17

We have many REST services within our infrastructure and these are built using different technologies (Java, Go, Ruby, NodeJS), but all of them have certain common requirements like authentication, authorization, rate limiting, analytics etc., so we are thinking of having an API gateway in front of these APIs so that all the communication happens through it only. I came to know about some open source products in the market like Strongloop/Loopback, WSO2, TYK, APIAXLE & 3scale, but most of these don't look time-tested and ready for production usage. A few things which are coming to my mind now:

  1. How is user feedback after using one of these solutions?
  2. A lot of people would need this kind of feature, so how are they doing it? Am I looking in the right direction?
  3. Is there a better way to solve my problem without using an API gateway?
ThinkFloyd
  • We ended up using Kong (https://getkong.org) for our purpose because it's fast, easy to use and open source – ThinkFloyd Aug 04 '16 at 11:01
  • Hey, can you provide a code example of how you are using Kong with Loopback? I am trying to figure out how the Authtoken for Loopback can be passed through Kong – Akshat Goel Nov 01 '17 at 20:10

2 Answers

1

If I talk about WSO2 API Manager:

  1. As far as I know, a lot of people are using it in production and provide good feedback about it.

  2. Yes. You can use API Manager for rate limiting. API Manager has a feature called throttle tiers. You can use that feature for rate limiting. For other features like authentication and authorization you have to use API Manager with WSO2 Identity Server. For the analytics feature you have to use API Manager with WSO2 Business Activity Monitor. By integrating all these products you can achieve the features you have mentioned.

CodesInChaos
lakshman
1

I can answer for 3scale since I work there.

3scale is a complete API management platform that implements authorization, rate limiting and analytics for your API. We offer different integration options, the most popular of which is our API gateway, which can be hosted by us or deployed on-premise.

This is an Nginx-based gateway that is deployed in front of your API servers and authorizes incoming calls by reaching out to the 3scale API. The gateway extracts the API key of the incoming call and the endpoint that is being called and checks whether this particular request should be authorized (i.e. valid key, usage within limits, valid endpoint, etc).

One key part of our API gateway is that the authorization is performed asynchronously so that it has no impact on the latency perceived by the API user.

Regarding your particular questions:

  1. We have 600 customers using 3scale in production. This includes APIs with very large traffic volumes, some of which you can see and read about here.

  2. I'd say the main choice is between using an API management platform or implementing these features yourself. The advantage of using something like 3scale is that we specialize in exactly this problem and we provide other very useful features besides the basic authorization and rate limiting: a developer portal hosted by us where your API users can register and manage their keys, a billing system that you can use to offer paid plans for your API, support for advanced auth patterns like OAuth2 and others that you can read about on our website.

  3. You could also integrate 3scale in your API with one of our software libraries. However, since you have multiple APIs written in different languages, I'd recommend the API gateway since you will only have a single integration point (therefore easier to maintain).

As always, the best thing is to test it yourself. We have a free plan with no time limits, so you can start there.

vdg
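
The gateway flow described in the 3scale answer above (extract key and endpoint, check key, limits and endpoint, authorize asynchronously), as an added example that is not part of the original answer and is not 3scale's code. It is a simplified in-memory model; the header name `X-API-Key`, the class names and the sample key are assumptions. It shows the trade-off of deferring the check: calls are served from the last cached verdict, so a key can run past its limit until the deferred step catches up.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Plan:
    limit: int            # calls allowed per period
    endpoints: frozenset  # (method, path) pairs the key may call

class AuthBackend:
    """In-memory stand-in for the remote authorization API (hypothetical)."""
    def __init__(self, plans):
        self.plans, self.usage = dict(plans), {}

    def authorize(self, key, endpoint):
        plan = self.plans.get(key)
        if plan is None or endpoint not in plan.endpoints:
            return False                            # invalid key or endpoint
        return self.usage.get(key, 0) < plan.limit  # usage within limits

    def report(self, key):
        self.usage[key] = self.usage.get(key, 0) + 1

class Gateway:
    def __init__(self, backend):
        self.backend, self.cache, self.pending = backend, {}, []

    def handle(self, headers, method, path):
        key = headers.get("X-API-Key")        # header name is an assumption
        if not key:
            return 401
        call = (key, (method, path))
        if call not in self.cache:            # never seen: fail closed, check now
            self.cache[call] = self.backend.authorize(*call)
        if not self.cache[call]:
            return 403
        self.pending.append(call)             # usage is reported after the response
        return 200

    def flush(self):
        """Deferred step: report usage and refresh the cached verdicts."""
        for key, endpoint in self.pending:
            self.backend.report(key)
            self.cache[(key, endpoint)] = self.backend.authorize(key, endpoint)
        self.pending.clear()

def demo():
    # Constructed sample data: key, limit and paths are invented.
    plan = Plan(limit=2, endpoints=frozenset({("GET", "/v1/items")}))
    gw = Gateway(AuthBackend({"key-123": plan}))
    hdr = {"X-API-Key": "key-123"}
    before = [gw.handle(hdr, "GET", "/v1/items") for _ in range(3)]
    gw.flush()                                # deferred authorization catches up
    return before, gw.handle(hdr, "GET", "/v1/items")
```

In this model the size of the overshoot is bounded by how many calls arrive between two runs of `flush()`, so the flush interval is the knob to tune against the strictness the rate limit needs.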