Summary
Join Linus Hawkinson as he delves into the Gravitee platform in this detailed and engaging technical presentation. This demo starts with an architecture overview and moves through various components such as the API Designer and Management pieces. Viewers will learn how to create APIs using drag-and-drop functionality, configure plans for access and subscriptions, and secure APIs using different policies. The session also covers using Gravitee's gateway for API calls, setting up alerts with Slack, and integrating advanced access management. The comprehensive tour concludes with a look at Gravitee's cockpit solution, offering a thorough understanding of managing multiple environments and installations.
Highlights
Gravitee offers drag-and-drop API design, useful for both technical and non-technical users.
The API management allows for lifecycle management and dynamic subscriptions.
A robust security setup includes OAuth2 applications and Google integration.
Explore real-time alert setups via Slack for interactive monitoring.
Gravitee's cockpit gives a comprehensive view of the entire installation and its components.
Key Takeaways
Explore Gravitee's drag-and-drop API design feature for both technical and non-technical users
Understand how to manage and subscribe to APIs through Gravitee's developer portal
Learn to integrate security features and policies for robust API management
Utilize Gravitee's alert engine for real-time notifications via Slack
Harness the power of access management with OAuth2 and Google sign-in
Discover the cockpit solution for a unified view of all Gravitee components across multiple environments
Overview
The Gravitee platform is your go-to solution for end-to-end API management. With a user-friendly approach, both developers and product managers can design APIs using an intuitive drag-and-drop interface. Whether you start from scratch or import existing definitions, Gravitee makes life easier by automatically generating essential documentation and managing the API lifecycle.
Dive into the integrations as Gravitee connects your API ecosystem, whether on the cloud or on-premise. From seamless API gateway setups to secure backends with OAuth2 authentication through Google, Gravitee ensures a protected interaction with your APIs. The developer portal allows managers to control API access, ensuring only the right eyes see the right information.
Gain peace of mind with Gravitee's alert engine, which ties seamlessly into Slack for instant notifications about API health or security breaches. Gravitee's cockpit ties the whole platform together, providing a bird's-eye view for environment management. This indispensable tool ensures everything runs smoothly, whether you're running a single- or multi-environment installation.
Chapters
00:00 - 00:30: Introduction to Gravitee and Agenda The chapter provides a detailed introduction to the Gravitee platform, led by Linus Hawkinson, head of solutions engineering. It outlines the presentation's agenda, starting with the architecture of Gravitee, followed by a platform overview covering its components. The chapter promises an in-depth examination of each component, beginning with the API Designer and demonstrating how to create an API from scratch using drag-and-drop functionality.
00:30 - 01:00: Platform Overview and Components The chapter provides a comprehensive breakdown of the platform and its components. It begins by explaining the management process involved in importing and creating new APIs. This includes configuring different access plans for users. The chapter also covers the use of a developer portal to expose API documentation and manage plan subscriptions.
01:00 - 01:30: Alert Engine and Access Management The chapter discusses the implementation of an alert engine using Slack as a notification channel for SLA alerts. It further explores access management by creating an OAuth2 application on top of the API for enhanced security. The use of Google as an identity provider for user sign-in, and integration with the Twitter API, are demonstrated. The chapter concludes with embedding the entire experience in a web page.
01:30 - 02:00: Deployment Models and Architecture The chapter discusses the architecture of the Gravitee platform from a consumer and user perspective, including the integration of access management applications with previously created APIs. It also covers the cockpit solution for centralized management of Gravitee components, and the process of installing or registering a new instance of the access management system, enabling a multi-environment setup.
02:00 - 02:30: API Designer and Management This chapter discusses two different deployment models for API design and management. The first model involves hosting everything on top of a firewall, while the second involves having the firewall within your customer network. The chapter provides an example of deploying the full Gravitee solution within your network, whether that's on your preferred cloud provider or within your on-premise data center. A significant point highlighted is that each Gravitee deployment model may require different configurations.
02:30 - 03:00: Creating and Managing API Plans This chapter discusses the deployment of components as Docker containers using various methods such as Kubernetes Helm charts, Docker Compose instructions, and traditional installations on Windows and Linux. It further explores deploying services within a customer's network, focusing on exposing backend services (like Kafka topics or RESTful/SOAP services) through an API gateway. The importance of positioning the API gateway close to backend services for optimal performance is also highlighted.
03:00 - 03:30: Using Developer Portal and Authentication This chapter covers the use of the Developer Portal and authentication, focusing on optimizing data source security and latency. It explains how to deploy Gravitee gateways to multiple locations, including partner networks, physical data centers, and the cloud, allowing management of all gateways and APIs from a single console. The chapter highlights the deployment of Gravitee consoles, management interfaces, and metadata for effective API management.
03:30 - 04:00: Implementing Access Management The chapter "Implementing Access Management" discusses the management console functionality within a network, focusing on a developer portal used to discover APIs. It covers administration aspects, such as defining API appearances, backend orchestration, traffic shaping, and associated analytics. Default metadata and analytics are housed in specific components, with MongoDB and Elasticsearch mentioned as the default tools used by Gravitee, highlighting the system's pluggability.
04:00 - 04:30: Alert Engine and API Notifications This chapter discusses the integration of different data sets into a repository using JDBC for managing metadata within the Gravitee backend. It describes how MySQL databases can be utilized to store this information. The chapter also explains the interaction between various components and gateways involved in running APIs, emphasizing the role of gateways in calling the metadata layer to extract necessary data.
04:30 - 05:00: Access Management and OAuth2 Plan The chapter delves into access management and the OAuth2 framework. It highlights the process of managing access and executing APIs, discussing the backend services being proxied and the various traffic shaping policies in place. Critical information is stored in memory within the gateway, sourcing metadata from components like MongoDB or SQL Server. Furthermore, the chapter explores SaaS models, particularly for those comfortable with cloud-hosted services, and introduces a fully hosted offering.
05:00 - 05:30: Cockpit Overview and Installation Management This chapter provides an overview of cockpit arrangements and the intricacies of managing installations. It begins by discussing the deployment of gateways within a cloud environment as part of a Gravitee SaaS (Software as a Service) solution. The cloud setup involves hosting various interfaces like the developer portal, console, and repositories, ensuring comprehensive management of all components. The flexibility of the solution is highlighted by allowing deployments of gateways both in the cloud and on-premise, depending on organizational preference. This offers dual deployment options: a fully cloud-hosted setup as SaaS or a hybrid model with both cloud and on-premise gateways.
