service-reuse-within-your-enterprise-and-maximizing-soa-success/
Download API Manager today!
• http://wso2.com/products/api-manager/
Contact us!