Examples of web services with basic authentication on the internet? - json

Are there any web services available on the internet which require basic username/password authentication?
Any kind of service would do: SOAP, REST, JSON, XML style...
I need one for my testing, but it looks like most web APIs these days are either publicly available or use OAuth.

The HTTP Client Testing Service at httpbin.org offers this functionality for testing.

Related

API specific page in Azure API Management Developer portal

I'd like to have a page or a section of information that only is relevant to a specific API. Is that possible in the new portal?
In this case it has to do with information about event data that is sent out (to webhooks) when new items are created and that are then available in operations for the API. If it's not possible to have an "API-specific" page, where would you put something like this?
I believe in this case you are trying to add some sort of static page or documentation to explain the functionality of a specific API. You may refer to this. As mentioned in the thread, you can try with swagger but in the APIM portal it might not work immediately. The Microsoft product team has confirmed that they are working on improving support for OpenAPIv3. The ETA is about end of September.
However, you may also check the self-hosted gateway feature
The self-hosted gateway feature expands API Management support for hybrid and multi-cloud environments and enables organizations to efficiently and securely manage APIs hosted on-premises and across clouds from a single API Management service in Azure.
Official Documentation

Considering Tyk API Gateway - open source version

Project background: Building an API driven Learning Management System. The back-end system will be receiving data from multiple systems and interfaces: web, mobile, VR.
Looking at API Gateways to front our APIs. Preferably an Open Source API gateway but need to be sure that the support and service is available. Tried out Tyk.io and it feels like it might be the way to go. Been reading other StackOverflow threads around this and looks like TYK's gateway fares quite well against the likes of Kong and WSO2.
Main areas of consideration for us are:
Rate-limiting
Open ID Connect authentication
Analytics
Scalability
Hybrid model of hosting - combination of on-prem and cloud depending on compliance requirements of educational institutes (Probably rules of AWS' gateway)
It would be really helpful if anyone who is using or has used TYK.io for their production projects can share their experience, especially for enterprise clients/projects.
Full disclosure: I work for Tyk, so of course think that Tyk is the best fit for your project ;)
Seriously, though - Tyk can do all those things you’re after. Here are some links to the documentation for each item that is big on your list:
Rate-limiting
Open ID Connect authentication
Analytics
Scalability
Hybrid model of hosting
You can also post on the Tyk community for help, if you haven’t already, or search to see what else others have said.
The Tyk Open Source API Gateway will do everything you need, even outputting analytics to different sources, like ElasticSearch, Mongo or just CSV.
In addition, you can also use our API Management Platform to control your open source gateway. The Tyk API Management platform includes a Dashboard with analytics and out-of-the-box developer portal. Tyk is free to use, under a developer license, to manage a single gateway node, ideal if you are doing a POC.
Hope this helps and please keep in touch to let us know more about your use case.

CAS SSO for both web and stand alone applications

I know CAS and I understand how it works in web application contexts; now my customer would like to have an SSO system capable of managing several applications (both stand alone and web applications).
I saw the RESTful APIs provided by CAS; I'd like to use these APIs in my scenario but I'm missing how to use them.
Now...let's suppose I have the following applications:
java swing application
visual basic application
web application (Java based)
What I would like to do is to use the CAS APIs in order to do SSO so that a user logged in to one of the previous applications no longer has to log in to the others. Is this possible? If so...how may I do it?
I guess that the first thing to do is to do the request for a CAS ticket but then....how can I share this ticket between applications? Is there any good way and/or best practice to follow?
Thank you
Angelo
I already replied on the CAS mailing list: https://groups.google.com/forum/?fromgroups#!topic/jasig-cas-user/yhTwvj6-Sko...

Differences between API development platform e.g APIGEE and ESB

My team and I will be working on APIGEE, which is an API development platform, to expose some services in our application. I am going through their documentation and also trying to understand the need for APIGEE or any other API development platform like Mashery. The need for an API proxy has been very well explained in the article at the given link, http://apievangelist.com/2011/06/11/the-battle-for-your-api-proxy/
One question that I am confused about is: what is the difference between APIGEE and any ESB like ALSB or Mule? We know Apigee too supports message transformation via policies and protocols like http/https/soap.
Can anyone please tell me the differences between the two? Does an ESB support more protocols like SMTP/JMS etc.?
Any information is most welcome
Though the definition of API management is still evolving, API management is defined as transforming APIs to reach your target audience [here is a good description: http://searchcloudapplications.techtarget.com/definition/API-management].
This technology has its roots in SOA but is different from ESB.
ESB is more for system-to-system integration but API tends to be securely exposing your internal systems in a managed fashion to a wider audience - we call them "developers".
ESB tends to be equipped with many adapters and strong message oriented middleware for supporting different interaction patterns. It is also generally coupled with business process management software to automate internal processes by integrating multiple services or systems.
API management also does some integrations and orchestrations but the focus is more on simplifying the interfaces for easier consumption of the services - that's why it always comes with developer on-boarding capabilities, security, caching, API design, OAuth etc.
Apigee gateway service [ API management platform ] has support for limited JMS and SMTP functionality serving our diverse customer base and our technology stack is capable of building other protocol support.
Many API management products [including Apigee gateway] also include API analytics to help you get insight into your API program and API traffic.
Nowadays, APIGEE and Mule are direct competitors in the API management offering realm. In the case of Mule, there was a great transformation in the company, towards API-ification of all systems. The current Mule runtime is integrated with strong API management capabilities including analytics (functionalities from the former Mulesoft API Gateway product, which was merged into the Mule runtime since v3.8.0), as well as the usual ESB capabilities. Further info is available at the Mule dev doc site.
API Management & ESB are two different capabilities which may have little overlap in terms of exposing the integrations themselves as APIs, which Mulesoft does.
Apigee also supports a few ESB capabilities but it's not as exhaustive as Mulesoft. Of course ESB is a bigger scope & if you don't need that capability & just need API management with full API lifecycle, Mulesoft & Apigee both serve that need.
Personally I am a big fan of Mulesoft's API policies, which come out of the box & it's an exhaustive list.

rest api for 3rd party customers (AAA)

I am currently working on a REST/JSON API that has to provide some services through remote websites. I do not know the end-customers of these websites and they would/should not have an account on the API server. The only accounts existing on the API server would be the accounts identifying the websites.
Since this is all RESTful and therefore all communication would be between the end-user browser (through javascript/JSON) and my REST API service, how can I make sure that the system won't be abused by 3rd parties interested in increasing the middleman's bill (where the middleman is the owner of the website reselling my services)? What authentication methods would you recommend that would work and would prevent users from just taking the js code from the website and calling it 1000000 times just to bankrupt the website owner?
I was thinking of using the HTTP_REFERER, and translating that to an IP address (to find out which server is hosting the code, and authenticate based on this IP), but I presume the HTTP_REFERER can easily be spoofed. I'm not looking for my customer's end customers to register on the API server; this would defeat the purpose of this API.
Some ideas please?
Thanks,
Dan
This might not be an option for you, but what I've done before in this case is to make a proxy on top of the REST calls. The website calls its own internal service and then that service calls your REST calls. The advantage is that, like you said, no one can hit your REST calls directly or try to spoof calls.
Failing that, you could implement an authentication scheme like HMAC (http://en.wikipedia.org/wiki/Hash-based_message_authentication_code). I've seen a lot of APIs use this.
Using HMAC-SHA1 for API authentication - how to store the client password securely?
Here is what Java code might look like to authenticate: http://support.ooyala.com/developers/documentation/api/signature_java.html
Either way I think you'll have to do some work server side. Otherwise people might be able to reverse engineer the API if everything is purely client side.
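
The HMAC scheme suggested in the answer above, sketched as an added example (not part of the original answer and not the Ooyala code it links to). It assumes HMAC-SHA256 rather than SHA1, a hypothetical per-website key table SITE_KEYS, and a signing step that runs on the website's backend proxy so the secret never reaches the browser; all names and values are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: one shared secret per reselling website, held only
# on that website's server and on the API server (never shipped in JavaScript).
SITE_KEYS = {"site-42": b"constructed-demo-secret"}
MAX_SKEW = 300          # seconds a signed request stays valid
_seen_nonces = set()    # replay cache; a real service would expire entries


def canonical(site_id, method, path, body, timestamp, nonce):
    """Build the byte string both sides sign; field order is fixed."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([site_id, method.upper(), path, body_hash,
                      str(timestamp), nonce]).encode()


def sign(key, site_id, method, path, body, timestamp, nonce):
    """Run on the website's backend proxy before it calls the API."""
    msg = canonical(site_id, method, path, body, timestamp, nonce)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify(site_id, method, path, body, timestamp, nonce, signature, now):
    """Run on the API server; returns (accepted, reason)."""
    key = SITE_KEYS.get(site_id)
    if key is None:
        return False, "unknown site"
    if abs(now - timestamp) > MAX_SKEW:
        return False, "stale timestamp"
    expected = sign(key, site_id, method, path, body, timestamp, nonce)
    # compare_digest avoids leaking the match position through timing
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    if (site_id, nonce) in _seen_nonces:
        return False, "replayed nonce"
    _seen_nonces.add((site_id, nonce))
    return True, "ok"
```

Because the timestamp and nonce are part of the signed string, a request captured from the wire cannot be resent after the window closes or a second time within it, which is what limits the bill-inflation abuse described in the question.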