How WSO2 API Manager caches work with ditribute mode.

I'm adding small note on cache that helps anyone to understand how cluster caches work in WSO2 API Manager. Please note this is applicable for only WUM updated API Manager 2.1.0 and later versions and API Manager 3.0.0 or later versions by default.

Cache invalidation can happen in the following three ways.
  1. Ones that get synced with other nodes in all cases (add, update, delete)
  2. Ones that get synced with other nodes only on updates & deletes.
  3. Ones that does not get synced with other nodes and only depend on the cache timeout.

We have three types of configs related to this,
a. ForceLocalCache config in carbon xml
Enabling this will do two things,
(i) Change all caches in the server to act as local caches
(II) Enable cache invalidation listener
b. IsDistributed flag in respective cache configs
Setting this value to false will just make that specific cache to act as a local cache.
c. Clustering configuration in axis2.xml
Having clustering enabled with the respective cluster configuration is needed to

When we have ForceLocalCache set as true (If we have ForceLocalCache set as true OOTB) and,
  • when the clustering correctly in place all the caches will work as #2.
  • when the clustering not configured all the caches will work as #3.
When we have ForceLocalCache set as false (Older versions of IS products have the ForceLocalCache set as false OOTB) and,
  • When the clustering correctly in place,
    • For caches marked as IsDistributed true will work as #1
    • For caches marked as IsDistributed false will work as #3
  • When the clustering not configured all the caches will work as #3 regardless of isDistributed true or false.
More details - https://docs.wso2.com/display/IS560/Setting+Up+Deployment+Pattern+1


Different Token Types and their Usages - WSO2 API Manage


Different token types and their usages

In this section of this document we have discussed about different token types and their usages in detail. Whenever users create applications to consume APIs they have choice to select application type. Application type can be JWT or OAuth 2.0. Based on the requirements users can select app types.

JWT token retrieval process and use for API invocation

WSO2 API Manager 3.0.0 have the possibility to use JWT Authentication as an alternative to invoke APIs. WSO2 API Manager supports the use of self-contained and signed JWT formatted access tokens as API credentials. When an API is secured using the OAuth2 security scheme, the JWT tokens that are issued for the users from the Developer Portal can be used to invoke APIs.
Figure - Security Flow


You need to first get a JWT token from the WSO2 identity server(or API Manager) by using the token endpoint with the password grant type. You can use the below mentioned curl command to get a JWT token

Curl -u : -k -d “grant_type=password&username=testuser&password=testuser” -H “Content-Type:application/x-www-form-urlencoded” https://localhost:8243/token

Here you need to replace the : with the relevant values of the service provider which is configured at WSO2 Identity Server. This will return the JWT token with a response similar to below.


{“access_token”:”eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJqb2huZG9lQGNhcmJvbi5zdXBlciIsImF1ZCI6WyJpcGtXTnlGMWZYdTRNYlNoRTZ2YUpHTkdrRElhIl0sImF6cCI6Imlwa1dOeUYxZlh1NE1iU2hFNnZhSkdOR2tESWEiLCJpc3MiOiJhcGltLWlkcCIsImV4cCI6MTUyODM2ODEwMCwiaWF0IjoxNTI4MzY0NTAwLCJqdGkiOiIxOTQxYmY5YS1jMTJkLTQ3NjYtOTMzMi02ZTg1YTNlNzI2MTIifQ.MiAZkGcOrog6KKYs5V1zED_ojQVs0vxZyFjPVjk29CPATaAEgpmH2Rq56kHJqhE3uQk4oSgMDJzp-Zk2CNPIRJYzy8pJaeP-gEE54NvRfDe1WHZJl72AAtEz9wEIQiKxkI4ZFdMlsnqmIdv8c0_lEfU4BXpH8Uho_Vatsvklv54WLEbSvHzf3M-0dioRnBDEf7xsImkcTGEsbulcKMNw9DOQFxlGLUv7r-qJIh9NUNlf0V7vXE9lVPaBSS8YDGKsjOV-PqnMAtmF6uL4eN36vcqMT5QP0C0s3pFJdz_YxEoN8xnrEn8_UNiJlZ-IxWooRFqQxFJri7fd4hlveoAKIQ”,”refresh_token”:”f723c75a-dd06–3b5e-99a6-b5291f3cab28",”token_type”:”Bearer”,”expires_in”:3600}



OAuth 2.0 token retrieval process and use for API invocation

OAuth 2 (Open Authorization) is an open standard for access delegation. It is used for token-based authentication and authorization. This standard is used by many technology providers, such as Google, Facebook, and Twitter. By using OAuth 2, it is possible to grant access to a secured resource (with an access token) for a specific period of time. Once the lifetime of that access token expires, the consumer has to refresh the token to obtain a new token.

