api introduction - api management workshop munich from ronnie mitra
TRANSCRIPT
API Workshop
Ronnie Mitra
Principal API Architect - Europe
Layer 7 API Academy
API Management
virtual cloud on-premise
API Academy
Mike Amundsen Ronnie Mitra
www.apiacademy.co
Business of APIs
API Styles
Usability
Security
API Architecture
SOA Governance
What are Web APIs?
Connecting things
Connecting computer programs
API
All programmers are API designers
Connections between modules
Language Dependant
APIs are constrained by the syntax of the language
… over the web
Web APIs
Language Independent
APIs are constrained by the syntax of the web
Most API Design principles can be applied
Some design principles are unique to Web APIs
Web of
Documents
Web of
Apps Web of
Services
Web of
Things
The web is ubiquitous
And universally accessible
Publishers retain control
We are surrounded by Web APIs
Did you check the weather today?
Private or Closed APIs
Acme Corp. API
Acme Corp. App
Public or Open APIs
Acme Corp. API
Third Party App
Priority: Lower Cost
Priority: Increased Adoption
Business of APIs
why build an API?
Innovation
Consumer Reach
Revenue Source
Marketing
Integration
Light Bulb designed by Jean-Philippe Cabaroc from The Noun Project
Innovation
Consumer Reach
Revenue Source
Marketing
Integration
Light Bulb designed by Jean-Philippe Cabaroc from The Noun Project
Revenue Source
Revenue Source
http://www.flickr.com/photos/inside-south-africa/485356704
£0.10 per API Call
Revenue Source
1000 calls/month
5000 calls/month
Revenue Source
500 calls/month
1000 calls/month
5000 calls/month
Revenue Source
Is your content worth paying for?
Innovation
Consumer Reach
Revenue Source
Marketing
Integration
Light Bulb designed by Jean-Philippe Cabaroc from The Noun Project
Consumer Reach
Consumer Reach
Head
Long Tail
Consumer Reach
Innovation
Consumer Reach
Revenue Source
Marketing
Integration
Light Bulb designed by Jean-Philippe Cabaroc from The Noun Project
Marketing
Affiliate Programs
Sometimes you pay the developer.
Marketing
Draw new visitors in.
Marketing
Innovation
Consumer Reach
Revenue Source
Marketing
Integration
Light Bulb designed by Jean-Philippe Cabaroc from The Noun Project
Innovation
Light Bulb designed by Jean-Philippe Cabaroc from The Noun Project
Innovation from within
Innovation
Light Bulb designed by Jean-Philippe Cabaroc from The Noun Project
Innovation outside your borders
Innovation
Light Bulb designed by Jean-Philippe Cabaroc from The Noun Project
When does innovation happen?
Innovation
Consumer Reach
Revenue Source
Marketing
Integration
Light Bulb designed by Jean-Philippe Cabaroc from The Noun Project
Integration
Business driven integration
Regulatory driven integration
Observational Learning: Five Short Stories of Public APIs
2000 – ebay
Started with a paid developer program in 2000
Made it free in 2005
Consumer Reach
Marketing
Large developer eco-system Large app eco-system
25% of eBay listings come from their API!
salesforce
2000 – salesforce
Integration
Revenue Source
API as a cloud enabler
2004 – Flickr
web 2.0 generation
Consumer Reach
Marketing
The rise of self-service Announced 6 billion photos in August 2011
2006 – Amazon Web Services
Started as an online book shop… Became a department store…
now?
Jeff Bezos Connect everything
http://www.flickr.com/photos/zippy/2430495092
2004: Hey, why don’t we sell this?
Revenue Source
Estimated revenue: $1.5B in 2012
http://wikibon.org/wiki/v/Cloud_Computing_2013%3A_The_Amazon_Gorilla_Invades_the_Enterprise
Twilio or stripe
2007 - Twillio
Revenue Source
The API is the business
100,000 developer milestone in 2012
Original APIs are still successful
New business models have emerged
Different drivers have influenced API design
Summary
Why make an API Public?
Unlock new markets
External innovation
Drive revenue
“Free” development
Crowdbased asset development
Promote Mutual Gain
(Symbiosis)
http://upload.wikimedia.org/wikipedia/commons/f/ff/Aedes_albopictus_cdc.jpg
http://commons.wikimedia.org/wiki/File:Arothron_hispidus_is_being_cleaned_by_Hawaiian_cleaner_wrasses,_Labroides_phthirophagus_1.jpg
Don’t forget:
More developers = Higher Costs
Bandwidth
Technical Support
Processing and Storage
?
Documentation
Tools
Evangelists and communities
Supporting Developers
Connector designed by R Chow from The Noun Project
Notepad designed by Luis Prado from The Noun Project
API Management
To ensure failure, make your API:
• difficult to understand
• dangerous to use (unsafe)
• unreliable and unstable
• opaque (provides no visibility)
API management helps us:
• Drive adoption
• Lower costs
• Keep existing users
• Reduce friction
Innovation
Consumer Reach
Revenue Source
Marketing
Integration
Light Bulb designed by Jean-Philippe Cabaroc from The Noun Project
Without API management an API is naked.
