Until now, the OpenAPI Specification has been primarily used as design tool; a way to document and test your API before shipping. What if we could bring them to the next level to start driving some of your production software, such as an API Gateway? In this talk, we will explore the necessary conditions to expand and improve your OpenAPI specification to accommodate new use cases, such as driving some of an API Gateway options. Using practical examples, we will discuss the future of the OpenAPI specifications while highlighting specific features that need improvement.
4. StoplightMonday, May 20, 2019 @d3dvincent 2
Agenda
• Where are we at with OpenAPI
• Current usages and tools
5. StoplightMonday, May 20, 2019 @d3dvincent 2
Agenda
• Where are we at with OpenAPI
• Current usages and tools
• What’s up with OpenAPI at runtime
6. StoplightMonday, May 20, 2019 @d3dvincent 2
Agenda
• Where are we at with OpenAPI
• Current usages and tools
• What’s up with OpenAPI at runtime
• Use cases
7. StoplightMonday, May 20, 2019 @d3dvincent 2
Agenda
• Where are we at with OpenAPI
• Current usages and tools
• What’s up with OpenAPI at runtime
• Use cases
• API Gateway support
8. StoplightMonday, May 20, 2019 @d3dvincent 2
Agenda
• Where are we at with OpenAPI
• Current usages and tools
• What’s up with OpenAPI at runtime
• Use cases
• API Gateway support
• What can we do better
9. StoplightMonday, May 20, 2019 @d3dvincent 2
Agenda
• Where are we at with OpenAPI
• Current usages and tools
• What’s up with OpenAPI at runtime
• Use cases
• API Gateway support
• What can we do better
• Live demo
10. StoplightMonday, May 20, 2019 @d3dvincent 2
Agenda
• Where are we at with OpenAPI
• Current usages and tools
• What’s up with OpenAPI at runtime
• Use cases
• API Gateway support
• What can we do better
• Live demo
• Takeaways and questions
19. StoplightMonday, May 20, 2019 @d3dvincent
OpenAPI
4
The OpenAPI Specification (OAS) defines a standard,
programming language-agnostic interface description
for REST APIs, which allows both humans and
computers to discover and understand the capabilities
of a service
20. StoplightMonday, May 20, 2019 @d3dvincent
OpenAPI
4
The OpenAPI Specification (OAS) defines a standard,
programming language-agnostic interface description
for REST APIs, which allows both humans and
computers to discover and understand the capabilities
of a service
Use cases for machine-readable API definition
documents include, but are not limited to: interactive
documentation; code generation for documentation,
clients, and servers; and automation of test cases.
21. StoplightMonday, May 20, 2019 @d3dvincent
OpenAPI
4
The OpenAPI Specification (OAS) defines a standard,
programming language-agnostic interface description
for REST APIs, which allows both humans and
computers to discover and understand the capabilities
of a service
Use cases for machine-readable API definition
documents include, but are not limited to: interactive
documentation; code generation for documentation,
clients, and servers; and automation of test cases.
— OpenAPI Official Repository
46. StoplightMonday, May 20, 2019 @d3dvincent 8
Linting
• Open Source Linting Engine
• Based on https://speccy.io
47. StoplightMonday, May 20, 2019 @d3dvincent 8
Linting
• Open Source Linting Engine
• Based on https://speccy.io
• https://github.com/stoplightio/spectral
59. StoplightMonday, May 20, 2019 @d3dvincent 11
OpenAPI in your runtime: today
• API Monitoring
• API Usage Statistics
60. StoplightMonday, May 20, 2019 @d3dvincent 11
OpenAPI in your runtime: today
• API Monitoring
• API Usage Statistics
• API Analysis and feedback collection
62. StoplightMonday, May 20, 2019 @d3dvincent 12
OpenAPI as a source for verification
client.pets.list()
63. StoplightMonday, May 20, 2019 @d3dvincent 12
OpenAPI as a source for verification
client.pets.list()
GET /api/pets
HOST: petstore.com
Accept: application/json
64. StoplightMonday, May 20, 2019 @d3dvincent 12
OpenAPI as a source for verification
client.pets.list()
GET /api/pets
HOST: petstore.com
Accept: application/json
• Most used endpoints
65. StoplightMonday, May 20, 2019 @d3dvincent 12
OpenAPI as a source for verification
client.pets.list()
GET /api/pets
HOST: petstore.com
Accept: application/json
• Most used endpoints
• Most failing endpoints
66. StoplightMonday, May 20, 2019 @d3dvincent 12
OpenAPI as a source for verification
client.pets.list()
GET /api/pets
HOST: petstore.com
Accept: application/json
• Most used endpoints
• Most failing endpoints
• Most common scenarios
69. StoplightMonday, May 20, 2019 @d3dvincent 13
…what about ops?