Gravitee Full Platform Demonstration Transcription
00:00 - 00:30 Hello everyone and welcome to this technical presentation of Gravitee. I'm Linus Hawkinson and I head up the solutions engineering here at Gravitee. So in this presentation and demonstration we will start with an introduction to the architecture of the Gravitee platform. We'll then go into the platform overview to see what components are part of the existing offering for Gravitee. We'll dive into each of the components, so we'll have a look at the API Designer: how can we create an API from scratch using drag-and-drop functionality. We'll dive into the API
00:30 - 01:00 management piece and go through how we import and create new APIs to manage, how we configure different plans so people can access our APIs. We'll have a look at how we can expose the documentation and the plan subscriptions through our developer portal, and then we'll go through our design studio to see how we can protect our APIs through different policies and traffic shaping means, and then finally we'll use the gateway to actually call our API to go through a full demonstration of what that looks like.
01:00 - 01:30 We'll also have a look at the alert engine, which allows us to set up a notification; I'm going to be using Slack as the channel there for one of our SLA notifications. And we'll go through access management to see how we can take what we build and create an OAuth2 application on top of our API to enable that kind of additional security. We'll enable Google as an identity provider for the sign-in for users that want to authenticate to the API, and I will embed this whole experience in a web page to kind of illustrate how that can
01:30 - 02:00 look from a consumer and user perspective. And we'll obviously connect our access management application with our API that we created previously, and then finally we'll have a look at the cockpit solution that lets us get a single pane of glass of all the components in Gravitee. We'll look at how we can install or register a new installation of our access management piece, and now we can have a multiple-environment setup with that. So let's start by going through the architecture of the Gravitee platform. So
02:00 - 02:30 in here on this slide I have two different kind of deployment models. I have the Gravitee SaaS, where we host everything on top of the firewall here in the diagram, and then we have the firewall, and within that firewall, for example, your customer network. So let's take the example of where you would like to deploy the full Gravitee solution within your network, whether that's within your favorite cloud provider or whether that is within your on-premise data center. Worth mentioning is that each Gravitee
02:30 - 03:00 component can be deployed as a Docker container. We have a lot of Kubernetes Helm charts, we have Docker Compose instructions, you can run it on Windows, on Linux using traditional installations and RPM packages, etc. So if you take the example here of deploying everything within the customer network, now imagine you have some backend services that you would like to expose through an API gateway. It might be a Kafka topic, it might be a RESTful API or SOAP service. Now typically you want to have the gateway or the gateways as close to
03:00 - 03:30 those data sources as possible, from a security and from a latency perspective. So imagine you deploy a set of Gravitee gateways, and Gravitee gateways can be deployed to multiple locations: maybe you want to deploy some to your partner network, some to your own physical data center, maybe one or two sets to the cloud. You can then manage all of those gateways and all APIs from within a single console. So in this scenario let's say that you deploy the Gravitee consoles and the management interfaces, as well as the metadata,
03:30 - 04:00 also within your network. So the consoles and the management is basically for a developer portal for people to discover your APIs; it's also for administration to define what an API should look like, what the backend should proxy, the traffic shaping that goes with it, and all the analytics. Now all the metadata and analytics information sit in a metadata component. By default Gravitee uses MongoDB and Elasticsearch to provide that; however we have a very pluggable
04:00 - 04:30 solution, which means that you can bring any type of data set to have as your repository. For example, through JDBC you can have a MySQL database to store all your metadata and information that is used by the Gravitee backend to update and read information. So the relationship between those components and the gateways that actually run your APIs is that the gateways will basically make a call to the manager, sorry, the metadata layer, to extract the
04:30 - 05:00 information it needs in order to execute and run the API. So that is: what backend service am I proxying, what are the different traffic shaping policies. All that information is stored in memory within the gateway, and it reads that information from the metadata component, whether that is MongoDB or SQL Server or something like this. Now if you take a look at the SaaS models, imagine that you don't have anything on-premise, or you're fine with having accessible components in the cloud, then you can of course use our completely hosted offering, where we
05:00 - 05:30 deploy the gateways in our cloud in a Gravitee SaaS solution, and then we also host the interfaces, the developer portal, the console, the repositories; we host all the components in our cloud. Now obviously that means that you would still be able to deploy gateways on-premise too, if you want to. So maybe you would have wanted to have some gateways deployed in the cloud as a SaaS offering, but you also want to have some gateways deployed to your on-premise, but in this case maybe you don't want to
05:30 - 06:00 deploy the full Gravitee solution there; you're fine with Gravitee hosting the user interface and the repositories. So that's also a model: you can have one user interface with Gravitee and manage multiple gateways and deploy APIs to different gateways through a concept called sharding tags. Now obviously gateways can call backend services both from on-prem to the cloud or from the cloud to on-prem, based on a VPN connection or how you can configure a network and how your security team is looking at
06:00 - 06:30 kind of cross-network communication. There is a central component that allows you to control and manage and monitor all your Gravitee installations, which we will go through later on in this demonstration, which is called Cockpit. So Cockpit is either a SaaS solution or something that can also be deployed, for example, within your firewall, that lets you and your DevOps team manage and monitor all your Gravitee installations. The Gravitee API ecosystem basically consists of five components.
06:30 - 07:00 So in the bottom left we have the API Designer. So the API Designer is a quite unique tool that lets both technical and non-technical users define and design the structure of the APIs. So if you're aware of concepts like OpenAPI or Swagger definitions, that traditionally have been created using quite technical approaches, using JSON or YAML definitions, our API Designer lets those technical users speed up the creation and remove the
07:00 - 07:30 errors in those specifications, but also lets non-technical users have a drag-and-drop and very visual approach to defining, for example for product owners, what the API should look like and how it should respond. Then those definitions can be imported into our API management solution. So our API management component basically consists of three main things. The first one is our console, so that lets organizations manage the entire lifecycle of APIs and applications, so you can
07:30 - 08:00 import APIs, you can provide different types of policies on top of those APIs to control how many times a consumer can call the API per minute, what IP addresses we can call it from, different types of transformation policies, maybe to automatically convert the response from XML to JSON for the consumer. And then we have a developer portal where you can publish those APIs, and both anonymous and authenticated users can come in and view and discover APIs and see the
08:00 - 08:30 documentation, even try the APIs out, and then potentially subscribe to the APIs using various means of authentication, maybe API keys, OAuth2 plans, etc. Now a central component of course to the API management layer is the API gateway. So the API gateway is a very performant kind of Java-based engine that lets you deploy and proxy your backend services so that you can have a layer of authentication and traffic shaping on top of that.
