book

Mastering API Architecture

by James Gough, Daniel Bryant, Matthew Auburn

October 2022

Beginner to intermediate

286 pages

8h 3m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Foreword
Preface
Why Did We Write This Book?Why Should You Read This Book?Who This Book Is ForDeveloperAccidental ArchitectSolutions/Enterprise ArchitectWhat You Will LearnWhat This Book Is NotConventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgmentsJames GoughDaniel BryantMatthew Auburn
Introduction
The Architecture JourneyA Brief Introduction to APIsRunning Example: Conference System Case StudyTypes of APIs in the Conference Case StudyReasons for Changing the Conference SystemFrom Tiered Architecture to Modeling APIsCase Study: An Evolutionary StepAPI Infrastructure and Traffic PatternsRoadmap for the Conference Case StudyUsing C4 DiagramsC4 Context DiagramC4 Container DiagramC4 Component DiagramUsing Architecture Decision RecordsAttendees Evolution ADRMastering API: ADR GuidelinesSummary
I. Designing, Building, and Testing APIs
1. Design, Build, and Specify APIs
Case Study: Designing the Attendee APIIntroduction to RESTIntroduction to REST and HTTP by ExampleThe Richardson Maturity ModelIntroduction to Remote Procedure Call (RPC) APIsA Brief Mention of GraphQLREST API Standards and StructureCollections and PaginationFiltering CollectionsError HandlingADR Guideline: Choosing an API StandardSpecifying REST APIs Using OpenAPIPractical Application of OpenAPI SpecificationsCode GenerationOpenAPI ValidationExamples and MockingDetecting ChangesAPI VersioningSemantic VersioningOpenAPI Specification and VersioningImplementing RPC with gRPCModeling Exchanges and Choosing an API FormatHigh-Traffic ServicesLarge Exchange PayloadsHTTP/2 Performance BenefitsVintage FormatsGuideline: Modeling ExchangesMultiple SpecificationsDoes the Golden Specification Exist?Challenges of Combined SpecificationsSummary
2. Testing APIs
Conference System Scenario for This ChapterTesting StrategiesTest QuadrantTest PyramidADR Guideline for Testing StrategiesContract TestingWhy Contract Testing Is Often PreferableHow a Contract Is ImplementedADR Guideline: Contract TestingAPI Component TestingContract Testing Versus Component TestingCase Study: Component Test to Verify BehaviorAPI Integration TestingUsing Stub Servers: Why and HowADR Guideline: Integration TestingContainerizing Test Components: TestcontainersCase Study: Applying Testcontainers to Verify IntegrationsEnd-to-End TestingAutomating End-to-End ValidationTypes of End-to-End TestsADR Guideline: End-to-End TestingSummary
II. API Traffic Management
3. API Gateways: Ingress Traffic Management
Is an API Gateway the Only Solution?Guideline: Proxy, Load Balancer, or API GatewayCase Study: Exposing the Attendee Service to ConsumersWhat Is an API Gateway?What Functionality Does an API Gateway Provide?Where Is an API Gateway Deployed?How Does an API Gateway Integrate with Other Technologies at the Edge?Why Use an API Gateway?Reduce Coupling: Adapter/Facade Between Frontends and BackendsSimplify Consumption: Aggregating/Translating Backend ServicesProtect APIs from Overuse and Abuse: Threat Detection and MitigationUnderstand How APIs Are Being Consumed: ObservabilityManage APIs as Products: API Lifecycle ManagementMonetize APIs: Account Management, Billing, and PaymentA Modern History of API Gateways1990s Onward: Hardware Load BalancersEarly 2000s Onward: Software Load BalancersMid-2000s: Application Delivery Controllers (ADCs)Early 2010s: First-Generation API Gateways2015 Onward: Second-Generation API GatewaysCurrent API Gateway TaxonomyTraditional Enterprise GatewaysMicroservices/Micro GatewaysService Mesh GatewaysComparing API Gateway TypesCase Study: Evolving the Conference System Using an API GatewayInstalling Ambassador Edge Stack in KubernetesConfiguring Mappings from URL Paths to Backend ServicesConfiguring Mappings Using Host-based RoutingDeploying API Gateways: Understanding and Managing FailureAPI Gateway as a Single Point of FailureDetecting and Owning ProblemsResolving Incidents and IssuesMitigating RisksCommon API Gateway Implementation PitfallsAPI Gateway LoopbackAPI Gateway as an ESBTurtles (API Gateways) All the Way DownSelecting an API GatewayIdentifying RequirementsBuild Versus BuyADR Guideline: Selecting an API GatewaySummary
4. Service Mesh: Service-to-Service Traffic Management
Is Service Mesh the Only Solution?Guideline: Should You Adopt Service Mesh?Case Study: Extracting Sessions Functionality to a ServiceWhat Is Service Mesh?What Functionality Does a Service Mesh Provide?Where Is a Service Mesh Deployed?How Does a Service Mesh Integrate with Other Networking Technologies?Why Use a Service Mesh?Fine-grained Control of Routing, Reliability, and Traffic ManagementProvide Transparent ObservabilityEnforce Security: Transport Security, Authentication, and AuthorizationSupporting Cross-Functional Communication Across LanguagesSeparating Ingress and Service-to-Service Traffic ManagementEvolution of Service MeshEarly History and MotivationsImplementation PatternsService Mesh TaxonomyCase Study: Using a Service Mesh for Routing, Observability, and SecurityRouting with IstioObserving Traffic with LinkerdNetwork Segmentation with ConsulDeploying a Service Mesh: Understanding and Managing FailureService Mesh as a Single Point of FailureCommon Service Mesh Implementation ChallengesService Mesh as ESBService Mesh as GatewayToo Many Networking LayersSelecting a Service MeshIdentifying RequirementsBuild Versus BuyChecklist: Selecting a Service MeshSummary
III. API Operations and Security