Business of APIs Summary
• Understand the business motivation
• Choose a style that fits your constraints and goals
API Styles
What does a Web API look like?
Web APIs
HTTP
Architectural Styles
Tunnel Style
URI Style
Hypermedia Style
Event Driven Style
Tunnel Style Example: SOAP
• transport agnostic • operation based • binding documents (WSDL)
Tunnel Style
<RetrieveStudentRecords> <StudentId>1213</StudentId> </RetrieveStudentRecords>
Tunnel Style
• lots of tooling • not restricted to HTTP • RPC
Advantages
Tunnel Style
• inefficient for HTTP • increased learning curve • lack of tooling in mobile
Trade-offs
URI Style
GET PUT
POST DELETE
+ URI
URI Style
GET /students/1232
URI Style
• familiar to web developers • designed for HTTP • URIs are intuitive
Advantages
URI Style
• limited to four methods • URI design is not standard • can be ‘chatty’
Trade-offs
Hypermedia Style
Hypermedia Style
• links • templated input (forms) • task based
{ links: [ link {href: ‘…’ rel: ‘list’}, link {href: ‘…’ rel: ‘add’} ] collection: [ {link: {rel:'complete',href:‘…'},
id:42,
text:‘Record 42'
} ] }
Hypermedia Style
• designed for HTTP • long lasting • no URI construction
Advantages
Hypermedia Style
• leading-edge • requires ‘smarter’ apps • less familiar to developers
Trade-offs
Event Driven Style Example: WebSockets
• event based communication • server initiated events • full-duplex (websocket)
Event Driven Style
• less overhead • better performance
Advantages
Event Driven Style
• not HTTP-based • resource intensive connections • inefficient for request-reply
Trade-offs
API Styles Summary
• Web API != standard
• Four popular styles: Tunnel, URI, Hypermedia, Event
• Choose a style that fits your constraints and goals
Usability
Interaction Design
Usability
Human-Computer-Interaction
User Experience Design
Goal Oriented Design
A user-centric view of design.
http://www.flickr.com/photos/58754750@N08/5541472392/
Well designed products are easier to use.
Good design matters for Web APIs too.
“Frictionless” integration High rates of adoption Low cost integration
We want:
Focus on the developer experience
(dx)
Portal
API
Why is this difficult?
Reason #1
We project our own perspective.
Your code is not your API.
Your data model is not your API.
Reason #2
We project our own biases.
Never use SOAP?
Why?
Consider keyboards…
http://www.flickr.com/photos/yvettemn/139890573/
http://www.flickr.com/photos/jonathanpberger/7126054997/
http://www.flickr.com/photos/novemberborn/286773981/
It doesn’t matter that you don’t like SOAP.
What matters is what your developer base thinks!
Reason #3
We make bad assumptions.
API publishers are also developers.
Reason #4
We lack the time, money or incentive for good design
“Best practices”, patterns and standards become shortcuts
Am I RESTfull enough?
So, how can we do better?
Developer-centric design requires effort and diligence.
Is the answer an SDK?
An SDK shifts the design effort but does not resolve the usability
challenge
Design with the developer in mind.
Ask them.
• Interviews
• Surveys
• Listen (blogs, presentations, tweets)
"If I had asked people what they wanted, they would have said faster horses.“ – Henry Ford?
• Observe
• Prototype
• Historical Data
Consider all aspects of the DX:
Registration
Security
Troubleshooting
Learning
Interface Style
Registration
Lazy Registration
Social Integration
Personalization
Development Activity Cycle
1. Learn
2. Code
3. Implement
4. Test
5. Fix
Portal
API
Learn
Code
Test
API
Learn
Test
API explorers and “live documentation” can shorten the
gap between visibility and feedback.
1. Identify a Target Audience
2. Learn about the audience
3. Make API design choices that are developer-centric
4. Prototype and get feedback
5. Iterate
How?
Focus on the interactions that take place, rather than the interfaces
we expose
Great API design can thrive in a developer-centric environment
Usability Summary
• Focus on the developer
• Start by thinking in terms of interactions
• Effective for public and private APIs
Securing APIs
OWASP Top Ten (2010 Edition)
Source: http://www.owasp.org/index.php/Top_10
The primary API management challenge:
Balancing Control and Accessibility
Identity Authentication Authorization Availability Integrity Privacy
TLS OAuth 2
Open ID Connect
OAuth provides a
Delegated Authorization Framework
An imperfect analogy….
http://www.flickr.com/photos/drewleavy/5587005480
http://www.flickr.com/photos/24oranges/5791460046/
http://www.flickr.com/photos/grumbler/571106054/
http://www.flickr.com/photos/roboppy/238406811/
Your Money
This Shop Needs Your Money
You need to grant access to your money
http://www.flickr.com/photos/drewleavy/5587005480
I won’t tell.
