"The API economy is an enabler for turning a business or organization into a platform."
- Kristin R. Moyer
As organizations continue to push strategies towards API-based business models to compete in this digital economy, API integration has become a key factor in the airline industry when selecting a business strategy. A reliable and robust API integration and management platform is essential to achieve an enterprise's business goals. WSO2 API Manager is one of the leading open-source API integration platforms available today.
WSO2 API Manager is a complete API management solution built around WSO2's open-source middleware platform. It provides capabilities such as full API lifecycle management, API documentation, enforcement of security policies on APIs, and analytics on API usage. Moreover, the product provides a number of unique capabilities that are not available in other API management platforms. This article aims to provide some insights into these unique features, which give customers the ability to customize the solution to fit their respective infrastructures.
1. Role-Based Access Control
OAuth scopes enable fine-grained access control for APIs based on user roles. An access token is issued with a certain set of scopes, and each scope grants permission to access the resources bound to it. A client will not be able to invoke a resource that is bound to a scope unless its token carries the required scope. Because scopes are assigned according to the user's roles, this provides role-based access control for APIs on top of OAuth.
For example, let's imagine there is a flight API exposed by an airline. A GET /flights resource exposes the scheduled flights. Since this is public information and a read-only operation, we can keep it open and allow access to anyone who has access to the API. However, the POST /flights resource, which is used to schedule flights, is a privileged operation and must be allowed only to the airline's operation admins. In this case, within the same API, we have two operations that require different permissions. If you secure the flight API with just an OAuth token, you cannot distinguish between clients that are merely subscribed and clients that are entitled to schedule flights, so you cannot control access per resource. When scopes are attached to the OAuth tokens, the API gateway is able to enforce this distinction.
Click here for an explanatory use case of role-based access control with the use of OAuth scopes in WSO2 API Manager.
Figure 1: Role-based access control for GET, PUT, and POST resources
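To make the scope check concrete, the following is an added illustration of how a gateway can map resources to required scopes and bind scopes to roles at token issuance. It is not WSO2's code; the resource table, role names, scope name `flight:schedule` and the `Token` class are constructed for the example, and the token is modelled as already-validated claims (signature and expiry checks happen before this step in a real gateway).

```python
"""Scope-based access control for a Flight API (constructed illustration).

A gateway maps each (method, path) resource to the OAuth scope it requires;
a resource with no scope is open to any valid token. Scopes are granted at
token issuance according to the caller's roles, so only operation admins
ever receive the scope that unlocks the privileged resources.
"""
from dataclasses import dataclass, field

# Constructed resource table: None means open to any valid token.
RESOURCE_SCOPES = {
    ("GET", "/flights"): None,                 # public, read-only
    ("POST", "/flights"): "flight:schedule",   # privileged: schedule a flight
    ("PUT", "/flights"): "flight:schedule",    # privileged: update a schedule
}

# Constructed role -> scopes binding, as an administrator would configure it.
ROLE_SCOPES = {
    "ops_admin": {"flight:schedule"},
    "subscriber": set(),
}


@dataclass
class Token:
    client_id: str
    roles: set
    scopes: set = field(default_factory=set)


def issue_token(client_id, roles):
    """Grant only the scopes that the caller's roles permit."""
    scopes = set()
    for role in roles:
        scopes |= ROLE_SCOPES.get(role, set())
    return Token(client_id=client_id, roles=set(roles), scopes=scopes)


def authorize(token, method, path):
    """Return (allowed, reason) for a request against the resource table.

    Unknown resources are denied (fail closed) rather than treated as open.
    """
    key = (method.upper(), path)
    if key not in RESOURCE_SCOPES:
        return False, "unknown resource"
    required = RESOURCE_SCOPES[key]
    if required is None:
        return True, "open resource"
    if required in token.scopes:
        return True, f"scope {required} present"
    return False, f"missing scope {required}"


if __name__ == "__main__":
    admin = issue_token("ops-console", ["ops_admin"])
    partner = issue_token("partner-app", ["subscriber"])
    for tok, method in ((admin, "POST"), (partner, "GET"), (partner, "POST")):
        print(tok.client_id, method, "/flights", "->", authorize(tok, method, "/flights"))
```

Note that the check is evaluated per resource, not per API: both tokens are valid for the Flight API, but only the token carrying `flight:schedule` reaches the scheduling operation.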
2. Deny Policies
Deny policies are applied to block resource invocations that originate from a certain party. Deny policies can be enforced to stop identified attacks or to temporarily ban malicious users who misuse the system. Users with administrative privileges have the ability to apply deny policies based on the following parameters:
- Block calls to specific APIs
- Block all calls from a given application
- Block requests coming from a specific IP address or IP range
- Block a specific user from accessing APIs
Let's assume that there is an application that has a subscription to the GET /flights API. The system admins of the Flight API receive information from the IT security team and suspect that this application is not a legitimate one. Until further investigation is done, the admins are asked to block the API calls from this application. Situations like this can be handled with the Deny Policy feature.
Click here for an explanatory use case of applying deny policies in WSO2 API Manager.
Figure 2: A suspicious user is temporarily blocked from accessing the API
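The following added example shows how the four deny dimensions listed above can be evaluated on every request before it is routed. It is an illustration written for this article, not the product's implementation; the `DenyPolicy` and `Request` types, the policy values and the addresses (documentation ranges) are constructed. Returning the matching policy rather than a bare boolean lets operators see which rule fired, which matters when a temporary ban has to be lifted later.

```python
"""Deny-policy evaluation (constructed illustration, not WSO2's code).

Each policy blocks on exactly one dimension: an API, an application, a user,
or an IP address / CIDR range. The first matching policy is returned so the
decision can be logged with its reason.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DenyPolicy:
    kind: str       # "api" | "application" | "user" | "ip"
    value: str      # e.g. "FlightAPI/1.0", "suspicious-app", "mallory", "203.0.113.0/24"
    reason: str = ""


@dataclass(frozen=True)
class Request:
    api: str
    application: str
    user: str
    client_ip: str


def _ip_matches(rule_value, client_ip):
    """Accept a single address or a CIDR range; malformed input matches nothing."""
    try:
        addr = ipaddress.ip_address(client_ip)
        net = ipaddress.ip_network(rule_value, strict=False)
    except ValueError:
        return False
    return addr in net   # False when address families differ (v4 vs v6)


def evaluate(policies, request) -> Optional[DenyPolicy]:
    """Return the first policy that blocks the request, or None if it may proceed."""
    for p in policies:
        if p.kind == "api" and request.api == p.value:
            return p
        if p.kind == "application" and request.application == p.value:
            return p
        if p.kind == "user" and request.user == p.value:
            return p
        if p.kind == "ip" and _ip_matches(p.value, request.client_ip):
            return p
    return None


# Constructed sample policies for the airline scenario above.
POLICIES = [
    DenyPolicy("application", "suspicious-app", "pending security review"),
    DenyPolicy("ip", "203.0.113.0/24", "scanner traffic from this range"),
    DenyPolicy("user", "mallory", "abuse report"),
]


def check_sample():
    """Evaluate one request from the suspect application and one from a partner app."""
    blocked = evaluate(POLICIES, Request("FlightAPI/1.0", "suspicious-app", "alice", "198.51.100.7"))
    allowed = evaluate(POLICIES, Request("FlightAPI/1.0", "partner-app", "alice", "198.51.100.7"))
    return blocked, allowed


if __name__ == "__main__":
    for decision in check_sample():
        print("blocked by", decision if decision else "nothing")
```

The IP rule uses `ipaddress.ip_network(..., strict=False)` so an operator can enter either a host address or a range; a rule that fails to parse is skipped rather than silently blocking everyone.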
3. Workflows
Workflows enable users to add more constraints or monitoring to a task. For instance, a user creation workflow provides the capability for users to self-sign up for a developer portal; the signed-up user will not be able to log in to the portal unless a user with administrative privileges approves the new user. This provides fine-grained control and monitoring over the user creation task. APIM enables the option to add workflows to tasks such as user creation, application creation, subscription creation, subscription update, application registration, and API state change.
An example would be where an airline decides to open user registration to the outside while monitoring the user creation process. A user with administrative privileges can then approve the registration after a validation process. A manual validation can range from a simple check, such as verifying the email address, to a more involved process, such as waiting for a registration payment, running a background check, contacting the user on the telephone number provided, or validating the user's address in the way a bank would.
Click here for an explanatory use case with a step-by-step guide of a user sign up workflow in WSO2 API Manager.
Figure 3: A user registration workflow involving the administrative user
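As an added illustration of the approval gate described above (not the product's workflow engine), the following models the sign-up workflow as a small state machine: a self-registered account exists immediately but cannot log in until an administrator approves it, and every transition is recorded so the approval trail can be audited. The class and state names, the administrator list and the user names are constructed.

```python
"""User sign-up workflow with administrative approval (constructed illustration).

States: PENDING (self-registered, cannot log in) -> APPROVED or REJECTED.
Only a configured administrator may move an account out of PENDING.
"""
from dataclasses import dataclass, field

PENDING, APPROVED, REJECTED = "PENDING", "APPROVED", "REJECTED"


@dataclass
class Account:
    username: str
    email: str
    state: str = PENDING
    history: list = field(default_factory=list)   # (event, actor) audit trail


class SignupWorkflow:
    def __init__(self, admins):
        self.admins = set(admins)
        self.accounts = {}

    def self_signup(self, username, email):
        """Developer-portal self sign-up: creates the account in PENDING."""
        if username in self.accounts:
            raise ValueError("username already registered")
        acct = Account(username, email)
        acct.history.append(("signup", username))
        self.accounts[username] = acct
        return acct

    def _decide(self, admin, username, new_state):
        if admin not in self.admins:
            raise PermissionError(f"{admin} is not an administrator")
        acct = self.accounts[username]
        if acct.state != PENDING:
            raise ValueError(f"{username} is already {acct.state}")
        acct.state = new_state
        acct.history.append((new_state.lower(), admin))
        return acct

    def approve(self, admin, username):
        return self._decide(admin, username, APPROVED)

    def reject(self, admin, username):
        return self._decide(admin, username, REJECTED)

    def can_login(self, username):
        """Portal login gate: only APPROVED accounts pass; returns (ok, reason)."""
        acct = self.accounts.get(username)
        if acct is None:
            return False, "unknown user"
        if acct.state != APPROVED:
            return False, f"account {acct.state.lower()}"
        return True, "approved"


if __name__ == "__main__":
    wf = SignupWorkflow(admins=["portal-admin"])
    wf.self_signup("carol", "carol@example.com")
    print(wf.can_login("carol"))            # (False, 'account pending')
    wf.approve("portal-admin", "carol")
    print(wf.can_login("carol"))            # (True, 'approved')
    print(wf.accounts["carol"].history)
```

The important property is that the login check depends only on the account's state, so no amount of retrying by the applicant bypasses the administrator's decision, and the history records who made it.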
4. Multi-Tenancy
A tenant is a logical partition of a single server or cluster environment that allows maximum resource sharing between users. Each tenant's users are given the experience of using their own server rather than a shared environment. Multi-tenancy enables organizations to collaborate on and monetize their APIs across multiple entities such as departments, partners, or simply separate development groups. Moreover, it makes efficient use of shared resources such as memory and hardware while keeping each tenant's data isolated from the others.
Let’s assume that there is an airport that provides flight services to airlines and two airlines (named Qantas and Delta airlines in the diagram) request dedicated environments with uncoupled user management, data management, request throttling, and security policies for their respective API management tasks. Multi-tenancy unlocks the capability to accommodate this business scenario.
Click here for an explanatory use case of multi-tenancy in WSO2 API Manager.
Figure 4: An example of a multi-tenant environment
5. Different API Protocol Support
With the complexity of the requirements growing exponentially, basic REST and SOAP API support is not sufficient. WSO2 API Manager provides GraphQL and WebSocket API support that gives users the freedom to manage a variety of API protocols.
Elaborating further on the airline example, assume an airline decides to develop a mobile application for booking flights using GraphQL, a query language for APIs that gives developers the freedom to query for exactly the data they require. Meanwhile, another airline decides to implement a chat application for communication between flights and ground staff using WebSocket APIs. The airport that facilitates the APIs of both airlines requires a single platform to manage APIs of both protocols. It is possible to accommodate this requirement with WSO2 API Manager.
Click here for a use case and guide for GraphQL APIs and WebSockets APIs in WSO2 API Manager.
Figure 5: How an API management layer exposes a variety of protocols
6. API Monetization
API monetization is the process of generating revenue from a published API based on its usage. This process enables organizations to expose their data and services to beneficiaries and gain revenue from the use of their service. WSO2 API Manager provides the capability to monetize APIs through an extensible interface that can be used to integrate with an external third-party billing engine.
The airport has identified a business opportunity: it has an API that exposes flight details for a given date, together with passenger numbers and flight times. Since a number of services nearby depend on the airport, such as stores and cab services, the airport decides to expose the API to external parties, and those who require flight details can subscribe to it. Subscribers are charged based on the number of successful requests to the API. The airport therefore has the opportunity to earn revenue, while the beneficiaries of the flight details have the opportunity to optimize their services and maximize throughput based on the number of passengers at each time of day.
Click here for an explanatory use case of API monetization using WSO2 API Manager.
Figure 6: Generating revenue by monetizing services
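Since the scenario above bills subscribers per successful request, the following added example shows the metering step that a billing integration needs: it aggregates gateway access records per subscription, counts only 2xx responses as billable, and prices them per plan in integer cents. This is an illustration for this article, not WSO2's billing interface; the plan names, prices, subscription IDs and log records are constructed.

```python
"""Usage metering for pay-per-request monetization (constructed illustration).

Only successful responses (2xx) are billable, so gateway-side rejections
(throttled, unauthorized) and backend failures never appear on an invoice.
Money is kept in integer cents to avoid floating-point rounding.
"""
from collections import defaultdict

# Constructed plan table: price per successful request, in cents.
PLANS = {"basic": 2, "premium": 1}

# Constructed gateway access-log records: (subscription_id, plan, http_status).
SAMPLE_RECORDS = [
    ("sub-cabco", "basic", 200),
    ("sub-cabco", "basic", 200),
    ("sub-cabco", "basic", 429),    # throttled: not billable
    ("sub-store", "premium", 200),
    ("sub-store", "premium", 500),  # backend failure: not billable
    ("sub-store", "premium", 201),
    ("sub-store", "premium", 401),  # rejected at the gateway: not billable
]


def meter(records):
    """Aggregate billable request counts per subscription -> {sub: (plan, count)}."""
    counts = defaultdict(int)
    plans = {}
    for sub, plan, status in records:
        plans[sub] = plan
        if 200 <= status < 300:
            counts[sub] += 1
    return {sub: (plans[sub], counts[sub]) for sub in plans}


def invoice(usage):
    """Return charges in cents keyed by subscription; unknown plans fail loudly."""
    charges = {}
    for sub, (plan, n) in usage.items():
        if plan not in PLANS:
            raise KeyError(f"no price configured for plan {plan!r}")
        charges[sub] = n * PLANS[plan]
    return charges


if __name__ == "__main__":
    usage = meter(SAMPLE_RECORDS)
    for sub, cents in invoice(usage).items():
        plan, n = usage[sub]
        print(f"{sub}: {n} billable requests on {plan} -> {cents} cents")
```

Keeping the metering rule (what counts as billable) separate from the pricing rule makes it straightforward to reconcile an invoice against the raw access log when a subscriber disputes a charge.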
7. Throttling
Throttling is the process of limiting the number of requests to a specific API within a given time window. WSO2 API Manager provides the capability to throttle requests at different levels, such as subscription-level throttling, application-level throttling, and advanced throttling, where conditional throttling policies can be applied based on IP conditions, query parameter conditions, header conditions, or JWT token claim conditions.
Let's assume that the airline company needs to limit the requests to an API to 1000 per minute and, in addition, limit the requests from a certain IP range to 100 per minute, because it has observed a suspicious volume of requests from that range. This scenario can be implemented with an advanced throttling policy: you define a default rate limiting policy based on request count or bandwidth, then add a conditional throttling group for the IP range, so that requests from that range are throttled according to the tighter, fine-grained limit while all other requests are governed by the default.
Click here for a description of throttling/rate limiting in WSO2 API Manager.
Refer to the documentation to explore more about the throttling use-cases and capabilities of WSO2 API Manager.
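To show how a default limit and a conditional IP-range group interact, the following added example implements the scenario above as a fixed-window counter: every request is counted against each rule that applies to it, and the request is rejected as soon as any applicable rule is exhausted. This is an illustration written for this article, not WSO2's throttling engine; the limits, window length and IP ranges (documentation addresses) are constructed, and the clock is injected so the behaviour is deterministic.

```python
"""Advanced throttling with a conditional IP-range group (constructed illustration).

The default policy caps an API at N requests per window; a conditional group
applies a tighter cap to callers inside a CIDR range. The stricter applicable
limit wins. Counters are fixed windows keyed by (rule, window_start).
"""
import ipaddress
from collections import defaultdict


class ThrottlePolicy:
    def __init__(self, default_limit, window_seconds, conditions=None):
        self.default_limit = default_limit
        self.window = window_seconds
        # conditions: list of (CIDR, limit); parsed once at policy creation
        self.conditions = [
            (ipaddress.ip_network(cidr, strict=False), limit)
            for cidr, limit in (conditions or [])
        ]
        self.counters = defaultdict(int)

    def _window_start(self, now):
        return int(now // self.window) * self.window

    def _applicable(self, client_ip):
        """Yield (counter_key, limit) for every rule governing this caller."""
        yield ("default", self.default_limit)
        addr = ipaddress.ip_address(client_ip)
        for net, limit in self.conditions:
            if addr in net:
                yield (f"ip:{net}", limit)

    def allow(self, client_ip, now):
        """Return (allowed, rule): deny before counting if any rule is exhausted."""
        ws = self._window_start(now)
        rules = list(self._applicable(client_ip))
        for key, limit in rules:
            if self.counters[(key, ws)] >= limit:
                return False, key
        for key, _ in rules:
            self.counters[(key, ws)] += 1
        return True, "ok"


def simulate():
    """Constructed scenario: 1000/min by default, 100/min for 203.0.113.0/24."""
    policy = ThrottlePolicy(default_limit=1000, window_seconds=60,
                            conditions=[("203.0.113.0/24", 100)])
    results = {}
    # 100 requests from the suspicious range fit; the 101st hits the IP rule.
    for _ in range(100):
        policy.allow("203.0.113.9", now=10)
    results["ip_rule"] = policy.allow("203.0.113.9", now=10)
    # A caller outside the range still has most of the default budget.
    results["other"] = policy.allow("198.51.100.7", now=10)
    # The next window starts with fresh counters for both rules.
    results["next_window"] = policy.allow("203.0.113.9", now=70)
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name}: {outcome}")
```

Denied requests are not counted, so a caller that is already over its limit cannot consume the shared default budget on behalf of everyone else; a production engine would additionally return the retry-after time for the current window.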
Apart from the features covered in this article, WSO2 API Manager provides an all-round API management experience. Since the product is a 100% open-source API management solution and is licensed under the Apache Software License Version 2.0, it is free to use. You can get a head start with the quick start guide or dive straight into our learning material to discover the full potential of the product from the documentation.
Try it out today!
To explore all these powerful features, download the latest version of WSO2 API Manager and follow the official product documentation to get started. Moreover, you can find more resources on YouTube and Medium. If you want help from the community, head over to the Slack channel.