The latest version of the WSO2 API Manager, released last September, looks very promising. It is not without reason that Forrester deems WSO2 API Manager to be a Leader in their Forrester Wave . So, what is new? In this blog, I am addressing the highlights of this new release without describing every nut and bolt that has changed.
The product still consists of the five main components:
- the API publisher to define and publish and manage APIs
- the development portal to find and subscribe to APIs
- the gateway which is the API runtime it is used when APIs are invoked
- the API key manager that takes care of key generation and key validation
- the API traffic manager which is responsible for the rate limiting and throttling of API requests
The changes can be found across these components, but the most visible ones are of course in the Publisher and the Devportal. Read the blog about the features of the previous version, WSO2 API Manager 3.1.0, here.
The previous version of the WSO2 API Manager already has the possibility to use a third-party key manager instead of the embedded functionality in the API Manager. This third party could be an identity server configured to be key manager (a separate version to be downloaded in conjunction with the API manager) or a true third-party key manager that supports Oauth2. In WSO2 API Manager 3.2.0 we now have functionality for admins or even tenant admins to configure multiple different key managers .
Workflow without separate BPS
The possibility to add a separate workflow engine to a number of the processes inside the API manager is something that has been around for a couple of years. This requires a standalone Business Process Server and the redirect from the API Manager for a number of processes like for instance self-signup and the creation of an application.
In the admin console you can find the tasks that the human needs to perform in order to allow this if a workflow the redirect is in place.
In this latest version we have an Approval workflow executor that can be enabled for the tasks related to application creation, subscription creation, application key generation, user self-sign up, and API state change. This does not require a standalone business process server anymore.
In the admin console there is now a task to be found.
Clicking accept or reject removes the pending tasks.
API Publisher Test Console
As part of the development process of the API, the API and publisher now allows you to try them out from the publisher itself and verify the functionality and the behavior of the API before you make them available in the dev portal. A nifty solution that makes sense.
We have the possibility to add Graph QL calls to the API Manager since the WSO2 API Manager 3.0.0 version. Because the nature of queries, there is now query complexity analysis added to calculate the amount of computational demand the query is going to generate. If this exceeds a threshold you set, it will be blocked. Allowing you to manage the load to the Graph QL server and limit the result set coming back.
OAuth 2.0 endpoint security
APIs created in WSO2 API Manager can directly access OAuth 2.0-protected endpoints without any extension to WSO2 API Manager next to Basic Auth and Digest Auth than have been available for more secure flows.
API Controller becomes more versatile
WSO2 API Manager enables users to utilize not only HTTP/REST endpoints but also HTTP/SOAP endpoints with endpoint routing policies such as load balancing and failover. In addition, this incorporates support for dynamic endpoints and AWS Lambda endpoints as well.
The API lifecycle status change support in WSO2 API Controller 3.2 provides users programmatically the ability to modify the lifecycle status of an API easily without accessing the Publisher UI. Also, possible, the ability to delete an API/application using a single command, allowing users to easily remove an unwanted API or application in an environment without signing into the Publisher or Developer Portal. The control of the API Manager looks to go more and more to APIs (next to the Publisher and Devportal). We see the demand for APIs as a way to manage APIs and Applications growing, not only in the WSO2 API Manager but also in the WSO2 Identity Server.
API key authentication
API key authentication support in API Operator provides a simple authentication scheme that accepts a valid self-contained JWT token issued for accessing APIs. Also new, the ability to determine if there are any restrictions to either IP address or HTTP referrer restriction, when generating a token.
WSO2 API Analytics
In the API Analytics we also see a number of changes. The API Analytics is a companion product that gathers (when enabled) API invocation details and analyzes / aggregates them to display them on one of the dashboards.
The Monitoring Dashboard helps to see the overall status (health) of an API by showing contextual information on APIs such as latency, throughput, errors, and traffic volume. The Publisher Analytics Dashboard has improved the experience of different audiences by offering more information.
The new Business Analytics Dashboard combines several new widgets with the widgets that initially existed in the Publisher Analytics Dashboard to provide an unrestricted view on the APIs for Managerial users. Some dashboards are renamed: The Developer portal Dashboard is now called Application Analytics Dashboard and the Admin Dashboard can be found as Reports Dashboard.
Alerting is an important part of analytics but because information related to API availability and alert listing is more related to analytics, it has been moved to the Monitoring Dashboard (from the API Manager Admin Portal). Several improvements have been made to the alert listing widgets.
The Admin portal has been revamped and is now also in ReactJS rather than Jaggery. Users now can customize and enhance the look and feel of the Admin Portal by extending the React components in the portal.
A very handy function: the subscription tier upgrade feature provides the capability to change the subscription tier of an already existing subscription without having to delete the subscription and re-subscribe to the same API.
If you look at the version number, WSO2 API Manager 3.1.0 versus WSO2 API Manager 3.2.0 it looks like it’s a minor increase. Nevertheless, there are a large number of small improvements that will make this new version worth checking out. There are many improvements I did not discuss or address, look at the WSO2 API Manager documentation to learn more.