By default, WSO2 API Manager’s key manager component is responsible for handling token-related operations. The key manager properly decouples operations to create OAuth applications and validate access tokens in OAuth 2.0 scenario. As a result, we can plug in a third-party authorization server for key validations if needed (e.g. WSO2 Identity Server or any other server which supports standard OAuth 2.0 protocol).
Figure - API Gateway processing flow


When a request comes to the API Gateway (i.e. when consuming an API), it will be validated with the key manager; access token validation occurs at this stage. The request is allowed to reach the backend endpoint only if the token is a valid token. This ensures that services exposed via APIs can only be consumed by authorized parties.
Figure - Security Flow


From API Manager 3.0.0 onward JWT token will be returned as default token. Before APIM 3.0.0 it was opaque OAuth 2.0 token. In below table we have listed features of both token types and their usages.

JWT
OAuth 2.0
Token revocation
Can do. Need ETCD(only for micro gateway) and JMS topic subscription to notify revoke tokens to gateway.
No need as token validation always happen against key manager when cache missed
Certificate Management
Need to have the same pair of keys as public/private cryptography used to validate signature
No need as token validation happens via service call.
Performance
Signature verification takes some time, no service calls or external communication
Depend on key validation flow, network delays and key manager side speed of processing
External Dependency
To validate JWT token API gateway do not need to communicate with key manager. JWT can be validated within gateway.
API Gateway need to communicate with key manager and validate access token.
Client Implementation
JWT and OAuth 2.0 access token generation and management almost same.
JWT and OAuth 2.0 access token generation and management almost same.
Scaling
When JWT token used API gateway do not have a dependency with external component such as key manager. Hence gateway can scale alone.
Gateway have dependency with key manager and scaling gateway need to scale key manager as well.

WSO2 API Manager Microgateway and Gateway Feature comparison - API Gateway vs. Microgateway 3.0.1


API gateway and microgateway can be compared in different aspects. Decision to select either of the gateways can be hugely depend on the architecture, design and deployment. Both of the gateways have most similar features and functionalities, but underlying works in a different manner in order to cater the purpose it was designed to. In this article we will discuss about different features supported by by each gateway type. Please note this comparison applicable for API Manager 3.0.1 version only.

Design and deployment comparison


API Gateway
Microgateway
Architecture
Designed for monolith
Designed for microservices
Horizontal Scaling
Scaling can be done with other components. As example traffic manager and key manager need to scale along with gateway.
Can scale independently as not direct run-time dependency with other components. Security, throttling validations happen within microgateway.
Deployment distribution
Centralized
Decentralized
Runtime footprint
Designed to run on high performing computers with high load (memory and high cpus)
Lightweight and can run on computers with low performance.
Isolated lock down environments
Limited functionalities(affect on throttling/ analytics)
Designed to work in a network isolated environment
Could ready
Yes
Yes
Automated API CI/CD flows
Supported using CLI tools
Supported with CLI tools
Update APIs
Mutable gateway, updating APIs supported
Immutable gateways. Rebuild the gateway upon updating the API

Security Comparison

API Gateway and microgateway both support different security mechanisms.

API Gateway
Microgateway
Oauth2 opaque tokens
Yes
Yes
Oauth2 self contained tokens
Yes
Yes
Mutual SSL
Yes
Yes
Basic Auth
Yes
Config based supported, can not plug user stores
API Keys
Yes
No


Feature Comparison

API gateway
Microgateway
SOAP back ends
Supported
Supported
REST APIs
Supported
Supported
JMS back-ends
Supported
Not supported
GraphQL APIs
Supported
Not supported
GRPC Services
Not supported
Not supported(will support in 3.1.0)
Web socket APis
Supported
Not supported
Custom mediation/transformation
Supported
Supported
Advance throttling(bandwidth, headers, IP address)
Supported
Not supported

Empowering the Future of API Management: Unveiling the Journey of WSO2 API Platform for Kubernetes (APK) Project and the Anticipated Alpha Release

  Introduction In the ever-evolving realm of API management, our journey embarked on the APK project eight months ago, and now, with great a...