08:30 - 09:00 The alert engine is an additional tool that allows organizations to set up custom reports and SLA structures. So for example, if you have an API that you're proxying for a backend service and you really need to make sure that if one of your consumers is having a response time that is twice as high as normal, or twice as high as the response time of the backend API for instance, you want to create maybe a Slack notification or send out an email to one
09:00 - 09:30 of your operations groups, for instance. The alert engine is also used to provide out-of-the-box alerts for things like the health of your infrastructure components; when there's a problem there you want to be notified. Or for example, using our access management component, you have users that have too many failed sign-in attempts, so they have reset their passwords too many times; that's also a concept where the alert engine can send out notifications. So the
09:30 - 10:00 access management component is a component that basically provides a more secure layer on top of your APIs. So we can federate access across multiple identity providers, such as OpenID Connect supported providers, Azure AD, Google, Facebook, all the other types of social accounts. And what you can do is you can basically allow your developers and third parties
10:00 - 10:30 to build very rich experiences that use these secure sign-in processes to protect your APIs, such as OAuth2, and we have biometric support: you can use facial recognition and fingerprint to have the users authenticating to the APIs before those tokens are used to access the APIs within our API management platform. And then finally we have Cockpit. So Cockpit is basically a control plane that allows you to have a central view and central kind of user
10:30 - 11:00 interface to monitor all the installations within your Gravitee API ecosystem, as well as any alerts or monitoring information and global organizational settings that you can provide in this Cockpit interface. So let's start by defining an API in API Designer. We'll then have a look to see how we can control the access to that API and manage the entire lifecycle of it, and I will also play around with alert engine and access management to see how
11:00 - 11:30 we can provide an additional level of security on top of the API when building a rich mobile or web application. And then also through the alert engine we'll see how we can set up some type of automated SLA breach notifications, and then we'll see how it all plays together using Cockpit and see how we monitor the whole installation and deployment of it. So my use case is that I'm a company that provides information about vacations and trips
11:30 - 12:00 that we have to offer. So a trip or a vacation can for example be a cruise trip in the islands of Greece, for instance, and it will have destinations, multiple islands potentially; it will have maybe an offer, and whether or not this trip has already been sold out. So as a product owner I might want to come in here in the API Designer tool and define what that should look like. Then I will basically hand that specification, the technical
12:00 - 12:30 specification, to my developers to have them implement the actual backend service to provide this information. And then obviously I want, as an API manager, to come in and proxy that service and provide authentication and some type of traffic shaping to ensure that it is up to the quality that my business requires. So using the API Designer I can either go and actually import existing specifications, if I already have something based on JSON Swagger definitions, or actually free mind templates as well,
12:30 - 13:00 to see if I can start on something that has already been initiated by someone else; or I can use an actual example model here for products or shops that comes with the Gravitee API Designer product. Currently we do not have any models here. What I'm going to do is I'm going to create one from scratch; I'm going to call this one vacations. All right, so now we have this kind of standard id and a simple attribute here, just to get started, and some guidelines in terms of how we use this tool to create our definition.
13:00 - 13:30 What you will see here is that we basically have three main views of this API Designer tool. On the left we have the attribute editor, so whenever I click here on the central piece on something, it's gonna refresh the UI here on the left that specifically controls how this highlighted component should be set. On the right-hand side we have the Swagger/OpenAPI specification documentation, generated in real time based on the
13:30 - 14:00 left component's settings and the structure of the API that we find defined right here in the central piece. So our main entry point is going to be /vacations, and by default it's going to have an id, and it's also going to have a few other attributes that we are going to create. Now what I can start doing is I can just specify what type of operations I want consumers to be allowed to take on this. Should they be able, for example, to search through a specific vacation in our database,
14:00 - 14:30 should they be able to create new vacations, should they be able to read all of the vacations that we have available, should they be able to update them, should they be able to delete them? Now in my case I'm actually going to provide this to my consumers; I don't want them to go and update or delete anything, so I'm actually going to go ahead and remove, or uncheck rather, those two operations. Now what I'm going to have is one search operation that enables us to return all the vacations back to the
14:30 - 15:00 user, and then I'm going to have read operations. Well, actually I'm not going to have a create either, so let's go and remove that one, so we just have these two simple operations: one to retrieve all vacations and one to retrieve just a specific vacation identified by its id. Okay, let's start by changing the default here for this attribute. So I'm going to give this the label name, so this is to define our vacation by its name. So an example of that could be, for instance,
15:00 - 15:30 Greece island cruise or something like this, so the name of the type, the name of the actual cruise or vacation, something like this. Okay, now I'm going to add a new one, so just come here to vacations, I'm going to say I want a new one, and I'm going to call this one type. So this will define what type of vacation it is; in our case it's going to be a cruise type of vacation. So I'm going to say the type of vacation: it could be flight, it could be a cruise, it could be
15:30 - 16:00 anything. All right, then next what I'm going to do is I'm going to specify destinations. So as I'm entering plural here you might get the idea that I might have multiple destinations for my vacation; in this case, when I'm going on my cruise in Greece, it might be several islands. So I might say here: list of all the destinations for the vacation. And an example here, let's actually not provide an example, because
16:00 - 16:30 we're going to have child objects of this, because I'm going to make this into not a text, I'm going to make this into a list of destinations. So each destination in my destinations list is going to have a city, so let's say for example I'm going to say the city of the destination, and as an example here I'm going to say for example Corfu, so let's say one of those islands that I'm intending to have there.
16:30 - 17:00 And it might also be multiple countries, right, that I'm going to be running my cruise on, so let's call this one country, and for description the country of the destination, and then an example here I'm going to say Greece. Okay, then the next thing I'm going to do is I'm going to have also an offer, because I want to be able to provide some kind of commercial information about this vacation as well to my third parties and to my consumers. So I'm going to say the info about the existing offer
17:00 - 17:30 for the vacation, and here I'm gonna just leave that by default. I'm gonna have to create two sub-attributes here: so I'm gonna have one that I'm gonna call discount, which is gonna be, let's put it as a number, so that might be for example 0.25 percent or 25 rather. So let's say the discount available, something like this.
