Friday, May 22, 2015

OpenID Connect (OIDC) on the Axway API Gateway

One of the great features of the latest release of the Axway API Gateway, and of our API Management solution in general, is full support for OpenID Connect (OIDC). OpenID Connect is a new specification which builds on top of OAuth 2.0, and it enables important "Social Login" use cases, among others. The OpenID Connect process follows the OAuth 2.0 three-legged authorization code flow, but with the additional concepts of an ID token and a UserInfo endpoint.

You can see in Policy Studio, there is the ability now to create an OpenID Connect Token, and associate it with claims:

We include prebuilt support for Google's OIDC implementation, in an example flow documented below. You can see, at the bottom of the flow, that the "user_info" endpoint is called to get info about the user (e.g. attributes). The "user_info" endpoint is one of the new features which OIDC adds on top of OAuth 2.0 itself:

Here's an example of the output from this user_info endpoint:
{
  "kind": "APIManagementOpenIdConnect",
  "gender": "female",
  "sub": "sampleuser",
  "name": "Sample User",
  "given_name": "Sample",
  "family_name": "${User}",
  "picture": "https://URL.TO.IMAGE/",
  "email": "sampleuser@axway",
  "email_verified": "true",
  "locale": "en"
}
This is all implemented in prebuilt samples, so you can see it in action in the API Gateway. See below "Use OpenID Connect" to sign in with Google (where Google is the IdP - Identity Provider) or sign in with the Axway API Gateway.
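The relying-party side of the flow described above (the authorization code is redeemed for tokens, the ID token is validated, then the user_info endpoint is called), as an added Python example that is not from this post or the Axway gateway. It assumes a constructed HS256-signed ID token in place of the IdP's real signing key, a made-up issuer and client id, and reuses the page's user_info sample output; the sub check between ID token and UserInfo is what stops a UserInfo response for a different user being merged into the login.

```python
import base64, hashlib, hmac, json
# Constructed sample values; not from the page, Google, or Axway's gateway.
ISSUER, CLIENT_ID = "https://idp.example", "sample-client"
SHARED_SECRET = b"client-secret-for-demo-only"  # HS256 stands in for the IdP's signing key

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_id_token(claims: dict) -> str:
    """Mint a signed ID token, as the IdP's token endpoint would alongside the access token."""
    header = b64url(json.dumps({"alg": "HS256"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def validate_id_token(token: str, expected_nonce: str, now: int) -> dict:
    """Checks a relying party must pass before trusting an ID token: alg, signature, iss, aud, exp, nonce."""
    header, payload, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # rejects alg=none and algorithm confusion
    expected = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != ISSUER: raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID: raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now: raise ValueError("expired")
    if claims.get("nonce") != expected_nonce: raise ValueError("nonce mismatch (replay?)")
    return claims

def merge_userinfo(id_claims: dict, userinfo: dict) -> dict:
    """UserInfo is only trusted when its sub matches the ID token's sub (OIDC Core 5.3.2)."""
    if userinfo.get("sub") != id_claims["sub"]:
        raise ValueError("UserInfo sub does not match ID token sub")
    profile = dict(userinfo)
    # The page's sample returns email_verified as the string "true"; normalise to a bool.
    profile["email_verified"] = str(userinfo.get("email_verified", "false")).lower() == "true"
    return profile

# Sample UserInfo response copied from the page's example output.
USERINFO = {"kind": "APIManagementOpenIdConnect", "gender": "female", "sub": "sampleuser",
            "name": "Sample User", "given_name": "Sample", "family_name": "${User}", "picture":
            "https://URL.TO.IMAGE/", "email": "sampleuser@axway", "email_verified": "true", "locale": "en"}

def login_flow(nonce: str = "n-0S6_WzA2Mj", now: int = 1432300000) -> dict:
    # After the code is redeemed: validate the ID token, then attach the UserInfo claims.
    token = make_id_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "sampleuser",
                           "iat": now, "exp": now + 300, "nonce": nonce})
    return merge_userinfo(validate_id_token(token, nonce, now), USERINFO)
```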

The fact that the Axway solution allows our customers to act as their own IdP is important, since it enables many so-called "Identity as a Service" (IDaaS) use cases. It means you yourself can implement a "Sign in with My Company" of your own.

You can get your copy of the API Gateway, part of our API Management solution as a whole, over at

Thursday, May 14, 2015

API Workshop tomorrow May 15 at Nordic APIs Seattle

First, that's not a typo. Nordic APIs is indeed in Seattle this year. Perhaps next year we'll see "Pacific Northwest APIs" in Stockholm :-).

The Seattle line-up for Nordic APIs looks great, with Microsoft, APIMetrics, and Splunk speaking [I'm giving a talk about the "API First" approach]. The event kicks off at 11.30am. But, you can warm up for the event at the API Workshop taking place that morning at the same venue (Seattle's South Lake Union Discovery Center). At the API workshop, we get down and dirty with APIs, including:

* Building a mobile app consuming APIs, with REST and API Keys
       - What are the security considerations?
* Understanding REST API Security with OAuth and OpenID Connect
       - How to secure REST APIs: Where do OAuth 2.0 and API Keys fit in?
* How to enable Single Sign-On with Cloud Identity Providers (IdPs) like Google?
       - Mapping Cloud identity to enterprise identity
* Beyond REST: HTML5 WebSockets for API access
       - Full duplex streaming of data, for next-generation Web APIs
* SalesForce API Access: Session management, caching, orchestration
* Cloud-to-Ground interoperability in a hybrid world
       - How to safely connect Cloud services like Office 365 or Google Apps to your organization
* How to on-board and enable a partner developer community
       - API Developer Portal tips and tricks

It's free to register for the API Workshop, and we do provide coffee and giveaways. Come along to get in the API mood for NordicAPIs!

Friday, May 8, 2015

A tale of two electric car smartwatch API strategies

Nikki Gordon-Bloomfield has written a piece in Transport Evolved this week about some third-party smartwatch apps developed using Tesla's unofficial API. These follow on from the original unofficial Tesla Apple Watch app developed by Elek. While it's definitely possible to see merit in "letting a thousand flowers bloom" of unofficial apps, it is understandably worrying for security people to think about car apps calling an unofficial reverse-engineered API.

Another approach is what BMW has done for smartwatch (and smartphone) apps for their BMWi electric cars. These apps make use of the ConnectedDrive API. In this Axway video about the BMWi apps, with our implementation partner IC-Consult, you can learn about how this API makes use of OAuth and other security technologies, through an Axway API Gateway. This ensures security of the API itself, as well as enabling end-users to choose which aspects of the car they want the app to control (mapped via OAuth scopes, as explained in the video).

Here is a still from the video which shows the various apps, including a smartwatch app:

The API Gateway layer applies security, between the apps and the ConnectedDrive infrastructure:

And here's a double-click down on the architecture, showing the smartwatch and smartphone iRemote apps (on the left), with the API Gateway implementing OAuth (in the center), in front of the ConnectedDrive infrastructure (on the right). Click on the image to see the full video, including the OAuth flow (this piece is approx minute 17 onwards):

The era of smartwatch apps connecting to cars is upon us. API security has a key role to play. 

Friday, May 1, 2015

May is global API-palooza at Axway - 11 great API-related events in one month

With all of the API-related conferences today, I'm surprised there is not one called API-palooza. Maybe we're all waiting for Perry Farrell to organize it. But, here at Axway, our May schedule is like an API-palooza all of its own: a worldwide tour of API evangelism. Come along to any of the events and you can pick up one of our sought-after "API First" t-shirts, and hear all about API strategy best practices.

Here's the May calendar in full:

May 5: Innovation Forum Philadelphia - with Accenture and Bristol Myers Squibb

First up, next Tuesday, is the Innovation Forum in Philadelphia: a free event organized by Axway where you can hear experts from Accenture and Bristol Myers Squibb share API best practice. I will be speaking about Digital Transformation in the morning. Kevin Kohut from Accenture will be speaking about "API First", while Janette Bubinak and Ron Zhang from Bristol-Myers Squibb will be speaking about self-service API access. We are also running an API Workshop in the afternoon of the event, where we will walk you through the soup-to-nuts process of creating a mobile app based on open APIs - think of it like a mini-hackathon. Sign up for free for the Innovation Forum in Philadelphia here; there is still time.


May 6-7: API Days Mediterranea - Barcelona 

Fresh from sponsoring API Days Berlin last month, and API Days Sydney back in January, Axway is once again a sponsor of API Days - this time it's API Days Mediterranea in Barcelona.

I recommend catching Axway's Ross Garrett speaking on the Hypermedia track at 10.30am on May 6. Hypermedia talk titles can never be accused of not being obtuse, and Ross's talk title doesn't disappoint: "A Babel fish from the swamp of POX". Here's Ross's talk abstract:
One of the foundational aspects of the Web is the concept that, even if the client (browser) and the server have "never met", they should be able to understand each other. They should be able to interact successfully. This was one of the key problems Tim Berners-Lee and Robert Cailliau wanted to solve when they proposed hypertext to "link and access information of various kinds as a web of nodes in which the user can browse at will". Today's programmable Web has perhaps started to move away from this universal and browsable foundation, and in this session we'll think about the language of Web APIs and how developers and clients must learn to understand them.

May 11: Nordic APIs Spring Tour - Denmark

This year Nordic APIs is going global. In fact the only spring Nordic APIs event which is actually in the Nordics is the first one: Nordic APIs Denmark, taking place in Copenhagen on May 11.

Axway's Philipp Schöne is speaking at 1pm on "Delivering API First: Is your API a first class citizen?".

Here is the abstract for Philipp's talk:
What does it mean to be "API First"? In this session, we answer that question using case studies where organizations have treated their API as a first-class citizen of their enterprise architecture. By treating their API as a first-class citizen, they avoid the temptation of simply creating ad-hoc APIs as "plumbing" for mobile apps. By taking the API First approach, these organizations also design their API security up-front, including the usage of OAuth, API Firewalling, and securely managed API Keys. We also examine the alternatives to API First, such as "Mobile first" development. Using an API First approach, we'll see how enterprises with legacy applications, complex SOA environments and strict governance structures can embrace the API wave and architect for the future.

May 12: Nordic APIs Spring Tour - Germany

In Munich on May 12, there is another chance to hear Philipp Schöne speak on "Delivering API First: Is your API a first class citizen?", at 1pm. This looks like a fantastic event, with Stefan Weiss from Fidor TecS speaking later that afternoon on "Disrupting Banking with an API" - a very hot topic for many Axway API Management customers in the financial services area.

May 12: Innovation Forum Chicago - with Accenture and Dun & Bradstreet

While Philipp is speaking at Nordic APIs Germany, I'm in Chicago speaking at the Innovation Forum Chicago event organized by Axway.

I'll be speaking on digital transformation, and we also have Accenture and Dun & Bradstreet speaking about APIs. Kevin Kohut from Accenture will be speaking on "API First" (can you see an "API First" theme here? :-) ). Dun and Bradstreet will be speaking about their very successful "D&B Direct" API, in a talk entitled "Liberating & Modernizing Data Delivery with API's: The D&B Direct Story".

Registration for Innovation Forum Chicago is free, and it is a great opportunity to meet and mingle with some leading API practitioners.

May 13: Nordic APIs Spring Tour - London

The Nordic APIs tour rolls into London on May 13, and once again Philipp Schöne from Axway is speaking, this time at 12.40pm, on "Delivering API First: Is your API a first class citizen?". Catch Philipp, as well as the Axway UK team, there.

May 15: API Workshop, Seattle (co-located with Nordic APIs Seattle)

On the morning of May 15, just before Nordic APIs Seattle kicks off, I'm leading an API Workshop where we cover API security, mobile API usage, WebSockets, and other API-related topics in a hands-on environment. It's at the same location as Nordic APIs Seattle, the South Lake Union Discovery Center, from 8.30am to 11am. Coffee will be provided :-). Sign up is free for this API Workshop (and, indeed, Nordic APIs Seattle is also free - so there is no excuse to not go to both events!)

May 15: Nordic APIs Spring Tour - Seattle

Nordic APIs comes stateside for the first time, sponsored by Axway and Microsoft. I'm speaking at 12.40pm on the topic of (you guessed it!) API First. I'm particularly looking forward to this event, which includes, as well as Microsoft and Axway, APIMetrics, Splunk, and Pearson Media in the lineup. Arrive at 8.30am and you can catch the free API Workshop before the event kicks off at 11am.

May 18-19: Gartner AADI, London - with Three

Axway is again a Platinum Sponsor for Gartner AADI. I'm speaking at the event alongside Oliver Cronk, Enterprise Architect at Three (a large UK mobile telco). Our talk is entitled "How APIs are driving Digital Transformation at Three". We're looking forward to a great session, discussing the "Service Control Gateway" pattern, and how APIs drive new services.

Axway will also have a booth at Gartner AADI London, so come along and say Hi if you're at the event.

May 19: Innovation Forum San Francisco - with Accenture, Dun & Bradstreet, and Roche

The Innovation Forum tour rolls into San Francisco on May 19, and we have some great speakers lined up from Accenture, Dun & Bradstreet, and Roche. Roche are presenting on "Mobile and Cloud Integration to Serve a Global Community". Accenture are presenting on API First strategy, and Dun and Bradstreet are speaking about Data-as-a-Service (DaaS) to liberate data via APIs. This is a great opportunity to meet with some top API practitioners in what is probably the home of APIs - San Francisco. As with all the Innovation Forums, registration is free.


May 20: API Workshop - Sweden

Finally, rounding out the month (and giving time for a week of rest before June!), there is the Axway API Workshop event in Stockholm, Sweden. Like the API Workshop the previous week in Seattle, this is an opportunity to get hands-on with APIs: walking through scenarios such as connecting to the SalesForce API, and learning about API Keys, OAuth, and APIs in general.


And that wraps up the API-palooza that is May! Come along to any of the events, and grab your API First shirt :-)

Monday, April 20, 2015

Catch Philipp Schöne at API Days / APIStrat Berlin this Friday

Unfortunately I won't be at API Days / APIStrat Berlin 2015 later this week. But if you're there, check out my colleague Philipp Schöne's talk on the "APIs, Data & Intelligence" track. Details are:

LOCATION: Room: Caroline & Wilhelm v. Humboldt
DATE: April 24, 2015
TIME: 10:50 am - 12:30 pm

I know Philipp has a great presentation lined up, and the format of the event ensures a lot of great discussion. Sad to miss it (and to miss the opportunity for some great German beer afterwards too!)