29 Oct, 2019

What’s New in WSO2 API Manager Version 3.0?

  • Nuwan Dias
  • VP and Deputy CTO - WSO2

An Introduction to WSO2 API Manager

WSO2 API Manager is a fully open-source, full lifecycle API management product that can be deployed on-prem, is available on SaaS, deployed on a private cloud, or deployed in a hybrid model. It comprises the following components.

  • API Designer and Publisher — These enable API creators to design, implement, and document APIs and allow API product managers to manage API lifecycles and create API products by using one or more APIs.
  • Developer Portal — A portal for onboarding application creators. It allows application creators to discover, subscribe, test, and consume APIs through their applications.
  • API Gateway — This provides access to APIs/services by routing application traffic to the relevant endpoints. The API Gateway enforces security, rate-limiting, and transformations on API requests while feeding valuable information from these requests to API Analytics.
  • Microgateway — A cloud-native, lightweight version of the API Gateway that is purpose-designed to operate efficiently in microservices environments. The microgateway is well suited for heavily distributed and dynamic environments, where capacity demands on the system vary from time to time.
  • Key Manager — This is API Manager’s security token service; it handles everything related to authenticating and authorizing API requests. The Key Manager supports a wide variety of security protocols, such as OAuth2.0/OIDC, Basic Auth, API Key, and SAML-based single-sign-on.
  • Traffic Manager — This controls the API gateway’s traffic flow. It is used to apply request quotas on APIs for monetization, access control, or security-related matters. In addition to configuring the available policies, users can deploy their own policies on the traffic manager, which will control the rate of traffic on the API gateways.
  • API Analytics — This monitors all traffic routed through the API gateways to analyze usage patterns, SLA violations, and consumer behaviors to provide business insights and so on.

What’s New in Version 3.0?

The latest version comes with a list of new major capabilities that significantly enhance and improve the user experience and workflows. Let’s take a look at some of the new capabilities.

Enhanced User Experience

Re-skinned Portals

API Manager’s API publishing portal and developer portal have been given a fresh look and feel while significantly improving the user experience. The new portals have been built in ReactJS, which is a popular JavaScript library for building user interfaces. The portals follow a Single Page Application (SPA) architecture. They are built as OAuth2.0 client applications, which authenticate to API Manager’s backend via Open ID Connect. The new UI brings much better organization to the data presented in the portals, and it also makes the workflows of API creators, product managers, and application developers simpler and more efficient. Users interested in customizing the portals for personalized styling can now do it much more easily than before, with the enhanced styling capabilities backed up by the material-ui design and the large community of developers using ReactJS. The following two images provide a glimpse of the new portals.

Figure 1: API Publisher Portal, an overview of an API

Figure 2: Developer Portal - an overview of an API

New Configuration Model

This will appeal to on-premises users of API Manager. With version 3.0, we introduce a new configuration model based on the toml format. More importantly, this is the only configuration file required to configure and tune the various features in API Manager. In older versions of the product, users had to modify different configuration files depending on the components related to the specific feature they were configuring. With this release, all the configuration files have been merged into one. Here is a glimpse of what the default configuration file looks like.

hostname = "localhost"
node_ip = ""
mode = "single" #single or ha
base_path = "${carbon.protocol}://${carbon.host}:${carbon.management.port}"
#discard_empty_caches = false
server_role = "default"

Productization of APIs and Monetization

Version 3.0 of API Manager introduces the capability to create products that can combine resources (operations) of one or more APIs into what we call ‘API Products’. It also includes significant enhancements to the monetization capabilities of its APIs by making it possible to integrate the API management system with any billing and payment system such as Stripe.

API Products

API Products are made by combining the resources of one or more related APIs. These allow API product managers to creatively use the functionality of APIs to create new business products with different business plans for different audiences. A product manager may choose to offer the read-only operations of an API for free through a given product. And, at the same time, offer a monetized product that also includes the same API’s write operations. This gives product managers the flexibility to reuse the same API, in its same technical capacity, and offer it over different plans for different interest groups. The same capability can be used to combine resources of multiple APIs and offer as these as individual API products. The following image shows how resources of multiple APIs can be grouped into creating an API product.

Figure 3: Grouping API resources to create an API product

API Monetization

WSO2 API Manager 3.0 provides monetization out-of-the-box by integrating with Stripe. Organizations can also plug-in their own billing and invoicing system to invoice APIs for usage or over other forms, such as one-time-payments for API subscriptions and so on. API product managers can view pending invoices of their subscribers and subscribers can also view their pending payments. The following is an example invoice.