17:30 - 18:00 all right and then for the second parameter here i'm going to say that this is the description so it might be you know a limited uh you know description of the offer i'm going to say an example limited only until end of year or something like this all right just finally i'm gonna have just one property here that i'm gonna call sold out which is going to be of the type boolean so it's either sold out this vacation or it's not right so
18:00 - 18:30 an example could be true yes it is sold out so if vacation is sold out or not now we could go and build this much more complicated we could have multiple kind of sub paths within our api but for now we're just going to leave this quite you know simple now as i mentioned in real time we're building up this documentation based on open api specification here so i can see and what would it look like if someone goes and call the get operation or the read operation to read all the vacations that i have
18:30 - 19:00 so here we can see what an example response would look like based on this definition so the id the name the type the destinations are right here and the offer all you can see here with the descriptions or rather examples that i provided in the definition now i can also go and specify a specific vacation right so if i put in the id after my vacation resource i will then get just information about a single location and obviously if i would
19:00 - 19:30 support create and update operations then we would provide examples of what you need to fit in to this particular api in order to create a new application i can also see the schemas here that defines you know also has the descriptions and examples of of my properties okay so i'm quite happy with this this is a good starting point so now it's a next step i obviously want to export this to my developer so they can actually use this as a template to implement the backend service that provides this
19:30 - 20:00 information so what i'll do is i'll go here to dashboard and i'll have a few options here for my api i can download this as a jambo or json specification or i can deploy directly to the api manager so let's go and do that and see what it looks like within the api manager component okay so we can see here in our api management console that we have a list of apis here and one of them is called vacations api
20:00 - 20:30 this red little icon means that it's not running as of now because obviously we just imported it so the api management component as we mentioned consists of three components it has the console which we're currently in right now this is where me as an administrator i can come in i can view my apis i can manage apis i can create new apis i can deploy them and manage the entire lifecycle and then we have the gateway and the portal which we'll be examining in a few moments so i already have a few apis here set up
20:30 - 21:00 in my environment but obviously the new one that was just imported here is the vacations api now what i could have done is i could have gone and created a new api right and i could have said i want to create an api from scratch by defining you know the back end maybe import a uh some documentation for it or i can go and create an api by importing a swagger or open api descriptor file like a json or general one or i can actually go and import a whistle file to have gravity creating an api proxy on
21:00 - 21:30 on top of a SOAP API for instance, but in our case obviously what we did is we went through the API Designer and deployed the API from within there. So let's go ahead and explore what this looks like. It does a default description that is configurable from the API Designer; we're not going to touch that for now. Here in the Portal component, these are all the settings that are relevant for how this API will be consumed and visible in our developer portal, so we're
21:30 - 22:00 going to come back to this. One thing I wanted to show is the proxy. So the proxy is basically the backend service that this API is proxying. Now in our case we have to imagine that our team has already implemented the vacation backend service, so if I go here to Endpoints we have actually already imported our backend server URL that is actually serving the vacations API, and the reason why this one is there by default is because we have that backend set up in our API Designer component as the default
22:00 - 22:30 server for our APIs, so we don't have to go and change anything there. But this is effectively the backend service that we will be proxying to when we call this API right here on the gateway. Okay, so going back to the portal, there's a couple of things we need to do before people can go and consume this API: we obviously need to start the API to actually have it deployed to our API gateways, and then we also need to publish the API to our developer portal.
22:30 - 23:00 Now before someone can go and just consume this API in our developer portal we need to create one or more plans. So a plan in Gravitee is effectively the contract between a consumer and the actual API itself. So our plan could be for example a free anonymous plan that allows anyone on the internet to subscribe and call the API; it could be a locked-down plan, maybe using an API key that is managed for each of your customers;
23:00 - 23:30 or it could be something like an OAuth2-based plan that allows people to sign in using a mobile application with their credentials in Azure Active Directory to get access and call the API. We're going to start by creating an anonymous plan, so I'm going to say here, let's call this one 'free', with 'open for all' as the description. I'm not going to have any conditions or subscription type of settings, because this authentication type will be set to keyless. Okay, so
23:30 - 24:00 what I'm going to do though is, for anyone using this plan specifically when calling the API, i.e. not having any authentication, so anyone not making any authentication to this API, they will be enforced by a rate limit. So I'm going to say here that, okay, anyone that uses this API without any authentication can at most do five requests per minute. Okay, so let's start with just using this plan and then we'll add some other plans as we go along to see the different
24:00 - 24:30 types of user experiences we can have. So we published this plan; as we went through before, we published the API and we started the API. The last thing we want to do before we actually go and experience this API as a consumer is we want to go into the Documentation section here. So as we obviously imported this from our API Designer, we expect to find the entire Swagger definition right here for us, already configured. One thing we want to do is we just want to go into the configuration here, and I'm going to enable the 'try it' mode
24:30 - 25:00 so that people can actually try out and experience the API from within the environment in the developer portal. So I'm going to save that, and then finally I'm going to go into my documentation here and publish this documentation to the developer portal. Now coming back to our generic details here for the portal for our API, we could also make this public, meaning that no one needs to actually sign in to our developer portal to
25:00 - 25:30 consume it, which kind of makes sense because we have an anonymous plan anyway with a rate limit. But just to demonstrate, what I want to do is I want to assign a specific user to get access to discover and use this API. So rather than just myself as the primary owner, I'm also going to add another user here, so I'm going to type in 'alice'. Now Alice actually sits within my external identity system, and we're going to come on to that in a separate video, but for now I'm just going to add her with the user role here to my API.