5. Deploying and Releasing APIs
Separating Deployment and ReleaseCase Study: Feature FlaggingTraffic ManagementCase Study: Modeling Releases in the Conference SystemAPI LifecycleMapping Release Strategies to LifecycleADR Guideline: Separating Release from Deployment with Traffic Management and Feature FlagsRelease StrategiesCanary ReleasesTraffic MirroringBlue-GreenCase Study: Performing Rollouts with Argo RolloutsMonitoring for Success and Identifying FailureThree Pillars of ObservabilityImportant Metrics for APIsReading the SignalsApplication Decisions for Effective Software ReleasesResponse CachingApplication-Level Header PropagationLogging to Assist DebuggingConsidering an Opinionated PlatformADR Guideline: Opinionated PlatformsSummary
6. Operational Security: Threat Modeling for APIs
Case Study: Applying OWASP to the Attendee APIThe Risk of Not Securing External APIsThreat Modeling 101Thinking Like an AttackerHow to Threat ModelStep 1: Identify Your ObjectivesStep 2: Gather the Right InformationStep 3: Decompose the SystemStep 4: Identify Threats—Taking This in Your STRIDEStep 5: Evaluate Threat RisksStep 6: ValidationSummary
7. API Authentication and Authorization
AuthenticationEnd-User Authentication with TokensSystem-to-System AuthenticationWhy You Shouldn’t Mix Keys and UsersOAuth2Authorization Server Role with API InteractionsJSON Web Tokens (JWT)Terminology and Mechanisms of OAuth2 GrantsADR Guideline: Should I Consider Using OAuth2?Authorization Code GrantRefresh TokensClient Credentials GrantAdditional OAuth2 GrantsADR Guideline: Choosing Which OAuth2 Grants to SupportOAuth2 ScopesAuthorization EnforcementIntroducing OIDCSAML 2.0Summary
IV. Evolutionary Architecture with APIs
8. Redesigning Applications to API-Driven Architectures
Why Use APIs to Evolve a System?Creating Useful Abstractions: Increasing CohesionClarifying Domain Boundaries: Promoting Loose CouplingCase Study: Establishing Attendee Domain BoundariesEnd State Architecture OptionsMonolithService-Oriented Architecture (SOA)MicroservicesFunctionsManaging the Evolutionary ProcessDetermine Your GoalsUsing Fitness FunctionsDecomposing a System into ModulesCreating APIs as “Seams” for ExtensionIdentifying Change Leverage Points within a SystemContinuous Delivery and VerificationArchitectural Patterns for Evolving Systems with APIsStrangler FigFacade and AdapterAPI Layer CakeIdentifying Pain Points and OpportunitiesUpgrade and Maintenance IssuesPerformance IssuesBreaking Dependencies: Highly Coupled APIsSummary
9. Using API Infrastructure to Evolve Toward Cloud Platforms
Case Study: Moving the Attendee Service to the CloudChoosing a Cloud Migration StrategyRetain or RevisitRehostReplatformRepurchaseRefactor/Re-architectRetireCase Study: Replatforming the Attendee Service to the CloudRole of API ManagementNorth–South Versus East–West: Blurring Lines of Traffic ManagementStart at the Edge and Work InwardCrossing Boundaries: Routing Across NetworksFrom Zonal Architecture to Zero TrustGetting in the ZoneTrust No One and VerifyRole of Service Mesh in Zero Trust ArchitecturesSummary
10. Wrap-up
Case Study: A Look Back on Your JourneyAPIs, Conway’s Law, and Your OrganizationUnderstanding Decision TypesPreparing for the FutureAsync CommunicationHTTP/3Platform-based MeshWhat’s Next: How to Keep Learning About API ArchitectureContinually Honing the FundamentalsKeeping Up-to-Date with Industry NewsRadars, Quadrants, and Trend ReportsLearning About Best Practices and Use CasesLearning by DoingLearning by Teaching
Index
About the Authors

Content preview from Mastering API Architecture

Chapter 7. API Authentication and Authorization

In the previous chapter you learned how to threat model API-based systems and about the OWASP API Security Top 10. The Attendee API is ready to receive traffic from the outside world; however, how exactly is the consumer of the API identified? In this chapter we are going to explore authentication and authorization for APIs. Authentication tells us who the callee is and authorization tells us what they are allowed to do.

We will begin by highlighting what authentication and authorization is for APIs. This leads to the importance of securing APIs and the potential limitations with using API keys and tokens. OAuth2 is a token-based authorization framework introduced in 2012 and has rapidly become the industry standard for securing APIs and determining what actions an application can perform against an API. A large part of this chapter will focus on OAuth2 and the range of security approaches offered for both end users and system-based interactions. Consumers of APIs will sometimes need to know details of the user they are acting on behalf of—to show how this can be achieved we will introduce OIDC.

The chapter will illustrate the different approaches to security by looking to prepare the Attendee API for external usage by the CFP system.

Authentication

Authentication is the act of verifying an identity. For the case of a user, the most traditional method is that the user presents their credentials in the form of a username and the ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781492090625Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Mastering API Architecture

by James Gough, Daniel Bryant, Matthew Auburn

Chapter 7. API Authentication and Authorization

Authentication

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.