I promise!
www.flickr.com/photos/auntiep/255249516
Granting access to someone to act
on your behalf.
Your resources
This app needs to act on your behalf
You need to grant access to your resources
Your google+ data
This app needs to access your Google+ data
You need to grant access to your resources
Hi Google.
I’d like to have access to a user’s data.
Hang on, let me ask…
He said yes. Here is your
access code.
Proprietary authorization implementations
OAuth (2007)
OWrap
OAuth 2
History of OAuth
OAuth 2 Grant Types
Grant Types:
- Authorization Code
- Implicit
- Resource Owner Password Credentials
- Client Credentials
OAuth 2 Challenges
It is a framework
OAuth 2 Challenges
New attack surfaces
Flexible, but complex for API publishers to implement
Utilizes redirection URIs (should be validated with strong rules)
Poor implementations will be exposed (see Facebook)
Not a solution to user authentication
OpenID Connect
Identity Access and Authentication (when combined with Open ID)
Built on top of OAuth 2
Not tied to any single vendor or identity provider
Open ID, Open ID Connect and OAuth 2
OAuth 2 allows an end-user to grant an application access to protected resources
However:
- The authorization server must still authenticate the end-user
- The client application is unable to determine information about the end-user
Client Application
Resource Owner Authorization Server
User Agent
Send
User
Authentication
Form
?
Authenticate
OpenID Authentication can help the server authenticate the end-user
OpenID Connect provides a mechanism for the application to learn about the end-
user
Open ID, Open ID Connect and OAuth 2
Client Application
Resource Owner Authorization Server
User Agent
Send
OpenID
Authentication
Form Authenticate
Retrieve User
Information
OpenID
Resource
Server
Security Summary
• Keep focus on usability
• Utilize standards like OAuth and TLS
• Danger in poor implementations
Designing an API Architecture
http://www.flickr.com/photos/naomi_pincher/3306312873/
Layered Pattern
Representation Layer
Component != Connector
Component
Database
File System
Message Queue
Transaction Manager
Source Code
Components Are Private
Connector
Web Server
Browser Agent
Proxy Server
Shared Cache
Connectors Are Public
Client Server Connectors
Components
The Web
The Treachery of Images - René Magritte
Representation Layer
Representation happens in the Connector
HTTP supports content negotiation
- Accept
- Content-Type
Differing clients (user-agents) === differing representations
- Desktop
- Browser
- Tablet
- Smartphone
Be prepared to support multiple representations
• Data and Interface Transformation • Focus on the interface (usability)
Representation
SOAP
Legacy
Security Layer
Security implementations are difficult:
• Mistakes are costly • Hard to understand specifications • Performance can suffer
Don’t implement security in the API Enforce security at the edge
Caching Layer
Caching Layer
Caching Layer
Caching happens EVERYWHERE
HTTP supports Expiration Model and Validation Model Caching
Expiration Model
- Expires
- Cache-Control: max-age
Validation Model
- Last-Modified
- Etag, If-Match
Be prepared to support caching for both client and server
Squid, Varnish, Nginx, MemCacheD, NSURLConnection etc.
Orchestration Layer
• Chaining multiple calls • Aggregating and enriching data • ‘mashup’ external data with internal data
Orchestration:
Gateway Pattern
Abstraction of multiple interfaces
In Software Engineering: Façade Pattern
Benefits:
- Deliver a consistent experience
- Centralize API functionality
http://martinfowler.com/eaaCatalog/gateway.html
API Gateway
Gateway
API
API
Restrict Access Improve Performance Focus on Usability
The gateway doesn’t solve all our problems
API portals
Portal
API Management
Portal
Gateway
API
API
We also apply this philosophy behind the firewall.
Architecture Summary
• Use a layered architecture
• Deploy a gateway for runtime
• Deploy a portal for developers
SOA Governance vs. API Management
Web APIs: New and Exciting!
http://www.flickr.com/photos/every1knows/4191971139
“Web APIs? I’ve been doing that for years.”
Image courtesy of http://www.flickr.com/photos/en321/3902138429/
Web APIs offer us a new perspective
http://www.flickr.com/photos/mugley/4407790613
The Modern Philosophy of the Web API:
• self service
• lower barriers and lower costs
• developer-centric
All hail the developer kings!
SOA Governance
Enforce access control Promote service usage Provide service discovery documents Provide service usage visibility
API Management
Enforce access control Promote API usage Provide API documentation Provide API usage visibility
SOA Governance
How do we make sure that these services are used properly?
API Management
How do we get people to use our API without falling over?
Controlled versus Organic
Representing organizations is useful Complexity sucks Focus on the user
What can we learn from SOA Governance?
Web APIs are acting on a planetary scale
Service
Service
Service
ESB
ISB
API
API
API
SOA Governance Summary
• Different but converging
• Developer based perspective
• Based on success
API Workshop
Ronnie Mitra
Principal API Architect - Europe
Layer 7 API Academy