Post on 14-Apr-2017
Introducing the all-new RESTful API for API Management
Joseph Fonseka Senior Technical Lead
joseph@wso2.com
Malintha Amarasinghe Software Engineer
malinthaa@wso2.com
Introduction
API Manager 1.10.0 ships with a new REST API for Store and Publisher.
o Current version is v0.9
Existing APIs
o Not RESTful.
o API interface was not intuitive.
o Did not have a well-defined interface.
o Secured with a session-based login API.
o Need to hard-code user credentials.
o You are unable to delegate access.
Example:
curl -b cookies "http://localhost:9763/publisher/site/blocks/listing/ajax/item-list.jag?action=getAllAPIs"
New RESTful API
o Follows RESTful principles and has a clearly documented API definition.
o Secured using OAuth.
Richardson Maturity Model
API Definition
o We took a design-first approach when developing the API.
o The API definition is documented with Swagger 2.0.
API Security with OAuth
o Allows you to delegate access to other applications.
o Use API Manager token endpoint to generate tokens.
o Supports all the grant types supported by APIM.
o User is picked up from the token.
API Security with OAuth
[Diagram: an OAuth Application sends API Requests to the API Publisher and the API Store; each performs Token Validation against the Key Manager (IdP).]
Implementation
o We implemented the web APIs as JAX-RS services.
o You can access the APIs using the following contexts:
o https://<host>:<port>/api/am/publisher/v0.9
o https://<host>:<port>/api/am/store/v0.9
o The JAX-RS applications can be found in <AM-HOME>/repository/deployment/server/webapps/
- api#am#publisher#v0.9.war
- api#am#store#v0.9.war
Validation
o Bean Validation 1.1
o Generates a response with the list of violations and sends it back to the client.
o Custom validation implementations can be plugged in, based on a CXF interceptor.
Validation
Incomplete request:
POST /api/am/publisher/v0.9/apis
Authorization: Bearer <token>

{ "name": "calc1", "context": "/calc1", "version": "1.0.0" }

Response:
HTTP/1.1 400 Bad Request

{
  "moreInfo": "",
  "code": 400,
  "description": "Validation Error",
  "message": "Bad Request",
  "error": [
    { "code": "400_apiDefinition", "message": "apiDefinition: may not be null" },
    { "code": "400_endpointConfig", "message": "endpointConfig: may not be null" },
    { "code": "400_visibility", "message": "visibility: may not be null" },
    ...
Access Control and Security
o By default, uses OAuth for authorization and authentication.
o Resources are secured with OAuth2 scopes.
o Supports pluggable security mechanisms.
o Ex. XACML over Basic authentication.
Method  Resource               Required scope
GET     /apis                  apim:api_view
POST    /apis                  apim:api_create
POST    /apis/change-lifecycle apim:api_publish
Multitenancy
o The tenant is typically extracted from the user information of the access token.
o Anonymous Store resources support a special header:
o X-WSO2-Tenant: wso2.com
../store/v0.9/apis/*
../store/v0.9/tiers/*
../store/v0.9/tags
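The scope table, the validation error envelope and the X-WSO2-Tenant header above describe the contract a client has to honour. The following helper is an added example, not code from the slides or from WSO2 API Manager: it builds a publisher/store request only when the token's granted scopes (assumed to be known from the token endpoint response) cover the resource, adds the tenant header only on the anonymous store resources listed above (a client-side guard, our assumption), and turns the 400 "Validation Error" body into a field-to-message map.

```python
import json
import re

# Scope table from the slides: (method, path) -> required OAuth2 scope.
REQUIRED_SCOPES = {
    ("GET", "/apis"): "apim:api_view",
    ("POST", "/apis"): "apim:api_create",
    ("POST", "/apis/change-lifecycle"): "apim:api_publish",
}

# Store resources documented as accepting the anonymous X-WSO2-Tenant header.
ANONYMOUS_STORE_PATHS = re.compile(r"^/(apis|tiers)(/.*)?$|^/tags$")


def build_request(app, method, path, token, granted_scopes, tenant=None, body=None):
    """Build the HTTP request for a publisher/store call.

    Refuses to send a request whose token cannot satisfy the resource's scope,
    so a missing scope is caught before the Key Manager rejects the call.
    token=None means an anonymous call (only sensible on store resources).
    """
    required = REQUIRED_SCOPES.get((method, path))
    if required and required not in granted_scopes:
        raise PermissionError(f"{method} {path} requires scope {required}")
    headers = {}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    if tenant is not None:
        # Client-side guard (assumption): the slides document the header only
        # for the anonymous store resources, so refuse it anywhere else.
        if app != "store" or not ANONYMOUS_STORE_PATHS.match(path):
            raise ValueError("X-WSO2-Tenant only applies to anonymous store resources")
        headers["X-WSO2-Tenant"] = tenant
    if body is not None:
        headers["Content-Type"] = "application/json"
    return {"method": method, "url": f"/api/am/{app}/v0.9{path}",
            "headers": headers, "body": None if body is None else json.dumps(body)}


def parse_validation_error(status, body):
    """Turn the 400 'Validation Error' envelope into {field: message}.

    Violation codes look like '400_<field>' and messages like '<field>: <text>'.
    Returns None for any response that is not a validation error.
    """
    if status != 400:
        return None
    payload = json.loads(body)
    if payload.get("description") != "Validation Error":
        return None
    violations = {}
    for err in payload.get("error", []):
        code = err.get("code", "")
        field = code.split("_", 1)[1] if "_" in code else code
        violations[field] = err.get("message", "").split(": ", 1)[-1]
    return violations
```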
Versioning
o We follow semantic versioning: MAJOR.MINOR.PATCH.
o We are committed to retaining backward compatibility for at least one major version.
Road Map
o We plan to release v1.0.0 in the next APIM release.
o Rewrite the Store and Publisher apps to use the REST API.
o Add support for Optimistic Concurrency Control and caching headers.
o Support for workflows and long-running processes.
o ...
Documentation
o Documentation generated from the Swagger definitions can be found at the following locations:
o Publisher documentation: https://docs.wso2.com/display/AM1100/apidocs/publisher/
o Store documentation: https://docs.wso2.com/display/AM1100/apidocs/store/