Tuesday, May 26, 2015

Linking B2B with APIs

Bill Doerrfeld at Nordic APIs has written today about how APIs are evolving the B2B landscape. This is a particularly interesting article for me, because my personal background is working for an EDI provider, where I linked EDI processes from the private network to the Internet, over 15 years ago. Vordel was founded to allow new Web Services APIs to be used for B2B. Axway, a B2B software company, acquired Vordel in 2012 to link B2B with Web APIs. This caused a domino effect, with other API Management vendors being acquired shortly afterwards. However, none of the acquirers of the other startups had the B2B depth of Axway.

And since the acquisition we have been executing on that plan. In last month's Gartner MQ for Application Services Governance, in which Axway is classed as a "leader", Gartner reports that: “Axway acquired Vordel in November 2012 to mix integration, governance and cloud functions in a B2B infrastructure offering with API management capabilities, and it has been executing that plan since.”

APIs compliment B2B in many ways. In this white paper by Mark Boyd, I list some of them:
Often there are clear interfaces that make sense with APIs: price catalogs, order status lookups and shipment lookups, for example. B2B will require ways to go in and look at these interfaces, so they are good candidates to have available to partners as an API.
It's very exciting to see the ongoing usage of APIs for B2B, and for Axway to be at the center of this.  

Monday, May 25, 2015

Service Control Gateway

I'm back from a week in London, where one of the highlights was Gartner AADI. This year, I had the privilege of presenting alongside Oliver Cronk from Three UK, and our talk was entitled "How APIs are driving Digital Transformation at Three". A key part of that digital transformation is the role of the Service Control Gateway pattern.

In the morning before our talk, Gartner's Anne Thomas explained how the "Service Control Gateway" pattern applies SDA (Software Defined Architecture) to Application Services, creating SDAS (Software-Defined Application Services). Anne's session was full to capacity, indicating the level of interest in this area. In the photo below, we see the role of the Service Control Gateway, in between consumers and application services. On the right of the photo, you can see the capabilities provided by the Service Control Gateway. Coming from an API Management vendor, I could not help noticing that these closely align to an API Gateway

In our session, Oliver Cronk showed this pattern in action at Three. Here you can see the Service Control Gateway in between consumers (including, for example, ATMs for mobile topups) and underlying infrastructure such as an ESB.

Overall, this was a great conference. The highlight was the recognition of the role of the Service Control Gateway, and it was fantastic to be a part of telling the story of how an innovative organization such as Three UK has been at the forefront of taking advantage of this new pattern.

Friday, May 22, 2015

OpenID Connect (OIDC) on the Axway API Gateway

One of the great features on the latest release of the Axway API Gateway, and our API Management solution in general, is fully support for OpenID Connect (OIDC). OpenID Connect is a new specification which builds on top of OAuth 2.0, and it enables important "Social Login" use cases, among others. The OpenID Connect process follows the OAuth 2.0 three-legged authorization code flow, but with the additional concepts of an ID token and a UserInfo endpoint.

You can see in Policy Studio, there is the ability now to create an OpenID Connect Token, and associate it with claims:

We include prebuilt support for Google's OIDC implmentation, in an example flow documented below. You can see, at the bottom of the flow, that the "user_info" endpoint is called, to get info about the user (e.g. attributes). The "user_info" endpoint is one of the new features which OIDC builds on top of OAuth 2.0 itself:

Here's an example of the output from this user_info endpoint:
{ "kind": "APIManagementOpenIdConnect", "gender": "female", "sub": "sampleuser", "name": "Sample User", "given_name": "Sample", "family_name": "${User}", "picture": "https://URL.TO.IMAGE/", "email": "sampleuser@axway", "email_verified": "true", "locale": "en" }
This is all implemented in prebuilt samples, so you can see it in action in the API Gateway. See below "Use OpenID Connect" to sign in with Google (where Google is the IpD - Identity Provider) or sign in with the Axway API Gateway.

The fact that the Axway solution allows our customersto act as your their IdP is important, since it enables many so-called "Identity as a Service" (IDaaS) use cases. It means you yourself can implement "Sign in with My Company" of your own.

You can get your copy of the API Gateway, part of our API Management solution as a whole, over at www.axway.com

Thursday, May 14, 2015

API Workshop tomorrow May 15 at Nordic APIs Seattle

First, that's not a typo. Nordic APIs is indeed in Seattle this year. Perhaps next year we'll see "Pacific Northwest APIs" in Stockholm :-).

The Seattle line-up for Nordic APIs looks great, with Microsoft, APIMetrics, and Splunk speaking [I'm giving a talk about the "API First" approach]. The event kicks off at 11.30am. But, you can warm up for the event at the API Workshop taking place that morning at the same venue (Seattle's South Lake Union Discovery Center). At the API workshop, we get down and dirty with APIs, including:

* Building a mobile app consuming APIs, with REST and API Keys
       - What are the security considerations?
* Understanding REST API Security with OAuth and OpenID Connect
       - How to secure REST APIs: Where do OAuth 2.0 and API Keys fit in?
* How to enable Single Sign-On with Cloud Identity Providers (IdPs) like Google?
       - Mapping Cloud identity to enterprise identity
* Beyond REST: HTML5 WebSockets for API access
       - Full duplex streaming of data, for next-generation Web APIs
* SalesForce API Access: Session management, caching, orchestration
* Cloud-to-Ground interoperability in a hybrid world
       - How to safely connect Cloud services like Office 365 or Google Apps to your organization
* How to on-board and enable a partner developer community
       - API Developer Portal tips and tricks

It's free to register for the API Workshop, and we do provide coffee and giveaways. Come along to get in the API mood for NordicAPIs!

Friday, May 8, 2015

A tale of two electric car smartwatch API strategies

Nikki Gordon-Bloomfield has written a piece in Transport Evolved this week about some third-party smartwatch apps developed using Tesla's unofficial API. These follow on from the original unofficial Tesla Apple Watch app developed by Elek. While it's definitely possible to see merit in "letting a thousand flowers bloom" of unofficial apps, it is understandably worrying for security people to think about car apps calling an unofficial reverse-engineered API.

Another approach is what BMW has done for smartwatch (and smartphone) apps for their BMWi electric cars. These apps make use of the ConnectedDrive API. In this Axway video about the BMWi apps, with our implementation partner IC-Consult, you can learn about how this API makes use of OAuth and other security technologies, through an Axway API Gateway.This ensures security of the API itself, as well as enabling end-users to choose which aspects of the car they want the app to control (mapped via OAuth scopes, as explained in the video).

Here is a still from the video which shows the various apps, including a smartwatch app:

The API Gateway layer applies security, between the apps and the ConnectedDrive infrastruture:

And here's a double-click down on the architecture, showing the smartwatch and smartphone iRemote apps (on the left), with the API Gateway implementing OAuth (in the center), in front of the ConnectedDrive infrastructure (on the right). Click on the image to see the full video, including the OAuth flow (this piece is approx minute 17 onwards):

The era of smartwatch apps connecting to cars is upon us. API security has a key role to play.