The API Stack

The API is one of the most important parts of a modern application architecture. APIs should be generic and re-usable, robust, flexible and reliable.

Flexible and re-usable APIs mean that middleware that was previously integrated as part of the front-end needs to be pushed down to the API stack.

Authentication and authorization

The «Authentication and authorization» part is not easy to migrate to the API stack. Involving both the end-user and the client in the authentication process means replacing Web Single Sign-On protocols such as SAML 2.0 with more API-oriented protocols such as OAuth 2.0 and OpenID Connect. While this is not necessarily very complex by itself, it becomes quite a bit to configure and manage for each API. In addition, you would like to satisfy the expectation of self-service registration and management of applications and access control.

Dataporten aims to offer this part of the API stack as a service for APIs in education and research in Norway.

Service providers benefit from the following Dataporten functionality:

  • The API information is exposed in a public catalog available to interested application developers.
  • Application providers that want to make use of the API may request access through the Dataporten Dashboard.
  • API owners may control the moderation queue of applications that request access.
  • More fine-grained API access may be managed through API sub-scopes. Applications decide whether to request readonly access, write access, admin access or any custom access level that the API owner has defined.
  • Applications may re-use the OAuth tokens that are issued during authentication to access the API. This is very convenient for applications that need to access multiple APIs.
  • Dataporten proxies the request, processes and validates the token, and passes information about the authenticated end-user, the client, access scopes and more on to the API, which makes it easy to implement fine-grained access control based on the requesting user.
  • Dataporten provides statistics about the usage of your API (coming soon).

The rest of the stack

The exact stack needed for an API may vary. The layered architecture makes it easier to pick the needed functions and enable them in a middleware layer.

Some functions need to be placed very close to the API. These include the implementation of the protocol, business logic, fine-grained authorization and object cache.

Other functions, such as rate limiting, audit logging and caching, can be placed in different places in the architecture. They may be part of a middleware stack in the API software itself, or they may be part of a common infrastructure component such as a proxy.

The load balancer, when needed, obviously needs to be placed in front of the API instances.

While we have been asked about this, Dataporten does not aim to offer these more API-near middleware layers.

Dataporten scales down

A full API stack may seem overwhelming. It is not needed in order to get started with offering API web services, and can easily be introduced later when the use and expectations of the API increase.

Still, Dataporten scales down to support your simplest « Hello world, $username! » API.

Using Dataporten with APIs without Gatekeeper

While the simplest approach for API owners is to use the Dataporten API Gatekeeper, there may be reasons to send API traffic directly from clients to the API source without any proxies. Some reasons may be:

  • Security considerations with regard to API proxies
  • Very strict latency requirements
  • Very high performance requirements

Our recommendation for re-using the Dataporten features in these use cases is to rely on signed JWT bearer tokens.

We have implemented demo code showing how to set up a JWT token issuer with Dataporten, but we also plan to include support for issuing JWT bearer tokens for third party APIs as part of the built-in functionality of the Dataporten platform.
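
Without the Gatekeeper in the path, the API itself has to do the checks the proxy would otherwise do. The sketch below is an example added here, not Dataporten's demo code: it shows the API-side validation of a signed JWT bearer token, including the sub-scope check. The secret, issuer, audience and scope names are constructed, and HS256 with a shared secret is an assumption made so the example runs on the standard library alone.

```python
import base64, hashlib, hmac, json, time

# Assumptions (constructed for this example, not Dataporten values): HS256 with
# a shared secret so only the standard library is needed, plus placeholder
# issuer, audience and scope names.
SECRET = b"constructed-demo-secret"
ISSUER = "https://issuer.example.org"
AUDIENCE = "https://api.example.org"

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def sign(head, body, secret):
    return hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()

def issue(claims, secret=SECRET, alg="HS256"):
    """Issuer side, present only to construct sample tokens."""
    head = b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{b64e(sign(head, body, secret))}"

def verify(token, required_scope, now=None):
    """API side: return the claims of an acceptable token, else raise ValueError."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header, signature = json.loads(b64d(head)), b64d(sig)
    except Exception:
        raise ValueError("malformed token")
    # Pin the algorithm; the token's own header must not choose it (blocks alg=none).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # Constant-time comparison, done before any claim is parsed or trusted.
    if not hmac.compare_digest(sign(head, body, SECRET), signature):
        raise ValueError("bad signature")
    claims = json.loads(b64d(body))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("expired")
    # Sub-scope check: a read-only token must not reach a write endpoint.
    if required_scope not in str(claims.get("scope", "")).split():
        raise ValueError("missing scope")
    return claims
```

With an issuer that is a separate party from the API, an asymmetric signature keeps the signing key off the API host; the order of checks stays the same.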

Getting started

If you are an API developer and would like to get started playing with the Dataporten API Gatekeeper, you can head over to the documentation:

And please let us know if there are things you feel are missing from the documentation.