API Governance - dennisholee/notes GitHub Wiki
- API Governance Committee
- API Steering Committee
Culture | Change Capacity | Collaborate |
Information Maturity | Change Capacity | Collaborative Readiness |
API Catalogue (API Portal)
https://www.sensedia.com/post/api-architecture-maturity-model
Idempotent REST APIs
Server-driven vs Agent-driven Content Negotiation
- HTTP Headers
- Content-Type: application/json
- Accept: application/json
- URL Patterns
- HTTP://.../page.xml
- HTTP://.../page.json
Accept-Encoding
- compress
- gzip
Content-Encoding
Envelope Key exchange
Src: https://www.openidentityplatform.org/blog/stateless-vs-stateful-authentication
Considerations | Stateful | Stateless |
---|---|---|
Session information could be stolen | ✅ Session information cannot be stolen from the session identifier, because it is only an identifier associated with the server-side session | ⛔ The session identifier contains all authentication information and is not encrypted, so sensitive information can be read from it |
Resource consumption | ⛔ Retrieving session information always means accessing session storage, which consumes additional resources | ✅ The session identifier itself contains all session information |
Easy to implement | ⛔ When session information is stored in an external database, session persistence has to be implemented | ✅ The session identifier contains all session information, so no additional functionality is needed |
Easy to scale | ⛔ Adding new instances also requires scaling the session storage | ✅ Adding new service instances requires no additional effort |
Possibility to compromise session data | ✅ Only the authentication system can retrieve session information from an authentication token, so no further vulnerabilities are introduced | ⛔ To decrypt session information from a token, all parts of the system must share the same key; if even one system is compromised, every part of the system is under threat |
Authentication token size | ✅ An authentication token is just an identifier, so the amount of session data does not affect its size | ⛔ If an authentication session contains a large amount of data, the token also becomes large, which adds load on the network |
Restrict access among different parts of an application | ✅ The system can be configured so that each part only has access to the data it needs for its work | ⛔ All parts of the system have access to all session data |
Possibility to revoke session | ✅ A session can be revoked at any time | ⛔ Since the session token contains an expiration date, it is impossible to revoke the authentication session |
Possibility to modify session data | ✅ Any session data can be modified in the session data storage | ⛔ Since the session token contains all session data, it cannot be modified |
SSO implementation | ✅ Different parts of the system can be integrated without modifying source code; session information can come through the authentication system gateway | ⛔ Each part of the system must be changed to retrieve data from the authentication token |
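As an added example (not from this wiki or the linked article), the "revoke", "modify" and "not encrypted" rows of the table above in working Python: a stateful session with an opaque id and a server-side store beside a stateless HMAC-signed token. The key, payload fields and function names are constructed for the demo.

```python
import base64, hashlib, hmac, json, secrets

# Constructed demo key; a real deployment loads it from a secret store.
SECRET = b"constructed-demo-key"

# --- Stateful: the client holds an opaque id, all data lives server-side ---
SESSION_STORE = {}

def stateful_login(user):
    sid = secrets.token_urlsafe(16)            # random id, carries no data
    SESSION_STORE[sid] = {"user": user, "roles": ["reader"]}
    return sid

def stateful_lookup(sid):
    return SESSION_STORE.get(sid)              # None once revoked

def stateful_revoke(sid):
    SESSION_STORE.pop(sid, None)               # immediate, server-side

# --- Stateless: the token itself carries the data, integrity via HMAC ---
def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _tag(body):
    return _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())

def stateless_login(user, now, ttl=3600):
    payload = {"user": user, "roles": ["reader"], "exp": now + ttl}
    body = _b64(json.dumps(payload).encode())
    return f"{body}.{_tag(body)}"

def stateless_lookup(token, now):
    body, _, tag = token.partition(".")
    if not hmac.compare_digest(tag, _tag(body)):
        return None                            # tampered, or signed with another key
    data = json.loads(_unb64(body))
    return data if data["exp"] > now else None # only expiry ends the session

def peek(token):
    # Payload is base64, not encrypted: anyone holding the token can read it.
    return json.loads(_unb64(token.partition(".")[0]))

def tamper(token, **changes):
    # Re-encode a modified payload but keep the old tag; lookup must reject it.
    body, _, tag = token.partition(".")
    data = json.loads(_unb64(body))
    data.update(changes)
    return f"{_b64(json.dumps(data).encode())}.{tag}"
```

There is nothing server-side to delete for the stateless token, so it stays valid until `exp`; the usual mitigations are short TTLs or a server-side denylist, which reintroduces state.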
Firewall - PUT etc.
Roles | Responsibilities |
---|---|
API Architect | API policies |
API Designer | Create API specs |
API Developer | Implement APIs |
API Tester | |
DevOps | |
API Champions
Define and implement the infrastructure, services and applications that support the governance and management system.
- Identify priority management objectives that may be achieved by automating services, applications or infrastructure.
- Select and implement the most appropriate tools and communicate to stakeholders.
- Provide training on selected tools, as required.
Categorize changes Impact Assessments
- Target service consumers: Open, Partnership, Private
- Information
- Service tier