TechEd2018 Revisited - API-First Reference Architecture
Detlev Belser - 07.01.2019
SAP TechEd Session CNA241

buco Business Consulting GmbH presented the Cloud and API-first reference architecture together with Wolfgang Hiemisch from Globus SBW Warenhaus GmbH & Co. KG at TechEd.
Session CNA241: How Globus leverages Gigya & SAP Cloud Platform for its API-first strategy
We presented the following topics:
- Globus Cloud and API-First Architecture
- Use of Gigya and API Management
- Implementation of security strategies with JSON Web Tokens (JWT)
Architecture Derivation


IT architectures and IT structures in customer-facing environments must meet different requirements than those of classic "System of Record" IT.
Traditional IT is optimized for cost efficiency and operational stability. "Customer IT", on the other hand, must be focused on innovation and customer experience.
Customer IT must be dynamic, flexible, and agile. This requires a digital transformation.
To serve the various customer channels, e.g., mobile app, in-store, or website, two central components are needed. First, customer identities must be made available across channels. This is made possible through centralized Identity and Access Management. Second, data and services must be provided centrally for all channels via API Management and integration.
Some of these services must be provided by systems of the "System of Record" IT. These are often existing on-premise systems, which must be exposed securely and resiliently through API Management via the Cloud Connector.
To offer additional innovative services exposed via API Management, further flexible cloud systems are needed. These can either be services from external providers such as Amazon SES, or custom developments for distinctive, innovative services.
An example of custom microservice development is Globus's FuelAPI. The blog TechEd2018 Revisited - FuelAPI explores this in more detail.
Implementation


The implementation at Globus was done using the SAP Cloud Platform and Gigya, which has meanwhile been acquired by SAP.
The SAP API Management and Cloud Platform Integration (CPI) are central components for providing services. Gigya serves as the central Identity and Access system in which all customer identities are managed.
SAP API Management and Gigya provide all required services as RESTful (JSON) APIs. SAP Cloud Platform Integration handles the processing of asynchronous (background) services.
The solution, which has been operating successfully for over six months, has already revealed insights that may lead to further optimization. For example, it is advisable not to consume the Gigya APIs directly from the channels, but to expose the Gigya API through API Management. Among the reasons are the security aspects of the same API being used by several different channels.
Another very important factor for a successful implementation was the availability of the SAP Cloud Connector. The Cloud Connector allows secure and scalable access to on-premise systems via API Management and CPI. Here too, some important insights have already emerged during operation, e.g., the use of separate Cloud Connector instances for development, testing, and production to increase resilience while remaining agile and flexible.
JSON Web Token

The security aspects of the solution must play a particularly important role in customer IT. Customer data must be protected to the highest degree, and data protection regulations set a very strict framework and possible sanctions here.
The challenge in the Globus architecture is that, outside of Gigya, customers do not exist as users in the systems, but only as data. It must therefore be ensured that a customer only has access to their own data.
The solution for this is JSON Web Tokens (JWT).
- JSON Web Tokens conform to the open standard RFC 7519
- A method for securely passing claims between two systems
- JWT is signed with the private Gigya key
- JWT signature verification via the Gigya public key
- JWT payload contains customer attributes, e.g., the card number
In API Management, the JWT is evaluated and validated through policies. Only valid JWTs enable access to customer services. Invalid JWTs are rejected by API Management.
If you are interested in a detailed presentation on JSON Web Tokens and API Management or have questions about this blog post, you can contact me by email at d.belser@buco-consulting.de.