WSO2Con US 2013 - Advanced API Management Tactics (Presentation Transcript)
API Management Tactics
Director of Product Management
• How to pass authentication information to back-end services?
• How to enrich request/response flows?
• How to react in real-time to API events?
• How to extend the authorization of users, leveraging WSO2 Identity Server?
Passing Auth Information to back-end
• Using JSON Web Tokens (JWT)
‣ Can be signed
‣ Easy to parse and
What are Claims?
• Claims are a set of attributes about a user, mapped to the underlying user store.
• A set of claims is called a
• Default dialect is:
• Default behavior is that all non-null claims will be added to the JWT.
• If you want to override this behavior, you need to create your own ClaimsRetrieverClass.
• You can also use another dialect
‣ Reuse existing
‣ Create your own
JWT Basic Configuration
• Part of <APIConsumerAuthentication> node
• Following settings must be set/uncommented in the api-manager.xml file:
‣ Token Header name
‣ Signature Algorithm
‣ Claims Management
‣ Claims Dialect
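On the receiving side, the back-end service should parse the gateway-issued JWT and verify its signature before trusting any claim in it. The following is an added example (not code from the slides or from WSO2) showing that check; it assumes the header name, the claim names and an HMAC shared key, whereas a real gateway deployment would verify against the algorithm and signing key configured in api-manager.xml.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values: the shared HMAC key stands in for the gateway's signing
# key, and the header name is an assumption for this example.
SHARED_KEY = b"constructed-demo-key"
TOKEN_HEADER = "X-JWT-Assertion"
ALLOWED_ALGS = {"HS256"}  # mirror the configured "Signature Algorithm" only


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims, key=SHARED_KEY):
    """Build a signed JWT carrying user claims, as the gateway would."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt(token, key=SHARED_KEY, now=None):
    """Return the claims only if the token is well-formed, uses an allowed
    algorithm, carries a valid signature and has not expired."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Never let the token choose how it is verified: reject "none" and any
    # algorithm other than the one the gateway was configured with.
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def claims_from_headers(headers, key=SHARED_KEY, now=None):
    """Pull the JWT from the configured request header and verify it."""
    return verify_jwt(headers[TOKEN_HEADER], key, now)
```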
Enriching API Gateway Flows
• Available as of version 1.5 (in the UI)
• Allows you to use the full power of the mediation engine (from WSO2 ESB) in the API Publisher UI
• Expand the “More Options” section under
• Select Sequence for IN/OUT flows
Reacting to API call events
Using Complex Event
• The following example sends an email each time an API is called 5 times within 1 minute.
• Leverage Entitlements (XACML) of the underlying WSO2 Identity Server
• Can install the Entitlement features inside APIM 1.5 or use an external Identity Server
Enforcing the Policy
• Use the Entitlement mediator as part of a custom mediation flow
Additional Features (1.5)
• Publish to Sandbox only
• Use separate gateways for production and
‣ Lets you scale them separately
• Allow an API to be advertised into multiple