25:30 - 26:00 Okay, so the next thing I want to do is I want to open up my developer portal. So this is the developer portal I've configured; I've just done some branding of the portal. What I want to do is I want to see if I can see anything here, so I can just go to the catalog. Now we don't have any APIs that are actually public, so I need to sign in to see any type of APIs. So I'll press the sign-in button here, and I can use a lot of different types of authentication: we can hook up with
26:00 - 26:30 Azure Active Directory, we can hook up with Google single sign-on, or in this case I'm going to use the snaplogic access management as a kind of teaser. Now that access management can then federate to multiple identity providers; I think we have more than 17 or so identity providers that we support. What I'm going to be doing is I'm going to be clicking this snaplogic AM button, then I'm going to select that I actually want to sign in with a fingerprint device or security key, and I'm going to type in my username, which is alice, and now it basically
26:30 - 27:00 prompts me here to sign in with my Mac Touch ID. So we do support a lot of different types of biometric sign-in means, and the user could sit basically in whatever identity provider is available. Now I'm signed in as Alice, so if I come in here to the catalog I expect obviously to find my vacations API available to me. So I can come in here, I can obviously view the documentation, and here on this documentation I can see our vacations resource. So obviously in our case we only enabled the search and
27:00 - 27:30 find operations, so we have the vacations one to get all locations and we have the one to get a specific one based on ID. So as we mentioned, we enabled the 'try it' mode on our documentation configuration, so if I just click that 'try it', put in, let's say, 10 as the ID of the location, and then I'll just hit the execute button. Now we got a response back here from our API; again it has the example mock responses, right, with our
27:30 - 28:00 discounts and our names. Obviously we didn't put any destinations in there, but the type of vacation etc. And it's actually calling the gateway here to get that mock response. But in order for me to actually start using this API I might in some cases need to subscribe to it. Now in our case, in this scenario, obviously we had an anonymous plan, so basically anyone can use it, so I would just be able to go and copy that URL. So let me just go
28:00 - 28:30 and do that. I can just copy it from here for instance, oops, and I can then go and just paste it in our browser to see what happens. Now we get that response; this is coming from the mock generated by our implementation. Now let's go and hit this a couple of times, so I'm going to make five calls here, and eventually it's going to say 'rate limit exceeded, you reached a limit of five requests per minute', and that's because on this plan we put that limitation that if you use this anonymous plan you're
28:30 - 29:00 going to have to wait a bit when you've used the API five times. So the next thing we want to do is we want to create another type of plan, a plan that allows you to use the API as much as you want; however, you need to first get approved and have your application subscribed to the API. So let's come back, let's sign in as my admin user here, so let's just go into my cockpit, we're going to come to that later, and now I'm signed in as my admin here
29:00 - 29:30 again to my console. Let's just switch environment here to my dev environment and go into my APIs. So for my vacations API I want to go into Plans, and now I want to create a new plan. So I'm going to call this one, let's call it 'protected', and for the description let's just say 'unlimited access to the API, however we need to subscribe to this plan'.
29:30 - 30:00 So you could set this to automatically validate anyone that subscribes to it, but I'm going to leave that off for now, and instead I'm going to set the authentication type to API key. So now it means that in order to call this plan you need to pass an API key, by default in the header. So we're not going to apply any restrictions on this; however, we could actually. So let's go and publish this plan. We could say that we actually want to add some more traffic shaping to your API requests and responses. So the Design part of your API
30:00 - 30:30 allows you to put any type of security or transformation policies and apply them to every request phase, so basically before the request reaches your backend service and your proxy endpoint, or you can have it applied to the response flow, which means that we apply the transformation or the additional policy after we have received the response from the backend service but before we give it back to the consumer that called the API.
30:30 - 31:00 So as an example here, we have already created for us a set of flows for our protected plan and our free plan. So obviously our free plan contains this rate limit policy configured for the plan, and our protected plan does not contain anything at all; obviously it has an API key based authentication on it. For the actual resources on the API, we have two API resources, we have vacations and vacations with ID, and we can actually go and apply specific
31:00 - 31:30 policies on a very fine-grained level. So we can actually go and apply policies on when you make a GET request to vacations, or when you make a GET request to vacations with an ID. Now as we imported this from a Swagger specification through our API Designer tool, automatically we are applying mock policies. So a mock policy is basically, in this case, looking at the Swagger example that we provided in the designer, and it's applying that in this mock
31:30 - 32:00 policy as the response, which means that the API call is not actually going to the backend service; instead it's returning whatever we put here in the mock response, which is automatically what we have based on the Swagger that we're using. So for us to actually reach the backend service I would need to go and disable or delete these policies. Let's go and do that for both of my resources right here, so I'm going to go and delete the mock responses that are returned by default. Now let's say for some reason that
32:00 - 32:30 when I call vacations with ID I can only do that from certain IP ranges, because maybe that's a sensitive operation. Maybe it makes sense in this case, but it could have been maybe a PUT operation where you want to have that only being allowed from a certain region or from a certain data center, maybe within your organization. So I'm going to say you need to be from, for example, this type of IP address, which is obviously not an IP address that I'm going to be on, but let's put that in. I'm going to save that IP filtering
32:30 - 33:00 policy. Now we have more than 40 policies here. Some of them are around security, such as API key, certificates, filtering on IP addresses; we have transformation type policies, such as transforming the headers or the query parameters or the entire body, either before the request reaches the backend or before it reaches your client, that is, the consumer; or it can be calling out to other services, it could be calling out to AWS Lambda,
33:00 - 33:30 it could be doing a type of validation on the requests, checking if there are the right type of query parameters or headers or whatever type of metadata that you want to check on before it reaches the backend. For now we're just going to settle with this IP filtering policy after we have removed those ones for the mock. So this is going to deploy this new version of our API. I will head back to our developer portal and just try to call this again using this API key. Now obviously first we need to do a subscription, so let me
33:30 - 34:00 come back into my portal here, and again I'm just going to make sure that I'm signed in here as Alice, which I am, so that's great. So let's go into Applications first; I'm going to create a new application. So what is an application? An application is basically an entity that can be the identifier of a consumer of an API. So in the case of a non-anonymous plan, right, so API key or OAuth2 etc., we need to have an application being the identity of the consumer that calls the
34:00 - 34:30 API. It will also mean that if I'm a developer and I create my application and I subscribe to a few APIs, it's going to allow me to view analytics and raise support tickets etc. based on my application. So let's go and create a new application. I'm going to call this one 'third party travel agent', for example, 'my application', something like this. I can have an image if I want to;
34:30 - 35:00 that's going to be fine. Okay, let's say that I'm going to build web applications. Now I could either go directly into the API, actually let's go and do that, or I could find the API here that I want to subscribe to, but as I mentioned let's skip this and just create our application for now, because we have this application now. So let me go into the catalog again, let me go into the list of APIs; I can only see the vacations API, so let's go into that one, and now what I can do is I can go here to the Subscribe section, and as we covered we have two plans: we have a free
35:00 - 35:30 'open for all' plan and we have a 'protected' one that gives unlimited access to the API. The free one has the keyless plan, and the protected one has this personal key using a manual validation, where someone actually has to approve us. So let's go ahead and hit next here and select our application, which is our third party travel agent. I'm going to say 'please approve your partner' or something like this. Okay, great, so I'm going to just validate that request, and then I'm going to basically require
35:30 - 36:00 an approval from the API manager. So let's come back to our console, signed in as admin. We can now see I have this little notification icon up here in the right hand of my screen; it says that I have a new task. So the application 'third party agent' wants to subscribe to the vacations API using the protected plan, and I can then go in and see the message as to why they want to be able to subscribe to this, and I can go and accept it. I can give a start and end date for how
36:00 - 36:30 long the key will be valid, but for now I'm just going to say that's accepted, to infinity effectively. I could renew the API key from here, I could revoke it, but for now let's go back to Alice in the developer portal. So when I enter my third party application here I can go into Subscriptions, and I'll see that my subscription has now been accepted by the manager. So that means that I have my API key, so let's go and try to
36:30 - 37:00 make a request using Postman in this case to get the vacations available. So let's go and copy this API key. Now let's open Postman, so I'm going to make a new request here. So first let's put in our header that we just copied right here and just save it for now, and then I'm going to be using the URL here. Now for our gateway, for our vacations API, I'm going to put it in right there. Now before I do that, let's just add something temporary right here, so let's say 'test' for example; let's try to call this.