🤔
• Safely rollout a new API Section
70. StoplightMonday, May 20, 2019 @d3dvincent 13
…what about ops?
🤔
• Safely rollout a new API Section
• Set an API Section as deprecated
71. StoplightMonday, May 20, 2019 @d3dvincent 13
…what about ops?
🤔
• Safely rollout a new API Section
• Set an API Section as deprecated
• Changes in security requirements
72. StoplightMonday, May 20, 2019 @d3dvincent 13
…what about ops?
🤔
• Safely rollout a new API Section
• Set an API Section as deprecated
• Changes in security requirements
• Changes in validation rules
73. StoplightMonday, May 20, 2019 @d3dvincent 13
…what about ops?
🤔
• Safely rollout a new API Section
• Set an API Section as deprecated
• Changes in security requirements
• Changes in validation rules
• Redirects
74. StoplightMonday, May 20, 2019 @d3dvincent 13
…what about ops?
• Safely rollout a new API Section
• Set an API Section as deprecated
• Changes in security requirements
• Changes in validation rules
• Redirects
😫
77. StoplightMonday, May 20, 2019 @d3dvincent 14
API Gateway
• Limited configuration surface
• Almost 1:1 match with OpenAPI description file
78. StoplightMonday, May 20, 2019 @d3dvincent 14
API Gateway
• Limited configuration surface
• Almost 1:1 match with OpenAPI description file
• (some) solutions can be declaratively configured
81. StoplightMonday, May 20, 2019 @d3dvincent 15
AWS API Gateway
• OpenAPI 2 support
• OpenAPI 3 support
82. StoplightMonday, May 20, 2019 @d3dvincent 15
AWS API Gateway
• OpenAPI 2 support
• OpenAPI 3 support
• Proprietary extensions
83. StoplightMonday, May 20, 2019 @d3dvincent 15
AWS API Gateway
• OpenAPI 2 support
• OpenAPI 3 support
• Proprietary extensions
• Document Upload API
84. StoplightMonday, May 20, 2019 @d3dvincent 15
AWS API Gateway
• OpenAPI 2 support
• OpenAPI 3 support
• Proprietary extensions
• Document Upload API
• Merge feature
87. StoplightMonday, May 20, 2019 @d3dvincent 16
Apigee Edge
• OpenAPI 2.0 support
• OpenAPI 3.0 support
88. StoplightMonday, May 20, 2019 @d3dvincent 16
Apigee Edge
• OpenAPI 2.0 support
• OpenAPI 3.0 support
• No documented extensions
89. StoplightMonday, May 20, 2019 @d3dvincent 16
Apigee Edge
• OpenAPI 2.0 support
• OpenAPI 3.0 support
• No documented extensions
• Project Upload API
92. StoplightMonday, May 20, 2019 @d3dvincent 17
Microsoft API Management
• OpenAPI 2.0 support
• OpenAPI 3.0 support
93. StoplightMonday, May 20, 2019 @d3dvincent 17
Microsoft API Management
• OpenAPI 2.0 support
• OpenAPI 3.0 support
• Few, not super important, extensions
94. StoplightMonday, May 20, 2019 @d3dvincent 17
Microsoft API Management
• OpenAPI 2.0 support
• OpenAPI 3.0 support
• Few, not super important, extensions
• Project Upload API
104. StoplightMonday, May 20, 2019 @d3dvincent 21
Takeaways and open questions
• OpenAPI aren’t a first class citizens for Open Source API Gateways
105. StoplightMonday, May 20, 2019 @d3dvincent 21
Takeaways and open questions
• OpenAPI aren’t a first class citizens for Open Source API Gateways
• They just do not care of its support
106. StoplightMonday, May 20, 2019 @d3dvincent 21
Takeaways and open questions
• OpenAPI aren’t a first class citizens for Open Source API Gateways
• They just do not care of its support
