API Exposure

Forge Component
Published on 2019-02-15 by Guilherme Pereira
3 votes

At the OutSystems digital team, we strategically decided in the past that, as part of our microservices strategy, our public-facing and most critical APIs should be deployed behind an API Gateway in order to increase the security and reliability of those APIs.

We selected the Amazon AWS API Gateway as the gateway to use, and after a few manual deployments we reached the conclusion that the work necessary to deploy an API behind the API Gateway is not only repetitive but also error prone if done completely manually.

So we decided to invest in the creation of a tool that leverages the Amazon AWS API Gateway Connector as well as a customized version of Swagger parser to allow the quick deployment of our OutSystems REST APIs behind the AWS API Gateway.

After speaking with a few partners and customers, and attending a great talk by one of our customers during the OutSystems Worldwide Developer Conference, it was evident that this kind of solution has the potential to be reused by our customers and partners, so we decided to release a cleaned version without dependencies on our internal applications.

Once again this component is NOT SUPPORTED BY OUTSYSTEMS.

Hello,

Does this mean that the REST APIs exposed by OutSystems will not be accessible directly?

If so, how is this achieved?

Regards

Amal

Hi Amal,

This component does not prevent the API from being accessed directly.

There are a couple of ways you can do that. The first one is at the network level, by configuring your servers to only accept requests from the API Gateway and block everything else.

The other option is to control it at the API level. Although you cannot prevent the API from being called, you can check whether the request comes from the API Gateway by validating that it carries the header x-amzn-apigateway-api-id and that the id matches the id of the API on the API Gateway, and also by validating that the user agent of the request is something like AmazonAPIGateway_XXXX, where XXXX is the id of your API.

Something like:

Hope this helps

Guilherme
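An added example of the two checks described in this answer, written here as illustration and not part of the original post or the Forge component: a source-IP allow-list for the network-level option and the x-amzn-apigateway-api-id / User-Agent validation for the API-level option. The API id, header values and CIDR ranges are constructed samples; the function name and its tuple return value are my own choices.

```python
import re
from ipaddress import ip_address, ip_network

# Header and User-Agent values that API Gateway sets on proxied requests
# (as described in the answer above).
API_ID_HEADER = "x-amzn-apigateway-api-id"
USER_AGENT_RE = re.compile(r"^AmazonAPIGateway_([A-Za-z0-9]+)$")


def validate_gateway_request(headers, expected_api_id, source_ip=None,
                             allowed_cidrs=()):
    """Return (ok, reason) for one inbound request.

    headers: dict of HTTP request headers (any letter case).
    The header/User-Agent checks are advisory: any client can forge them,
    so they only reject requests that do not even claim to come from the
    gateway. The optional source-IP allow-list is the network-level check
    and is the one that actually stops direct callers.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if h.get(API_ID_HEADER) != expected_api_id:
        return False, "missing or mismatched " + API_ID_HEADER
    m = USER_AGENT_RE.match(h.get("user-agent", ""))
    if m is None or m.group(1) != expected_api_id:
        return False, "user-agent is not AmazonAPIGateway_<api-id>"
    if allowed_cidrs:
        if source_ip is None:
            return False, "source ip unknown"
        ip = ip_address(source_ip)
        if not any(ip in ip_network(c) for c in allowed_cidrs):
            return False, "source ip not in gateway allow-list"
    return True, "ok"


# Constructed sample values: a placeholder API id and RFC 5737 test ranges,
# not real AWS ranges (take those from ip-ranges.json, service API_GATEWAY).
SAMPLE_API_ID = "abcd123456"
SAMPLE_GATEWAY_CIDRS = ["198.51.100.0/24"]
SAMPLE_HEADERS = {
    "Host": "api.example.com",
    "User-Agent": "AmazonAPIGateway_abcd123456",
    "X-Amzn-Apigateway-Api-Id": "abcd123456",
}

if __name__ == "__main__":
    print(validate_gateway_request(SAMPLE_HEADERS, SAMPLE_API_ID,
                                   "198.51.100.7", SAMPLE_GATEWAY_CIDRS))
    print(validate_gateway_request({"User-Agent": "curl/7.64"}, SAMPLE_API_ID))
```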

Hello Guilherme,

Thank you very much for the quick and detailed response. 

It definitely helps. 


Best Regards

Amal 

Hi Guilherme!

Have you considered posting some documentation on exactly how you were doing manual deployments and the functioning of the AWS API Gateway Connector?

Are you using AWS Cognito for authentication in your APIs through API Gateway?

How exactly does your automation of deployment of REST APIs work?

Do you whitelist the API Gateway IPs or are you using the HTTP header checking mechanism mentioned above?

Thanks for taking the time sir.

Best,

Marcus

Hi Marcus,


Let me try and answer your questions:

Have you considered posting some documentation on exactly how you were doing manual deployments and the functioning of the AWS API Gateway Connector?

The manual deployments were done using the AWS console. You can find documentation and examples on the AWS website, or check this talk given by one of our customers during the OutSystems ODC in 2018 (which shows the same steps).

This component is supposed to be used as a baseline, not as a finished product, and we have no plans to further document it (it's open source after all).

Are you using AWS Cognito for authentication in your APIs through API Gateway?

No. We use a combination of usage plans and we've recently introduced the use of Custom Authorizers for specific scenarios. All APIs still have their own authentication mechanism.

How exactly does your automation of deployment of REST APIs work?

The automation works by using the AWS .NET SDK to follow the same steps you do on the console.

Do you whitelist the API Gateway IPs or are you using the HTTP header checking mechanism mentioned above?

We whitelist the IPs, but we also use the header to validate the id of the API directly from the API Gateway.

Hope this helps,

Guilherme

Very helpful. Thank you, sir.


Have you considered using client-cert auth between the API Gateway and the backend to further secure those APIs? I'm not sure how you would implement it from the OutSystems side, but it would seem to be more robust than just checking a header.

Ideally, it would be nice if it were easier to support OAuth with OutSystems. IP restriction combined with basic auth seems to be the easiest mechanism at the moment.