37:00 - 37:30 Actually, let's add an ID as well, let's add ID. Now let's wait with that, let's just keep it like this. Now we should return here the JSON, the response from the actual backend service for the cruise information. So if I make a few calls here, what I expect now is that we should have, here we go, we reached our limit. So now if I add the actual key here for my header, so it's
37:30 - 38:00 'X-Gravitee', and this is something of course that you can customize, 'X-Gravitee-Api-Key', and then I pass this key here to identify me as a consumer, through my application, to this API. So now I make this call; you can see I could make as many calls as I want, right, because remember we didn't have a rate limit on our API key plan. However, if I do forward slash 10 here to call the resource for the vacations with ID, if you remember we added a policy to
38:00 - 38:30 protect that one to only be accessible from certain IP addresses, right, so in my case I'm not going to be allowed to do that. Now what I can do as a third party here, or someone that has an application, is that I can of course go and add other people, maybe my colleagues, my developers, as members to my application, so they might also use the API key to call APIs. I might subscribe obviously to multiple APIs if I want to. I can also view any type of analytics
38:30 - 39:00 information, right, so let's have a look for the last five minutes: we can see we've made a couple of calls here to vacations and vacations with ID, and you can see that some of the calls have been successful and obviously some of them have not been successful. We can see some nice graphs here. I can also view where I'm calling this API from; so I'm in Sweden, so we can see that that's where the API calls are coming from. And obviously a manager could then customize dashboards, and of course you can see other types of metrics and information
39:00 - 39:30 available in the API Management console. So far we've covered the API Designer and how we can import APIs designed in the API Designer into API Management. We've looked at how we can expose one of our APIs through a developer portal using multiple types of plans and authentication. We've had a bit of a look at how our policies work, in terms of IP filtering and rate limiting as some of the examples we've used.
39:30 - 40:00 The next component I wanted to focus on was the Alert Engine component. So Alert Engine is basically a set of alerting capabilities across all of our products. So in the API Management product you can set up alerts for the health of your environment; actually, consumers and application owners can set up alerts for their end-user, third-party information. So if you, as a user, someone owning an
40:00 - 40:30 application, want to set up an alert in case of the response time taking too long, you can actually do that from the developer portal. And as an administrator and as an API manager you can set up, as I mentioned, health checks, and you can set up things specifically on an API level, which is what we're going to do in this demonstration. So what I'm going to be doing is I'm going to go into my API console. So here's our vacations API, and I want to set up an alert in case
40:30 - 41:00 someone calls my API and the response back is a 404. So if someone is trying to access something that doesn't exist, I want to be able to get some type of alert; in my case I want to subscribe to such alerts using my Slack channel. So how do I do this? Well, I go into Alerts here for my API, I'm creating a new alert, I'm going to say that I want to call this one 'resource missing' or something like this, I'm going to enable this alert, and I'm going to say that this alert is a warning type of alert.
41:00 - 41:30 Now as the rule, we have a lot of different types of rules here in order to look for aggregations and thresholds. I'm going to say specifically I want to alert when a metric hits a specific condition; specifically, I want it to alert when we have a response code being a 404. I can have a time frame here; maybe I wanted to say that I only care in the middle of the night when other people are not actually managing the system, but in this case let's go ahead and say that we want to have these notifications on alerts
41:30 - 42:00 happening whenever it happens. I can check the response time, I can see the upstream response time from the underlying API; in my case I'm going to have a look at the status code. So if the status code is between, so we could have had more here, but let's say just 404s is what we care about. Now we can filter on different other elements of the API request, but let's keep that for now. So any call to our API that returns a 404, we want to have a notification. So for a
42:00 - 42:30 notification we would first have to set up dampening. So dampening is basically allowing us to not get spammed, effectively, in case something happens very, very frequently; we can have different types of dampening on the notifications. Let's keep the default for now, and I'm going to add a Slack channel here as part of my notification. So I've set up a Slack channel already that's called 'alert engine', and I also have a token that I can use that I've set up on Slack, which is
42:30 - 43:00 obviously out of scope for this demonstration. Now for the message here I can obviously put any free text, but I can also use our expression language to effectively build up a dynamic message based on the information in the request. I'm going to be a bit lazy here and just copy a message that I've prepared. Basically I'm saying that this name of the API returned the response code, 404 in this case, from the user, and here I'm just taking the browser information from the user agent
43:00 - 43:30 that was in the request, and also taking the country code and the continent. So let's try this, let's create this alert. There we go, and now what we need to do is obviously we need to go into Postman and we need to make a 404 request. But before we do that, let's open my Slack channel here. So I have a Slack channel here; we have no messages other than from myself, but we also have this Slack bot available here in this channel. So
43:30 - 44:00 back to Postman; this is where we obviously managed to make our request to vacations. What if we now enter something that doesn't exist? So let's say we try to use 'trips' here instead, in this case. Now what we expect is we basically get a 404 from the backend service, because it's still trying to reach that, but we cannot get v1/trips. Now what I expect here, if I just go back to my Slack channel, is I got a message here from the alert saying 'vacations API returned 404 from user PostmanRuntime',
44:00 - 44:30 which is my user agent, in this case my browser, in Sweden, Europe. So that's just an example of how we can work with alerting, and as I mentioned we can also set up alerts on suspicious behaviour of users through the identity platform, for example too many password resets; we can set up alerts on a platform level, e.g. is your gateway hitting a specific CPU threshold that you want to monitor; and also third parties and consumers can
44:30 - 45:00 set up their alerts from the developer portal. So the Access Management component, we've actually already used it a bit when we signed in to the developer portal using our fingerprint. Now in this use case, what we want to do is, obviously we have this vacation API now, and one of our partners might want to create a website, or maybe we want to create a website, where users can sign in and maybe view their applications and their offers etc. So they need to access the API, and it wouldn't make sense for each of
45:00 - 45:30 those individual users to create their own application and register in a developer portal. Instead we want to make it a web-based experience where people just sign in; in our case we can actually let them sign in with their Google account, and then we will basically authenticate to the API using the token that we get from the Access Management component. So the flow of this demonstration will basically be as you see on the screen. So it's going to start with our application, in that case represented by a web page in the browser, that is going
45:30 - 46:00 to authenticate the user through the Access Management component. So the Access Management component will have an application registered for that website; it also will have, and we're going to set it up, a Google identity provider, so we will actually let users sign in with Google. As I've mentioned, we can have a lot of different types of identity providers, all being federated through the Access Management component, and if the user is allowed to sign in, we're going to give an access token to the application, i.e. the browser and
46:00 - 46:30 the website, and then the application, the website, will use that access token when it makes the call to our API, which is our application API. And if everything is okay, and the token is validated with our Access Management component and everything looks good, we're then going to forward the call to our backend service, which in our case is obviously our application API backend. Now one other change we need to make here is we need to add a new plan to our vacation API, and actually we may want to revoke
