March 2015
API, Integration, and SOA Convergence
Software Architect
Kasun Indrasiri
WSO2 Workshop - Sydney
Agenda
๏  Why APIs?
๏  API-Management
๏  Demo – WSO2 API-M
๏  SOA, ESB and Integration
๏  API and Integration convergence - API-Façade
๏  API Security
๏  Demo – API-Façade Pattern with WSO2 ESB and
WSO2-API-M
2
3
Why APIs
๏  Desktop vs mobile users
Source : http://evaero.co/2014/06/mobile-tsunami/
4
Why APIs
๏  Over 75% of Twitter traffic comes from third-party applications
Source : http://www.programmableweb.com/news/twitter-reveals-75-our-traffic-api-3-billion-calls-day/2010/04/15
5
Why APIs
๏  eBay: we expect to take over $20bn through
mobile in 2013
๏  eBay mobile/API traffic of over 6B is primarily handled
by WSO2 ESB - http://wso2.com/library/conference/2014/10/wso2con-usa-2014-
overcoming-challenges-of-moving-esb-to-the-cloud
Source : http://techcrunch.com/2013/01/16/ebay-and-paypal-expect-to-do-20-billion-each-in-2013-mobile-commerce/
6
Apps, APIs and API-Management
๏  APIs and Apps
[Figure: Apps, APIs and API Management (© 2013 IBM Corporation, impact2013). Roles: Business Owner, IT Developer, Consumers. Benefits: new business opportunities, new markets, increase customers, enhance branding, competitive advantage, extend development team, increase innovation, increase scale, partner/supplier alignment. Challenges: business strategy; infrastructure (security, creation, scalability); operational control (publish, analyze, monitor). Flow: APIs, App Developers, App Consumers.]
Image courtesy : http://www.edudemic.com/10-ipad-apps-english-history/ and impact2013
๏  Accelerate Mobile applications development
๏  Foster Internal Reuse and Share
๏  Unleash external developers Innovation
๏  Let external developers innovate around your APIs
and other APIs on the market
๏  Build new Channels and Ecosystems
๏  Create new Business Models
7
“API Economy” drivers
Source : https://appdevelopermagazine.com/1509/2014/6/1/What-You-Need-to-Know-About-APIs-to-Build-Mobile-Applications/
๏  API – a business functionality delivered over the
internet
§  Standard protocols (HTTP), well defined but loose
contract, network accessible, designed for access by third
parties.
๏  A managed API
§  Advertised and subscribable, versioned
§  SLAs, Secured and authorized
§  Monitored and monetized
8
Understanding APIs
WSO2 API Manager
•  The only complete, 100% open source API Management solution
•  A cleanly integrated system which supports API publishing,
lifecycle management, developer portal, access control and
analytics
•  Backed by High performance gateway
•  A single node supports more than 100 million requests/day
•  eBay handles 6 billion/day, a number which nearly doubles at peak season time.
•  Includes Social enablement such as ratings and comments
•  Supports single sign-on with Facebook, GoogleApps, etc.
•  Named a Strong Performer in this space by Forrester in 2014
•  Best API Design across all vendors
•  Best Solution Cost for on-premise solution
•  Extremely Satisfied customers
•  Available on-premise, as managed deployment and as SaaS
application (beta)
9
API Management in a nutshell
10
Source : https://appdevelopermagazine.com/1509/2014/6/1/What-You-Need-to-Know-About-APIs-to-Build-Mobile-Applications/
API Ecosystem Model
Roles drawn from SOA lessons learned and best practices
• API Creator
•  Designs, implements, manages and versions the API
•  Understands business and technical requirements
•  Cares about usage and scaling
•  Seeks feedback, ratings, usage
• API Publisher
•  Publishes, Promotes and encourages consumers to adopt APIs
•  Determines usage patterns and how to best monetize asset
•  Monitors and secures
• API Consumer
•  Understands the interface definition
•  Subscribes and connects application to API
•  Monitors own usage and cost basis
•  Provides feedback and ratings
11
API Manager Components
12
๏  Creating and exposing a managed API
13
Demo
14
API, SOA and Integration
๏  Scalability, maintainability, troubleshooting
nightmares.
15
Point-to-point Integration
๏  Conquering integration nightmares with WSO2 ESB
16
Integration with ESB
๏  WSO2 Integration Platform
17
Integration beyond ESB
๏  SOA/ESB is a Success.
§  Discrete IT solutions are modeled as services
§  Accessible over the network via rigid contracts
§  Preferred way of integrating disparate systems
§  Many organizations have benefited from employing SOA
and ESB
18
Retrospect on SOA and ESB
๏  Limitations of SOA/ESB
§  Designed for internal interactions
§  Strict contracts (WSDL, XSD)
§  Complex data formats (SOAP)
§  Not designed for frequent iterations
19
Retrospect on SOA and ESB
๏  “APIs are the missing link for SOA success”
20
When APIs meet SOA
๏  API cannot replace Integration
§  Integration of internal services, systems, data and cloud
APIs
๏  Cannot mangle SOA for API Management needs
๏  Using SOA and API in combination is a key success
factor of a Connected Business
21
SOA and APIs : The Close Cousins
Image courtesy http://www.soa.com/images/enterprise-api-400.jpg
๏  A simple interface to a complex system
22
API Façade Pattern
Image courtesy: http://regmedia.co.uk/2012/11/06/ipad4_2.jpg,
http://www.techautos.com/wp-content/uploads/2010/04/iPadMobo.jpg
๏  API Façade in action with WSO2 Platform
23
API Façade Pattern
Scalable Deployment Architecture
24
Sample API Analytics
25
๏  API-Façade Pattern with WSO2 ESB and WSO2-API-M
26
Demo
27
API Security
๏  APIs might represent increased risk for the enterprise?
§  API exposes most of the core business functionalities to the external
world.
§  Effectively increases the number of potential calls and that increases
the attack surface.
๏  But API is a key success factor for a given organization
§  A well-designed API enables organizations to deliver their key business
directly to their employees, clients, partners and customers.
§  API security must be a part of the API design
§  Rather than using conventional security technologies, API
security should be based on a dedicated security architecture.
28
Why API Security
๏  API Security is part of a larger information security
problem.
๏  You need to take additional measures to protect your
servers and the mobiles that run your apps in addition
to the steps taken to secure your API.
๏  Your firewalls, network, cloud infrastructure, or the
mobile platform may open you up to attack if you
don’t also strive to make them as secure as your API.
๏  (We will only discuss the API security techniques.)
29
API Security is a part of a holistic approach
๏  HTTP Basic/Digest Authentication
§  Accessing a protected API by sending a username and a password in
the HTTP Authorization header, along with the API invocation
request
30
API Security – Direct Authentication
๏  Mutual Authentication
§  Two way SSL/client authentication
§  Based on certificates: the server authenticates to the client and the client to
the server
31
API Security – Mutual Authentication with
TLS
๏  Both direct and mutual authentication only support two parties
๏  What happens if a third-party client/app wants to call
APIs on your behalf?
32
API Security – How do we handle third-parties
๏  Sharing your credentials with a third-party…
33
API Security – Pre-OAuth era
Need a better approach…
• Sharing clear text password of resource owners.
•  Third-party applications are required to store the resource owner's credentials for
future use, typically a password in clear-text.
•  Servers are required to support password authentication, despite the security
weaknesses created by passwords.
• Unlimited access to all the resources
•  Third-party applications gain overly broad access to the resource owner's
protected resources, leaving resource owners without any ability to restrict
duration or access to a limited subset of resources.
• Revoking access for a given third-party
•  Resource owners cannot revoke access to an individual third-party without
revoking access to all third-parties, and must do so by changing their password.
• Compromise of any third-party would compromise all
systems
•  Compromise of any third-party application results in compromise of the end-user's
password and all of the data protected by that password.
34
35
API Security – Identity Delegation
๏  OAuth 2.0 in action - FB and twitter
36
API Security - Identity Delegation
At base, OAuth lets a person delegate constrained
access from one app to another
๏  OAuth is also not for authentication.
๏  OAuth is not used for authorization.
๏  OAuth is also not for federation.
๏  It’s for delegation, and delegation only!
37
OAuth – Is only for Delegated Access
Image credit - http://www.workpuzzle.com/peak-performance-learning-to-delegate-effectively-part-2/
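As an added example (not from the slides or from WSO2's code base), a toy in-memory authorization server showing how delegated, scoped, revocable tokens address the four pre-OAuth problems listed on slide 34 and the "delegation only" point above; all class and method names are hypothetical, and the flow omits redirects and authorization codes, so it is a model of the idea rather than a full OAuth 2.0 server.

```python
import hashlib
import hmac
import secrets
import time

# Added example (not WSO2 code): a toy in-memory authorization server showing how
# delegated, scoped, revocable tokens address the four pre-OAuth problems above.
# All class and method names are hypothetical and the flow is simplified
# (no redirects, no authorization codes); it is not a full OAuth 2.0 server.
class AuthServer:
    def __init__(self):
        self._users = {}    # username -> (salt, pbkdf2 digest); no clear-text passwords
        self._tokens = {}   # token -> {"owner", "client", "scopes", "exp"}

    def register_user(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._digest(password, salt))

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def check_password(self, username, password):
        rec = self._users.get(username)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(self._digest(password, salt), digest)

    def authorize(self, username, password, client_id, scopes, ttl=3600, now=None):
        """The resource owner authenticates to the auth server, not to the third
        party, and grants client_id a token limited to `scopes` and `ttl` seconds.
        The third party only ever receives the token, never the password."""
        if not self.check_password(username, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"owner": username, "client": client_id,
                               "scopes": frozenset(scopes),
                               "exp": (time.time() if now is None else now) + ttl}
        return token

    def introspect(self, token, required_scope, now=None):
        """Resource-server check: returns the owner if the token exists, is not
        expired and covers required_scope, otherwise None."""
        rec = self._tokens.get(token)
        now = time.time() if now is None else now
        if rec is None or now >= rec["exp"] or required_scope not in rec["scopes"]:
            return None
        return rec["owner"]

    def revoke_client(self, username, client_id):
        """Revoke a single third party; other clients and the password are untouched."""
        dead = [t for t, r in self._tokens.items()
                if r["owner"] == username and r["client"] == client_id]
        for t in dead:
            del self._tokens[t]
        return len(dead)
```

A compromised client in this model leaks only its own scoped, expiring token, which the owner can revoke without changing the password or affecting other clients.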
๏  OpenID Connect is a modern federation specification
๏  A replacement for SAML and WS-Federation
๏  Simple identity layer on top of the OAuth 2.0
protocol.
๏  Defines a new token type – ID Token
•  Intended for clients (access and refresh tokens are opaque to the client)
•  ID Token asserts user identity
•  Based on JSON Web Token (JWT), digitally signed
•  Contains how/when the user authenticated, and properties of the user
38
Identity Federation – OpenID Connect
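An added example, not from the slides or from WSO2: minting and verifying an ID Token as a signed compact JWT, with the signature checked before any claim is trusted and the iss, aud, exp, iat and sub checks a client must make. HS256 with a constructed shared secret is assumed so the block runs offline; real OpenID Providers typically sign with RS256 and publish their public keys, so only the key-handling step would differ.

```python
import base64
import hashlib
import hmac
import json
import time

# Added example (not WSO2 code): mint and verify an OpenID Connect style ID Token
# as a compact JWT. HS256 with a shared secret is used so the block runs offline;
# a real OpenID Provider normally signs with RS256 and publishes its public keys,
# so the signature step would use the provider's key instead of a shared secret.

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_id_token(claims, secret):
    """Issuer side: header.payload.signature over the JSON-encoded parts."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_id_token(token, secret, issuer, client_id, now=None):
    """Client side: check the signature before trusting any claim, then the
    iss/aud/exp/iat claims that bind the token to this provider and this app."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_unb64url(h64))
    if header.get("alg") != "HS256":      # refuse alg=none and algorithm switching
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(p64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token issued to another client")
    if "sub" not in claims or "iat" not in claims:
        raise ValueError("missing required claim")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims

def id_token_is_valid(token, secret, issuer, client_id, now=None):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        verify_id_token(token, secret, issuer, client_id, now)
        return True
    except (ValueError, UnicodeDecodeError):
        return False
```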
๏  Why APIs
๏  API Management, WSO2 API Manager
๏  SOA, Integration and API Management
๏  API Security
39
Summary
Links
๏  Enabling a Connected Business -
http://wso2.com/landing/enabling-the-connected-business/
๏  Connected Business webinar series -
http://wso2.com/landing/connected-business-webinar-series/
๏  Convert your enterprise to a Connected Business –
http://wso2.com/whitepapers/convert-your-enterprise-to-a-
connected-business/
Contact us!