API Management Solution for Heroku Applications
See an API management solution for Heroku applications.
Heroku is a PaaS for deploying and running modern apps. If you are an application developer using the Heroku platform, you may have already identified the need for a proper API Management solution to solve common integration challenges and to cater for frequently changing business use cases.
Let’s take a simple ecosystem of a service provider and two consumers.
Consumer applications A and B consume the service provided by application C. Based on their service exposure and consumption needs, we can categorize applications as:
- Applications that expose services
- Applications that consume services
- Applications that both consume and expose services
As the number of services and integrations between your enterprise applications grows, managing the complete lifecycle of these services becomes a tedious job.
Heroku Application Developer Challenges
As application developers, we face numerous challenges and end up with many time-consuming workarounds because complete API management functionality is missing.
- Consumer applications usually demand standard security mechanisms such as OAuth2. With the rise of mobile apps in digital enterprises, services need to expose proper RESTful APIs to consumers. Consumers expect standard OAuth2 functionality such as the authorization code flow with PKCE. In some application integration projects, the nature of the integrations makes support for further grant types, such as the JWT and SAML bearer assertion grants, or bridging to legacy authentication schemes such as NTLM, critical to completing the project. As a service provider, building a fully OAuth2-compliant service is more time-consuming and complicated than implementing the actual business logic of the service.
- Consumer applications may abuse the service with an unexpected load. The Heroku blog suggests using various libraries to implement rate limiting inside the app. However, traffic limits for each consumer application should be configurable quickly, without changes to the app itself.
- Service provider applications need to know who invokes the service, and statistics such as the number of failed and successful requests per consumer. While Heroku provides good statistics for service invocations as a whole, a breakdown of these numbers per consumer is needed to identify each consumer's error rate and to analyze the impact of a service outage.
- Service provider applications may need to expose filtered data to specific consumers. Claims such as the username and roles of the consumer, as well as of the service provider, are frequently used to filter the data accordingly.
- The service provider needs to publish new versions of the service contract without breaking existing consumer applications, so service lifecycle management is required. In many cases, service consumers cannot switch to the latest service version immediately; in practice it may take months to a year. You can, however, mark previous versions of the service as deprecated so that new consumers do not adopt them. Another aspect of service lifecycle management is the ability to block access to a service immediately if a severe security vulnerability in it is being exploited.
- The service provider needs to expose a way to test the service during development of consumer applications.
- The service provider must be able to identify vulnerable consumers and restrict their access quickly. When attacks arrive through a compromised consumer, the ability to revoke that consumer's access immediately is a key requirement.
- As a consumer of multiple services, you may have a hard time dealing with a variety of authentication mechanisms, because service developers do not expose standard security implementations. As a result, you have to embed multiple third-party libraries and store credentials to authenticate and obtain access to each protected service. If several consumer applications consume the same protected services, governance of service consumption becomes unmanageable: for example, if one consumer application is compromised, revoking a shared credential means changing it in every application that uses it.
API Management Solution
A complete API Management solution addresses all of these challenges. Moreover, it offers Heroku application developers further opportunities, such as:
1. Developer portal to expose your services as APIs. The developer portal is customizable and includes community features to interact with consumers.
2. Monetize API usage. Start earning by enabling monetization for your consumers.
3. Ability to connect with any Identity provider to authenticate and allow access to your services.
Getting Started With API Management for Heroku
With all these gains in mind, how do you begin with API Management for Heroku?
1. There is nothing to change in your service provider implementation unless you need to identify who invoked your services (in that case, modify the application to read the JWT forwarded by the gateway and extract the user and claims from it).
Service consumer applications need to subscribe to your APIs and obtain keys to access them. No changes to their business logic are required if the service contract is unchanged, but they must send the Authorization header carrying the access token with each request.
2. Add the WSO2 API Cloud Add-On to your Heroku application. This Add-On does not deploy any gateway in Heroku; instead, you use the WSO2 API Cloud. This is fast and involves no additional cost on the Heroku side. Use the API Cloud free trial. You can choose the API gateway location closest to the region of your Heroku deployment.
3. If you need to run the API gateway next to your Heroku applications, use the Heroku API Gateway Button.
4. Read more on Heroku API Management with WSO2 API Cloud.
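Step 1 says the provider only has to change its code if it needs to read the gateway-forwarded JWT to identify the caller, and the challenge list earlier mentions filtering data by claims such as username and roles. The following is an added example of how a Heroku backend could do both; it is not code from the article, from WSO2 or from Heroku. Everything beyond "read the JWT and its claims" is an assumption for illustration: the `X-JWT-Assertion` header name (the WSO2 default, but configurable), the `sub` and `roles` claim names, the constructed order records, and HS256 with a shared secret so that the block runs with the standard library alone. Gateways normally sign backend JWTs with RS256, so in production verify against the gateway's public key with a maintained JWT library rather than this hand-rolled check.

```python
"""Added example (not WSO2's or Heroku's code): verify a gateway-issued JWT in a
backend and filter the response by the caller's claims."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumption: the gateway forwards end-user context to the backend as a JWT in
# this header (WSO2's default name; treat it as configurable).
JWT_HEADER = "X-JWT-Assertion"

# Assumption: HS256 with a secret shared between gateway and backend, chosen so
# the example needs no third-party library. Real gateways usually use RS256;
# verify with the gateway's public key and a JWT library in production.
SHARED_SECRET = b"constructed-demo-secret-do-not-use"


class InvalidToken(Exception):
    """Raised for any token the backend must reject."""


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_jwt(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Verify an HS256 JWT and return its claims.

    Rejects malformed tokens, any algorithm other than the one the backend
    expects (so 'alg: none' or key-confusion tricks fail), bad signatures and
    expired tokens.
    """
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        payload = json.loads(b64url_decode(p_b64))
        sig = b64url_decode(s_b64)
    except ValueError as exc:  # covers base64, JSON and unpacking errors
        raise InvalidToken("malformed token") from exc
    # Pin the algorithm: never trust the 'alg' the token announces.
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected algorithm")
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise InvalidToken("bad signature")
    now = time.time() if now is None else now
    if "exp" not in payload or now >= payload["exp"]:
        raise InvalidToken("expired")
    return payload


def mint_jwt(claims: dict, secret: bytes) -> str:
    """Constructed stand-in for the gateway: sign claims as an HS256 JWT."""
    h = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


# Constructed sample data: each record names the role required to see it, or
# "owner" meaning only the owning user may see it.
ORDERS = [
    {"id": 1, "owner": "alice", "total": 120, "visibility": "owner"},
    {"id": 2, "owner": "bob", "total": 80, "visibility": "owner"},
    {"id": 3, "owner": "alice", "total": 999, "visibility": "finance"},
]


def filter_orders(claims: dict) -> list:
    """Return only the records the caller may see, based on the JWT claims.
    Assumed claim names: 'sub' (username) and 'roles' (list of role names)."""
    user = claims.get("sub")
    roles = set(claims.get("roles", []))
    return [
        o for o in ORDERS
        if o["visibility"] in roles
        or (o["visibility"] == "owner" and o["owner"] == user)
    ]


def handle_request(headers: dict, now: Optional[float] = None):
    """Minimal handler: (401, error) on a missing or invalid gateway JWT,
    otherwise (200, filtered records)."""
    token = headers.get(JWT_HEADER)
    if not token:
        return 401, {"error": "missing gateway JWT"}
    try:
        claims = verify_jwt(token, SHARED_SECRET, now)
    except InvalidToken as exc:
        return 401, {"error": str(exc)}
    return 200, filter_orders(claims)


if __name__ == "__main__":
    tok = mint_jwt({"sub": "alice", "roles": ["customer"], "exp": time.time() + 300},
                   SHARED_SECRET)
    print(handle_request({JWT_HEADER: tok}))
```

The backend trusts the claims only after the signature and expiry checks pass, and it pins the algorithm rather than reading it from the token; both are the checks most often skipped when a team "just parses the JWT". The `mint_jwt` helper exists only so the example can run without a gateway.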
Applications deployed in Heroku need API Management functionality to solve integration challenges quickly and flexibly.
The WSO2 API Cloud Add-On and the Heroku API Gateway Button are one answer to such challenges.
Published at DZone with permission of Manjula Rathnayaka. See the original article here.
Opinions expressed by DZone contributors are their own.