46:30 - 47:00 one or two of the plans that we already have, right; we want to maybe remove the anonymous one, or maybe we want to remove the API token one as well, and deprecate those plans and only use our new secure OAuth2-based plan. And this is what our Access Management console looks like. We're currently looking at the dashboard, where we can see different metrics in terms of the number of applications we have, and how many users are signing up and signing in to the different applications. So let's start by creating a new application. We can either do that from here, or we can go to the Applications panel here; we already have a few applications set
47:00 - 47:30 up. So let's go and create a new application, and let's create a web application, because this is effectively going to be the application that is used in our website. For the name here I'm going to say, let's call this 'vacation web app', something like this. I need to give it a redirect URI, so that when we sign in we know what web page to reach when we have been signed in successfully and want to redirect back. So this is the web page, the server URL, for my web
47:30 - 48:00 page that we will use as the vacation application. Then for client ID I need to put in a client ID here that I already have prepared in the website. So the website is already prepared to try to reach an application on the Gravitee Access Management gateway, and it already has an ID it's using here, so I'm just going to type in 'gravitee travel client' here, and I'm going to let the secret automatically populate. Okay, so now we have our application here.
48:00 - 48:30 Now before we try it out we want to do a few settings first. So one of the things I mentioned is that we're going to sign in with Google. So in our application we have this concept of identity providers, so I can go here and I can enable some of the identity providers that have already been configured. So we have Azure and our default one and Salesforce. Now the ones that you see here depend on what I have set up here as part of my security domain's available identity providers. So let's go and create a new one for Google. So I'm going to go into
48:30 - 49:00 Settings, I'm going to come in here to Providers, and here we see those four that I've already created. I'm going to create a new one. So these are some of the identity providers that we support; some of them obviously have very generic protocols, like HTTP and LDAP and JDBC, OpenID Connect etc. Now specifically I want to use this Google one, because I want to have Google SSO as part of authenticating users to go and get their vacation information. So let's call it 'my google idp', something like this,
49:00 - 49:30 and I've already created a client ID and client secret in Google, so that's kind of out of scope for this demonstration. Okay, and that's it, so I'm just going to create it like that. Okay, so now if I come back to my vacation web app application right here and I go into my identity providers, I expect to have this new 'my google idp'. So let's enable that one; obviously you can have multiple ones and allow the user to sign in with multiple types of identity providers. And then we can actually use our Design component to do things like, we can obviously brand how the
49:30 - 50:00 authentication, sign-in and consent screens look. We can also create what we call flows, which is very similar to how we do it in the API Management component: we can say, if you sign in with Google, then actually we're going to call a third-party HTTP service, or we want to enrich your user profile based on certain claims and scopes etc. For now let's just focus on our OAuth2 type settings. So the web application is going to use client credentials as the grant type, so let's enable
50:00 - 50:30 that for now. What we also want to do is we may want to have the user's profile being part of the sign-in; let's say maybe we can display the profile picture of the user. So the ones we're going to want here are the openid scope, and we also want to use the profile scope. You can extend scopes and you can add your custom claims, but let's just focus on getting this thing working with our API Management component for now. So let's just go and save this.
50:30 - 51:00 There we go. Okay, so we have this application now. What we can actually do is we can go in here to our overview; you can actually try the login flow already from here. Let's try this in an incognito window, just making sure that I haven't signed in. So what you see here on the screen is basically our default branded sign-in flow, and again you can customize these very easily, and for now we only have that Google identity provider available to us. So let's go and select that one; it's going to take us, and this is, yeah, let's change the language here quickly to English. All right, so I'm going to enter my
51:00 - 51:30 Gravitee Google account details here, so I'm just going to sign in with that, I'm going to sign in with my password, and now hopefully, okay, it's actually asking me for a two-step verification. Let me just quickly go in and enable that; that's what we use here at Gravitee in terms of signing in to our system. So I'll just pass that check now using my mobile phone. Okay, great, so now I'm signed in and the redirect URI now takes me to this browser here. Fantastic, okay,
51:30 - 52:00 so let's close that down. So now we're proving that we actually have this working, and now we obviously just want to integrate that with our API Management component. So back in the Gravitee API Management console we're going to come into our API, the vacations API, and the first thing we want to do is we want to actually create a resource for the API. So a resource could be for caching, or it could be, in our case, for connecting the Access Management application to the
52:00 - 52:30 API. So I'm going to go here into Resources and I'm going to specify this one called the Gravitee.io AM authorization server. Now for the resource name we can call this anything, so let's go and call this one 'gravitee am', and for server URL I'm going to use my Gravitee AM server URL; this is the latest version of the Access Management component, this is the name of my security domain that I've created, and now we just need to copy over the client ID and client secret. So the client ID we know, we can just go here and copy it and make
52:30 - 53:00 that a bit quicker for us, and then the client secret has been automatically generated; we don't really know what it looks like, and we don't really have to. And for now let's be happy with that. And for the plans here, what we can do is we can actually go and deprecate our two previous plans, so we're not going to support any open, or actually any API key based, authentication anymore; we're going to have a new plan now. So let's go and create that, and let's call this one 'OAuth2 plan', very creative, 'only to be used
53:00 - 53:30 with registered applications'. Okay, and let's try this out with auto-validate subscription, which means that anyone that applies to this with an application will actually be automatically validated; we don't have to go as an admin and approve everyone. Let's just do that for now, just to demonstrate what that looks like. Now for authentication type, we've already tried API key and keyless; now we're going to try the OAuth2 one, and now for the OAuth2 resource we should be
53:30 - 54:00 able to see our 'gravitee am' resource right here. We could enable the 'extract OAuth2 payload' option; that would mean that in the design of our API, where we use our policies, we could actually for example extract the user's profile, username or ID or something like this, and send it to our backend vacation API to only extract their vacation offers, for example, from the database. But for now let's just not do that and just focus on getting the authentication there. We're going to save this as is; we're not
54:00 - 54:30 going to apply any rate limiting on this plan. So now we only have our new OAuth2 plan; let's deploy this API. And the next thing we want to do is we want to create a new application within our API Management piece. Now obviously there are concepts like dynamic client registration that we support, which allows you to automate the client registration across your access management and API management application lists, but for now let's just go and type in a name here. So let's go and do 'vacation',
54:30 - 55:00 let's do 'vacation web app'; it kindly saved that from last time. And let's just write 'temporary' for the description. Then for the type let's type in 'web', and for our client ID we need to have the same client ID as we have in our Access Management and in our web page application, in the browser code. So let's use the 'gravitee travel client'. Now in the last demonstration we went into the developer portal to subscribe to an API;
55:00 - 55:30 now here let's just go and use the subscription inside the console, which we can also do. So I'm going to subscribe to that, and as we mentioned we didn't use the approval process this time, it's automatically validating the application. All right, so that should be it. It is creating the application, there we go. So now we have this application; it should already be subscribed to our vacations API, so that should be all good. Now the next thing we want to do is actually try this out, so let's again
55:30 - 56:00 open an incognito window and go to my web application. This is just a very, very simple HTML-based application that we have created; we call it the vacation planner, and I should be able to view my vacations here. When I click "view vacations", what's actually happening is the browser is sending a call to our vacations API. Now if I try that it's going to say unauthorized, right, because we do not pass a token at this point, and remember we removed the anonymous plan, so no one should be allowed to use this vacation API.