Figure 4: An API invoice

Enhanced DevOps and Developer Flows

Introducing the Kubernetes Operator for APIs

APIs no longer feel alien in the Kubernetes ecosystem. Just as services, APIs have become a first-class citizen in Kubernetes with the introduction of the new API type. Developers/Dev-Ops deploying microservices on Kubernetes can now easily deploy APIs for individual microservices or compose multiple microservices into individual APIs using the API operator for Kubernetes. This makes it simple for developers to create well-documented, easily consumable, managed APIs for microservices on Kubernetes. The following command enables creating an API in Kubernetes.

kubectl add api -n Stocks --from-file="/path/to/stocks/swagger.yaml"

The above command would create an API named ‘Stocks’ in Kubernetes. This would act as the gateway to the relevant microservice or collection of microservices. It gives you OAuth2.0-based security, request quotas, tracing, logging, analytics, and transformations (if configured) on your microservice through the deployed API. The parameters are configurable (e.g., switching to Basic Auth instead of OAuth2.0). The next command, as shown below, will then push the Stocks API to the control plane (API Manager).

apictl import-api -f Stocks -e k8s

This deploys the Stocks API on a fully-fledged developer portal, allowing applications to be registered and subscribe to use the API over defined business plans.

CI/CD Tooling for Automated Deployments of APIs

The API controller (apictl), also mentioned in the previous section, has been enhanced to support the creation and first-time deployments of APIs. It was earlier capable of automatically promoting APIs from one environment to another. With the new version of the tool, it can now initiate API projects, configure APIs through its parameters, and deploy APIs to any environment it wishes. Initializing an API project using an OpenAPI (Swagger) file can be performed through the following command.

apictl init PetstoreAPI --oas https://petstore.swagger.io/v2/swagger.json

Deploying an API to a given environment (production) can be done as below.

apictl import-api -f PetstoreAPI -e production

The API controller can be integrated with build automation tools, such as Jenkins, Travis CI, and Concourse. With the integration of the tool, API projects can be maintained in source repositories (Github) and can be automatically deployed using CI/CD pipelines.

Exposing GraphQL Services as APIs

API Manager 3.0 allows GraphQL schemas to be uploaded directly via the API publisher portal to be able to expose these services as managed APIs. This allows developers to apply API management rules, such as authentication, authorization, rate limits, and policies by individual GraphQL operation. For example, think of a scenario where you want to restrict the creation of objects in your data store to a particular role (manager) but you want everyone to be able to query those objects. GraphQL uses mutations for creating objects and queries for requesting data. The API gateway now allows developers to control the permissions of each operation by user role (or otherwise). The gateway is, therefore, capable of restricting the GraphQL mutations to the ‘manager’ role only while allowing any valid user to perform queries. The following image gives you an indication of how permissions (scopes) and rate limits can be applied on individual GraphQL operations.

Figure 5: Setting permissions and rate limits to individual GraphQL operations

Additions to API Security Capabilities

The popularity and massive adoption of APIs are making them a rich hunting ground for attackers. As such, API security should be continuously improving and it requires intense attention. Following major artificial intelligence-based API security capabilities introduced into WSO2 API Manager earlier during 2019, this new release adds more security-related features that make APIs more secure and provides more options for application developers.

Bot Detection

From version 3.0 onwards, API Manager’s API gateway can detect bots scanning its port for context paths. This is a useful feature to identify attackers looking for potentially vulnerable APIs to hack into. The bot detection capability available in the API gateway will silently notify relevant authorities when a bot attempts to scan its port for potentially weak APIs. Upon detection, it can even automatically prevent the originating IP address from accessing any more APIs until further notice. This keeps your systems safe and away from intruders intending to harm the system in any way.

Support for API Key and Basic Auth

When it comes to internal APIs and applications accessing APIs within restricted boundaries, the security protocols applied on APIs need not be as stringent as APIs being accessed publicly or extended boundaries. API Manager 3.0 adds out-of-the-box support for basic authentication for API requests and revocable API Keys. While these protocols were earlier supported through policies, they have now been absorbed as first-class capabilities. API Manager’s API security portfolio now consists of full stack OAuth2.0 support, Mutual TLS, Basic Authentication, API Key, and other protocols available as policies.

JSON Schema Validation

API security can be categorized into three different types. The first is authentication and authorization, supported through protocols such as OAuth2.0 and Basic Auth. The second is malicious content. And the third is abnormal activity patterns and behaviors, which are identified and prevented through artificial intelligence, machine learning, and algorithms. To detect malicious content, API Manager has been supporting capabilities such as XML schema validations, identifying malicious XML content (XML bombs), identifying SQL injections, and identifying malicious JSON content over attributes such as max array size and max element size. API Manager 3.0 includes enhancements to detect malicious content by adding a capability that checks whether messages being sent by applications comply with defined JSON schemas. API developers can now specify the JSON schemas to which the API requests and responses should comply to. Any message being sent by applications or backend services that do not comply with the specified JSON schema will be blocked. This makes your APIs much more secure.

Give It a Spin!

WSO2 API Manager 3.0, which comes with an Apache2 license, is free to download and use. Visit our website to download the latest version and give it a try. The page lists contact information and details on how to join our Slack channel. Follow us on Twitter to stay up-to-date on the latest news relating to APIs and other cool tech stuff.


About Author

  • Nuwan Dias
  • VP and Deputy CTO
  • WSO2

Nuwan is a part of the architecture team that drives the development efforts of WSO2’s API management platform. Previously, he spearheaded architectural, research, and development aspects of WSO2 API Manager. He has also been involved in many customer engagements where he has assisted in developing their solutions architecture.