• Not the right tool for the job
107. StoplightMonday, May 20, 2019 @d3dvincent 21
Takeaways and open questions
• OpenAPI aren’t a first class citizens for Open Source API Gateways
• They just do not care of its support
• Not the right tool for the job
• OpenAPI documents alone aren’t enough to describe all the aspects of an API
108. StoplightMonday, May 20, 2019 @d3dvincent 21
Takeaways and open questions
• OpenAPI aren’t a first class citizens for Open Source API Gateways
• They just do not care of its support
• Not the right tool for the job
• OpenAPI documents alone aren’t enough to describe all the aspects of an API
• OpenAPI specifications need to be expanded
110. StoplightMonday, May 20, 2019 @d3dvincent 22
The rules (to make it happen)
• Use an API Gateway
111. StoplightMonday, May 20, 2019 @d3dvincent 22
The rules (to make it happen)
• Use an API Gateway
• Put as much as you can on it (security, rate limiting, payload validation)
112. StoplightMonday, May 20, 2019 @d3dvincent 22
The rules (to make it happen)
• Use an API Gateway
• Put as much as you can on it (security, rate limiting, payload validation)
• You do not need micro services to use an API Gateway
113. StoplightMonday, May 20, 2019 @d3dvincent 22
The rules (to make it happen)
• Use an API Gateway
• Put as much as you can on it (security, rate limiting, payload validation)
• You do not need micro services to use an API Gateway
• Make sure what exposes matches what’s declared in the OpenAPI spec file
114. StoplightMonday, May 20, 2019 @d3dvincent 22
The rules (to make it happen)
• Use an API Gateway
• Put as much as you can on it (security, rate limiting, payload validation)
• You do not need micro services to use an API Gateway
• Make sure what exposes matches what’s declared in the OpenAPI spec file
• Prefer a solution that is declarative
115. StoplightMonday, May 20, 2019 @d3dvincent 22
The rules (to make it happen)
• Use an API Gateway
• Put as much as you can on it (security, rate limiting, payload validation)
• You do not need micro services to use an API Gateway
• Make sure what exposes matches what’s declared in the OpenAPI spec file
• Prefer a solution that is declarative
• It’s going to be easier to write automation scripts
116. StoplightMonday, May 20, 2019 @d3dvincent 22
The rules (to make it happen)
• Use an API Gateway
• Put as much as you can on it (security, rate limiting, payload validation)
• You do not need micro services to use an API Gateway
• Make sure what exposes matches what’s declared in the OpenAPI spec file
• Prefer a solution that is declarative
• It’s going to be easier to write automation scripts
• Refrain from using custom extension
117. StoplightMonday, May 20, 2019 @d3dvincent 22
The rules (to make it happen)
• Use an API Gateway
• Put as much as you can on it (security, rate limiting, payload validation)
• You do not need micro services to use an API Gateway
• Make sure what exposes matches what’s declared in the OpenAPI spec file
• Prefer a solution that is declarative
• It’s going to be easier to write automation scripts
• Refrain from using custom extension
• It will complicate the things the day these automations will be the standard for all the
solutions