56:00 - 56:30 But what we want, of course, is for the application here, the browser, to be allowed to call this vacation API if a token, a valid token, is applied as part of that OAuth2 plan. Okay, so now I'm going to go and press the sign-in button here. It basically takes us to our sign-in flow that we kind of previewed before, but now it's fully integrated in a web application, meaning the user is actually signed into the application. So let's go and use this "my Google IdP" here again. Again I'm going to switch to English here and I'm going to type in
56:30 - 57:00 my Gravitee username and my password, and I think this time it's not going to ask me... well, it will ask me for that two-step verification again. That's great, so let's just open up my mobile application and approve that. Okay, good, so we've signed in, and now we can see here that we're actually signed in as my user. Now this web application is not implemented to support the profile picture, but it could be, so we actually do have access to it; for now we're just using this username here that we got from Google.
57:00 - 57:30 Now if I press "view vacations" here again, what's going to happen is that we're going to pass the token that the browser now has for that user that's signed in using the Access Management component, and then our API will use the resource to validate the token against the API... sorry, the Access Management gateway. So let's try and see what happens when we press the "view vacations" API call again. There we go, we got the full response here from the backend, right? So
57:30 - 58:00 what happened again was that the API call was made to your API gateway, and we passed a token, a bearer token, that we got from the Access Management piece, and that was then validated as part of the API call from the gateway. We could have used things like OAuth2 scopes and different claims to, you know, propagate the request back to the backend service with some user information based on who signed in, but for now we were happy with this. We managed to add another layer of security on top of our
58:00 - 58:30 API and remove the API key and the anonymous access, and securely rely on OAuth2 with a Google identity provider providing the user information and the user access. So we've gone through most of these components. We've seen how the API Designer can be used, with a drag-and-drop and very easy-to-use approach, to define API Swagger and OpenAPI specifications. We've seen how we can import those into API Management and protect and
58:30 - 59:00 control the traffic to our APIs and how we expose them using the API Management component. We've seen how we can get alerts to mediums like Slack, and we've seen now how we can use the Access Management component to add another layer of security on top of our APIs. The Cockpit is a component that basically sits on top of all other components. It's used to provide a single pane of glass for monitoring and controlling your entire Gravitee installation base. So let's go and explore what the Cockpit looks like.
59:00 - 59:30 So this is the Cockpit landing page. I have my organization set up here, or rather my account, called linhack. This is where I have my Gravitee installation and environments. Now the top-level entity under an account here is an organization, so here I have one, Group IT. This could be, you know, regional organizations, it could be departments; it's completely up to you how you want to structure and create this hierarchy of assets and relationships. Now within an organization
59:30 - 60:00 you would have one or more environments. Here I have dev and prod, for instance, so it allows me to have a separation of users and assets across my different virtual environments. Now what you see here is that I have a single installation of my Gravitee API Management component, so a single installation but still allowing multiple environments. This is again completely up to you, if you want to have a single environment with a one-to-one mapping to a single installation, or,
60:00 - 60:30 as in this case that I've selected here, to have two environments being provided by a single installation. So I can just press the login button here and it's going to take me to my Gravitee API Management console, and I can just switch here between dev and prod that I've set up in the Cockpit. Adding a new environment here allows me to have an additional environment as well in my Gravitee API Management component. So just giving this a refresh here, and what it now tells me is that I have a pending installation for my Access
60:30 - 61:00 Management component. I'm not going to go through the process of installing and registering your Gravitee installation with the Cockpit, but that's what I've done here, so now I have a pending installation to go in and allocate to one of my environments. Let's go and do that. I'm going to select this Access Management installation to be part of the Group IT prod environment, so I'm going to accept that, and then what I'll also do is go into my dev environment here under my Group IT
61:00 - 61:30 organization, and I'm just going to select that for AM; I also want to associate that with my dev environment. So there we go, I should now have linked both of them, and that gives me the ability to sign in using this button right here. This is my dev environment, I haven't created anything in there, and then the one where we did our work was our prod environment here, where we have our application. So now I have two environments here, easy as that, and I can get a good
61:30 - 62:00 overview of how it all fits together, now here with our dashboard, seeing that our new AM component has been associated with both the prod and dev environments. So just going into the Group IT dashboard here of my organization, I get a clear picture in terms of how the different components are up and running. It looks like our gateway still hasn't registered, as we just installed it, but we have information here, for example, that our APIM gateway is up and running. We can go and see more
62:00 - 62:30 health information about that particular component. And as we covered with the Alert Engine, the Alert Engine is coming soon in terms of integrations; it's probably already there in the release as you watch this video. The idea of an Alert Engine within the Cockpit is to alert and allow you to subscribe to notifications across organizational events that happen within your environment, such as a node going down, etc. So that's how the Cockpit works.