WSO2Con US 2013 - Advanced API Management Tactics



  1. Advanced API Management Tactics
     Isabelle Mauny, isabelle@wso2.com, Director of Product Management
  2. Use Cases
     • How to pass authentication information to back-end services?
     • How to enrich request/response flows?
     • How to react in real time to API event patterns?
     • How to extend the authorization of users, leveraging WSO2 Identity Server?
  3. Passing Auth Information to back-end services
     • Using JSON Web Tokens (JWT)
       ‣ Lightweight
       ‣ Can be signed
       ‣ Easy to parse and consume
       ‣ Standard
  4. Token Format
     • JWT structure: {token info}.{claims list}.{signature}
     • Base-64 encoded
  5. What are Claims?
     • Claims are a set of attributes about a user, mapped to the underlying user store.
     • A set of claims is called a dialect.
     • The default dialect is http://wso2.org/claims
  6. Managing Claims
     • Default behavior is that all non-null claims will be added to the JWT:
       {"http://wso2.org/claims/emailaddress":"isabelle@wso2.com",
        "http://wso2.org/claims/fullname":"Isabelle Mauny",
        "http://wso2.org/claims/givenname":"Isabelle",
        "http://wso2.org/claims/lastname":"Mauny",
        "http://wso2.org/claims/primaryChallengeQuestion":"Product Manager",
        "http://wso2.org/claims/role":"apisubscribers,Internal/identity,Internal/everyone",
        "http://wso2.org/claims/title":"Product Manager"}
     • If you want to override this behavior, you need to create your own ClaimsRetriever class.
     • You can also use another dialect
       ‣ Reuse an existing one
       ‣ Create your own
  7. JWT Basic Configuration
     • Part of the <APIConsumerAuthentication> node
     • The following settings must be set/uncommented in the api-manager.xml file:
       ‣ <EnableTokenGeneration>true</EnableTokenGeneration>
       ‣ Token header name: <SecurityContextHeader>X-JWT-Assertion</SecurityContextHeader>
       ‣ Signature algorithm: <SignatureAlgorithm>SHA256withRSA</SignatureAlgorithm>
       ‣ Claims management: <ClaimsRetrieverImplClass>org.wso2.carbon.apimgt.impl.token.DefaultClaimsRetriever</ClaimsRetrieverImplClass>
       ‣ Claims dialect: <ConsumerDialectURI>http://wso2.org/claims</ConsumerDialectURI>
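As an added example (not from the slides or from the WSO2 code base), the JWT flow of slides 3 to 7 modelled in Go: a gateway-side function mints the {token info}.{claims list}.{signature} token with http://wso2.org/claims dialect claims and SHA256withRSA (RS256 in JWT terms), and a back-end-side function shows the checks a service should apply to the X-JWT-Assertion header before trusting any claim. The unpadded base64url encoding and the minimal header are assumptions, since the deck only says the token is Base-64 encoded.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
// Unpadded base64url as the JWT standard specifies (an assumption of this example).
var b64 = base64.RawURLEncoding

// MintAssertion is the gateway side: {token info}.{claims list}.{signature}, RS256 = SHA256withRSA.
func MintAssertion(key *rsa.PrivateKey, claims map[string]string) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256"})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyAssertion is the back-end side: parse X-JWT-Assertion, accept only RS256, verify, then release claims.
func VerifyAssertion(pub *rsa.PublicKey, token string) (map[string]string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token: want header.claims.signature")
	}
	var hdr map[string]string
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr["alg"] != "RS256" {
		return nil, errors.New("header rejected: only RS256 is accepted")
	}
	sig, err := b64.DecodeString(parts[2]) // checked before the claims are even decoded
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature check failed; do not trust the claims")
	}
	var claims map[string]string
	raw, err := b64.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(raw, &claims)
	}
	return claims, err
}
```

The back end must hold only the gateway's public key; a token whose claims were altered in transit, whose header names another algorithm, or that was signed with a different key is rejected before any claim is read.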
  8. Enriching API Gateway Flows
     • Available as of version 1.5 (in the UI)
     • Allows you to use the full power of the mediation engine (from WSO2 ESB) in the API Gateway
  9. Sequences Development/Publishing
  10. API Publisher UI
     • Expand the “More Options” section under the Endpoints block
     • Select a sequence for the IN/OUT flows
  11. Reacting to API Call Events
  12. Using Complex Event Processing
     • The following example sends an email each time an API is called 5 times within 1 minute.
  13. Extending Authorization
     • Leverage Entitlements (XACML) of the underlying WSO2 Identity Server
     • Can install the Entitlement features inside APIM 1.5 or use an external Identity Server
  14. Policies Administration
  15. Enforcing the Policy
     • Use the Entitlement mediator as part of a custom mediation flow
  16. Additional Features (1.5)
     • Publish to Sandbox only
     • Use separate gateways for production and sandbox calls
       ‣ Lets you scale them separately
     • Allow an API to be advertised in multiple stores.
  17. Thank You!
