WSO2Con US 2013 - Advanced API Management Tactics

    Presentation Transcript

    • Advanced API Management Tactics
      Isabelle Mauny, isabelle@wso2.com, Director of Product Management
    • Use Cases
      • How to pass authentication information to back-end services?
      • How to enrich request/response flows?
      • How to react in real time to patterns of API events?
      • How to extend user authorization by leveraging WSO2 Identity Server?
    • Passing Auth Information to back-end services
      • Using JSON Web Tokens (JWT)
        ‣ Lightweight
        ‣ Can be signed
        ‣ Easy to parse and consume
        ‣ Standard
    • Token Format
      • JWT structure: {token info}.{claims list}.{signature}
      • Each of the three dot-separated parts is Base64-encoded
      • The signature covers the first two parts, so a back end that checks it can trust the claims it carries
    • What are Claims?
      • Claims are a set of attributes about a user, mapped to the underlying user store.
      • A set of claims is called a dialect.
      • The default dialect is http://wso2.org/claims.
    • Managing Claims
      • Default behavior: all non-null claims are added to the JWT, for example:
        {"http://wso2.org/claims/emailaddress":"isabelle@wso2.com",
         "http://wso2.org/claims/fullname":"Isabelle Mauny",
         "http://wso2.org/claims/givenname":"Isabelle",
         "http://wso2.org/claims/lastname":"Mauny",
         "http://wso2.org/claims/primaryChallengeQuestion":"Product Manager",
         "http://wso2.org/claims/role":"apisubscribers,Internal/identity,Internal/everyone",
         "http://wso2.org/claims/title":"Product Manager"}
      • Note that the default retriever forwards every non-null user-store attribute (here even primaryChallengeQuestion), so a back end receives more than it needs unless the claim set is restricted.
      • To override this behavior, create your own ClaimsRetriever implementation and reference it in the configuration.
      • You can also use another dialect
        ‣ Reuse an existing one
        ‣ Create your own
    • JWT Basic Configuration
      • Part of the <APIConsumerAuthentication> node in the api-manager.xml file
      • The following settings must be set/uncommented:
        ‣ <EnableTokenGeneration>true</EnableTokenGeneration>
        ‣ Token header name: <SecurityContextHeader>X-JWT-Assertion</SecurityContextHeader>
        ‣ Signature algorithm: <SignatureAlgorithm>SHA256withRSA</SignatureAlgorithm>
        ‣ Claims management: <ClaimsRetrieverImplClass>org.wso2.carbon.apimgt.impl.token.DefaultClaimsRetriever</ClaimsRetrieverImplClass>
        ‣ Claims dialect: <ConsumerDialectURI>http://wso2.org/claims</ConsumerDialectURI>
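    The back end must verify the X-JWT-Assertion signature before it trusts any claim; otherwise anyone who can reach the back-end service directly, bypassing the gateway, can hand it a header with whatever role claim they like. The following is an added example, not code from the presentation or from WSO2 API Manager: a Go round trip in which a gateway-side issue signs the header.claims pair with SHA256withRSA (the algorithm RFC 7518 calls RS256, RSASSA-PKCS1-v1_5 over SHA-256) and a back-end-side verify pins the header, checks the signature and an exp claim, and rejects a copy whose role claim was rewritten with the original signature kept. Assumptions, also marked in the code: a freshly generated RSA key stands in for the gateway keystore; the header is exactly {"alg":"RS256","typ":"JWT"} and the parts use unpadded base64url encoding (check a real 1.5 token for the exact header and padding the gateway emits); the claim values are constructed; the exp claim is this example's own addition, not something the slides mention.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the JWT payload. Keys follow the default WSO2 dialect
// (http://wso2.org/claims) on the slide; the values are constructed samples.
type Claims map[string]interface{}

// RS256 is the RFC 7518 name for SHA256withRSA (RSASSA-PKCS1-v1_5 over SHA-256).
// Assumption: the gateway emits exactly this header; a header that also carries
// kid/x5t would have to be parsed, with its alg field pinned the same way.
const jwtHeader = `{"alg":"RS256","typ":"JWT"}`

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// issue is the gateway side: b64url(header).b64url(claims), signed with the
// gateway private key and sent to the back end as the X-JWT-Assertion header.
func issue(priv *rsa.PrivateKey, claims Claims) (string, error) {
	body, _ := json.Marshal(claims) // a string/number map cannot fail to marshal
	signingInput := b64url([]byte(jwtHeader)) + "." + b64url(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// verify is the back-end side. It pins the header (so "alg":"none" or any
// other algorithm is refused), checks the signature over the raw encoded
// parts and checks exp before any claim is trusted.
func verify(pub *rsa.PublicKey, token string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token: want header.claims.signature")
	}
	if parts[0] != b64url([]byte(jwtHeader)) {
		return nil, fmt.Errorf("unexpected header %q", parts[0])
	}
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2]) // a bad decode simply fails below
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature does not verify: forged or tampered token")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims Claims
	if err := json.Unmarshal(raw, &claims); err != nil {
		return nil, err
	}
	if exp, ok := claims["exp"].(float64); !ok || now.Unix() >= int64(exp) {
		return nil, errors.New("token expired or has no exp claim")
	}
	return claims, nil
}

// demo: the genuine token verifies and yields the role claim; a copy with the
// role rewritten to "admin" and the original signature kept (what an attacker
// who can reach the back end directly would send) is rejected.
func demo() (string, bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the gateway keystore
	if err != nil {
		return "", false, err
	}
	now := time.Now()
	claims := Claims{"exp": now.Add(15 * time.Minute).Unix(),
		"http://wso2.org/claims/role": "apisubscribers,Internal/identity,Internal/everyone"}
	token, err := issue(priv, claims)
	if err != nil {
		return "", false, err
	}
	got, err := verify(&priv.PublicKey, token, now)
	if err != nil {
		return "", false, err
	}
	role, _ := got["http://wso2.org/claims/role"].(string)
	claims["http://wso2.org/claims/role"] = "admin"
	body, _ := json.Marshal(claims)
	parts := strings.Split(token, ".")
	_, forgedErr := verify(&priv.PublicKey, parts[0]+"."+b64url(body)+"."+parts[2], now)
	return role, forgedErr != nil, nil
}

func main() {
	role, rejected, err := demo()
	fmt.Printf("role=%q tampered_rejected=%v err=%v\n", role, rejected, err)
}
```

    Only the gateway holds the private key; the back end needs just the gateway's public certificate, which is what makes the claims in the header trustworthy at all. Pinning the whole header is deliberate: it is the simplest way to make sure a token whose header was rewritten to a different algorithm never reaches the signature check.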
    • Enriching API Gateway Flows
      • Available as of version 1.5 (in the UI)
      • Allows you to use the full power of the mediation engine (from WSO2 ESB) in the API Gateway
    • Sequences Development/Publishing
    • API Publisher UI
      • Expand the "More Options" section under the Endpoints block
      • Select the sequence for the IN/OUT flows
    • Reacting on API Calls events
    • Using Complex Event Processing
      • The example on the slide sends an email each time an API is called 5 times within 1 minute.
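    A per-API count over a sliding one-minute window is the core of the rule the slide describes. What follows is an added example, not the presentation's CEP query: a Go detector that replays a constructed stream of API-call events and raises an alert when one API is seen 5 times within 1 minute, where the alert record stands in for the email. The API names, consumer name and timestamps are made up for the example, and the event field names are this example's own. After an alert the API's window is cleared so that one burst yields one alert rather than one per further call; that is a design choice made here, not something the slide states.

```go
package main

import (
	"fmt"
	"time"
)

// Event is one API invocation as the gateway would publish it to the CEP
// engine. Constructed sample records; the field names are this example's own.
type Event struct {
	At       time.Time
	API      string
	Consumer string
}

// Alert is what the CEP rule on the slide would turn into an email.
type Alert struct {
	API   string
	Count int
	At    time.Time
}

// Detector keeps, per API, the call timestamps still inside the sliding window.
type Detector struct {
	Window    time.Duration
	Threshold int
	recent    map[string][]time.Time
}

func NewDetector(window time.Duration, threshold int) *Detector {
	return &Detector{Window: window, Threshold: threshold, recent: map[string][]time.Time{}}
}

// Observe feeds one event. It returns an Alert when the API has been called
// Threshold times within Window, then clears that API's history so one burst
// produces one alert rather than one per subsequent call.
func (d *Detector) Observe(e Event) (Alert, bool) {
	times := d.recent[e.API]
	cutoff := e.At.Add(-d.Window)
	kept := times[:0] // drop timestamps that have slid out of the window
	for _, t := range times {
		if t.After(cutoff) {
			kept = append(kept, t)
		}
	}
	kept = append(kept, e.At)
	if len(kept) >= d.Threshold {
		d.recent[e.API] = nil
		return Alert{API: e.API, Count: len(kept), At: e.At}, true
	}
	d.recent[e.API] = kept
	return Alert{}, false
}

// Run replays a batch of events (assumed already in time order) and collects alerts.
func Run(d *Detector, events []Event) []Alert {
	var alerts []Alert
	for _, e := range events {
		if a, ok := d.Observe(e); ok {
			alerts = append(alerts, a)
		}
	}
	return alerts
}

// SampleEvents is a constructed stream: PizzaShackAPI is hit 5 times inside
// 40 s (a burst), then once more two minutes later; WeatherAPI is hit 4 times
// spread over more than 3 minutes and must not trigger.
func SampleEvents() []Event {
	base := time.Date(2013, 11, 1, 10, 0, 0, 0, time.UTC)
	mk := func(sec int, api string) Event {
		return Event{At: base.Add(time.Duration(sec) * time.Second), API: api, Consumer: "isabelle"}
	}
	return []Event{
		mk(0, "PizzaShackAPI"), mk(5, "WeatherAPI"), mk(10, "PizzaShackAPI"),
		mk(20, "PizzaShackAPI"), mk(30, "PizzaShackAPI"), mk(40, "PizzaShackAPI"),
		mk(70, "WeatherAPI"), mk(150, "WeatherAPI"), mk(160, "PizzaShackAPI"),
		mk(200, "WeatherAPI"),
	}
}

func main() {
	for _, a := range Run(NewDetector(time.Minute, 5), SampleEvents()) {
		fmt.Printf("ALERT %s called %d times within 1 minute, last call at %s\n",
			a.API, a.Count, a.At.Format(time.RFC3339))
	}
}
```

    Keying the window on the API name alone matches the slide's rule; keying on API plus consumer instead turns the same code into a per-subscriber abuse detector.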
    • Extending Authorization
      • Leverage the Entitlement (XACML) features of the underlying WSO2 Identity Server
      • Install the Entitlement features inside APIM 1.5 or use an external Identity Server
    • Policies Administration
    • Enforcing the Policy
      • Use the Entitlement mediator as part of a custom mediation flow
    • Additional Features (1.5)
      • Publish to Sandbox only
      • Use separate gateways for production and sandbox calls
        ‣ Lets you scale them separately
      • Allow an API to be advertised in multiple stores
    • Thank You !