Web API Management meets the Internet of Things

Paul Fremantle, University of Portsmouth
Dr. Jacek Kopecký, University of Portsmouth
Dr. Benjamin Aziz, University of Portsmouth

{paul.fremantle, jacek.kopecky, benjamin.aziz}@port.ac.uk

Upload: paul-fremantle

Post on 27-Jul-2015



Abstract

• Web API Management is an extension to support Service Oriented Architectures on the public internet

• We examine how IoT networks work with Web API Management

• Built a prototype

• Present the results and performance evaluation

Definition of Web API Management

• Web APIs are capabilities offered across the web, accessed by software not people

• Web API Management adds:
– Publishing of metadata
– Sign-up and subscription
– Key management
– Access Control
– Usage Control
– Monitoring and Monetization

• References [1,2,3]

A typical Web API Management “Developer Site”

The Internet of Things

• Systems that connect the physical world to the Internet

• Sensors
– Pollution, Weather, Health, House, Cars, etc

• Actuators
– Lighting, Door locks, Motors, etc

• Low power requirements

• Non-HTTP protocols such as MQTT and CoAP

Research Questions

What is the impact of the Internet of Things on Web APIs and Web API Management?
– How do IoT devices identify themselves to Web APIs over IoT protocols?
– How can we add IoT protocol support to existing Web API Management systems?
– What is the impact of adding identity, usage control and analytics to existing IoT protocol interactions?

Related Work

• Very little academic research into Web API Management
– Raivio et al: business models of Open APIs in telecoms [4]
– Kopecky et al [5] challenges and approaches of managing Web APIs

• Hypercat [6], ZettaJS [7] – open Web APIs for IoT

• Existing gateways [8,9] are network bridges sitting out in the field, not server-side capabilities

• Some use of advanced access control and OAuth
– Fremantle et al [10] and Cirani et al [11]

The current situation

[Figure: Majority of IoT networks today: Device, Private API. Web systems: ecosystems, on-demand signup, rich set of clients.]

Gaps in the existing work

• Authentication and access control
– But little work on publishing, signup, usage control, monitoring, etc

• No extension of API management capabilities to IoT protocols such as MQTT and CoAP

• How to extend existing models to support large numbers of IoT clients

Contributions

• Identification of issues in the area

• Creation of a prototype software environment for exploration (IGNITE)
– The first general intermediary for MQTT

• Demonstration that OAuth2 Dynamic Client Registration works in the context of IoT

• Experimental performance results

Background

OAuth2

• Emerged out of OpenID as an approach for machine-to-machine tokens using Web protocols

• A web-based API centric authentication and authorization standard

• Used extensively for API management

• OAuth2 evolution:
– OpenID Connect
– User Managed Access (UMA)

Dynamic Client Registration

• IETF standard

• Part of OAuth2 / OpenID Connect family of standards

• A RESTful API for Clients to register to an OAuth2 authorization server

• In the context of IoT allows each client to have its own unique credentials
– Important because of hardware / device hacking possibilities
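Added example (not code from the slides, IGNITE or MitreID-Connect): an in-memory stand-in for a registration endpoint that uses the RFC 7591 request and response field names, showing why per-device credentials matter when one device is physically compromised. The client store, the `mqtt:publish` scope value, the device naming and the grant policy are assumptions made for the illustration.

```python
import secrets
import time

CLIENTS = {}                                    # constructed stand-in for the server's client store
ALLOWED_GRANTS = {"client_credentials", "refresh_token"}   # assumed policy for devices

def device_metadata(serial):
    """Registration request body a device would POST (field names from RFC 7591)."""
    return {"client_name": f"sensor-{serial}",
            "grant_types": ["client_credentials"],
            "token_endpoint_auth_method": "client_secret_basic",
            "scope": "mqtt:publish"}            # hypothetical scope name

def register_client(metadata):
    """Process one registration request; return (HTTP status, response body)."""
    grants = metadata.get("grant_types", ["authorization_code"])  # RFC 7591 default
    if not set(grants) <= ALLOWED_GRANTS:
        return 400, {"error": "invalid_client_metadata",
                     "error_description": "grant type not allowed for devices"}
    client_id = secrets.token_urlsafe(16)
    record = dict(metadata, grant_types=grants,
                  client_id=client_id,
                  client_secret=secrets.token_urlsafe(32),  # unique per device
                  client_id_issued_at=int(time.time()),
                  client_secret_expires_at=0)   # 0 means the secret does not expire
    CLIENTS[client_id] = record
    return 201, record

def authenticate(client_id, client_secret):
    """Check a client's credentials with a constant-time comparison."""
    record = CLIENTS.get(client_id)
    return record is not None and secrets.compare_digest(
        record["client_secret"].encode(), client_secret.encode())

def revoke(client_id):
    """Remove one device's registration; every other device is unaffected."""
    return CLIENTS.pop(client_id, None) is not None
```

Because each device holds its own `client_id` and `client_secret`, a secret extracted from one device can be revoked without re-provisioning the rest of the fleet.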

MQTT

• Very lightweight messaging protocol
– Designed for 8-bit controllers, SCADA, etc
– Low power, low bandwidth
– Binary header of 2 bytes
– Lots of implementations
  • Mosquitto from Eclipse
  • Apache ActiveMQ and Apollo
– Clients:
  • Arduino, Perl, Python, PHP, C, Java, JS/Node.js, .Net, etc

• Plus an even lighter-weight version for Zigbee
– MQTT-SN (Sensor Network)
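Added example (not code from the slides or from IGNITE): how an intermediary in front of an MQTT broker can identify a device from its CONNECT packet before any traffic reaches the broker. It assumes MQTT 3.1.1 and that the OAuth2 access token travels in the password field; the token table and the sample packet are constructed.

```python
ISSUED_TOKENS = {b"constructed-token-1": "sensor-42"}   # constructed: token -> client id
SAMPLE = (b"\x10\x32" b"\x00\x04MQTT" b"\x04\xc2\x00\x3c"      # constructed CONNECT
          b"\x00\x09sensor-42" b"\x00\x06device" b"\x00\x13constructed-token-1")

def _field(buf, pos):
    """Read one 2-byte-length-prefixed field; return (bytes, next position)."""
    end = pos + 2 + int.from_bytes(buf[pos:pos + 2], "big")
    if pos + 2 > len(buf) or end > len(buf):
        raise ValueError("field overruns packet")
    return buf[pos + 2:end], end

def parse_connect(packet):
    """Parse an MQTT 3.1.1 CONNECT; return (client_id, username, password)."""
    if len(packet) < 2 or packet[0] != 0x10:
        raise ValueError("not a CONNECT packet")
    remaining = 0
    for i, byte in enumerate(packet[1:5]):   # Remaining Length: 1-4 bytes, 7 bits each
        remaining |= (byte & 0x7F) << (7 * i)
        if not byte & 0x80:                  # high bit clear: last length byte
            break
    else:
        raise ValueError("bad remaining length")
    body = packet[i + 2:]
    if len(body) != remaining:
        raise ValueError("length mismatch")
    name, p = _field(body, 0)
    if name != b"MQTT" or len(body) < p + 4 or body[p] != 4:
        raise ValueError("unsupported protocol")
    flags, p = body[p + 1], p + 4            # skip level, flags, 2-byte keep-alive
    client_id, p = _field(body, p)
    if flags & 0x04:                         # skip will topic, then will message
        p = _field(body, _field(body, p)[1])[1]
    username = password = None
    if flags & 0x80:
        username, p = _field(body, p)
    if flags & 0x40:
        password, p = _field(body, p)
    return client_id, username, password

def connack_code(packet):
    """CONNACK return code: 0 accept, 4 bad credentials, 5 not authorized; None = drop."""
    try:
        client_id, _, token = parse_connect(packet)
    except ValueError:
        return None                          # malformed packet: close the connection
    if token is None or token not in ISSUED_TOKENS:
        return 4
    return 0 if ISSUED_TOKENS[token].encode() == client_id else 5
```

In a deployment the dictionary lookup would be replaced by a validation call to the authorization server that issued the token.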

Overall System Architecture

[Figure: components API Portal, HTTP Gateway, IGNITE, Key Server, MQTT Broker, Web Client, IoT Client, HTTP Service and Monitoring, joined by REST, MQTT and developer Web interactions. Existing infrastructure is above the dashed line, newly added infrastructure below it; the public Internet is to the left of the dotted line.]

Implementation

• Open Source API Management solution
– WSO2 API Manager

• Authorization Server
– MitreID-Connect server from MIT
– Open Source OAuth2 authorization server

• Message Broker
– Based on Mosquitto
– Open Source MQTT broker

• IGNITE
– Intelligent Gateway for Networked IoT Events
– Prototyped in Python and Java
– Available at https://github.com/pzfreo/ignite

Test System

[Figure: IGNITE, MITRE-Connect Key Server, Mosquitto MQTT Broker, Test System and MQTT Subscriber; labelled interactions: Connect, Publish.]

Performance Results

Conclusions

• IoT protocols can be added into existing API management capabilities orthogonally

• Extended existing work on adding OAuth2 to MQTT in a more flexible, extensible manner

• Enables Usage Control, throttling, and monitoring

Further Work

• Extend the IGNITE system beyond the simple Python prototype into a more robust system

• Add Usage Control, Throttling, Monitoring

• Explore CoAP

References

1. Heffner, R.: The Forrester Wave: API Management Solutions, Q3 2014 (2014)

2. Lane, K.: API Evangelist Blog. http://apievangelist.com/blog/

3. Williams, A.: 5 Rules For API Management | TechCrunch. http://techcrunch.com/2012/11/11/5-rules-for-api-management/

4. Raivio, Y., Luukkainen, S., Seppala, S.: Towards Open Telco-Business models of API management providers. In: System Sciences (HICSS), 2011 44th Hawaii International Conference on. pp. 1–11. IEEE (2011)

5. Kopecky, J., Fremantle, P., Boakes, R.: A history and future of Web APIs. Information Technology (2014)

6. Lea, R.: HyperCat: an IoT interoperability specification (2013)

7. Zetta - An API-First Internet of Things (IoT) Platform - Free and Open Source Software, http://www.zettajs.org/

8. Chen, H., Jia, X., Li, H.: A brief introduction to IoT gateway. In: IET International Conference on Communication Technology and Application (ICCTA 2011). pp. 610–613 (2011)

9. Zhu, Q., Wang, R., Chen, Q., Liu, Y., Qin, W.: IoT gateway: Bridging wireless sensor networks into internet of things. In: Embedded and Ubiquitous Computing (EUC), 2010 IEEE/IFIP 8th International Conference on. pp. 347–352. IEEE (2010)

10. Fremantle, P., Aziz, B., Scott, P., Kopecky, J.: Federated Identity and Access Management for the Internet of Things. In: 3rd International Workshop on the Secure IoT (2014)

11. Cirani, S., Picone, M., Gonizzi, P., Veltri, L., Ferrari, G.: IoT-OAS: An Oauth-based Authorization Service Architecture for Secure Services in IoT Scenarios (2015)

Questions?

https://www.flickr.com/photos/-bast-

Acknowledgements

The travel expenses of presenting this research paper were funded by the University of Portsmouth, Faculty of Technology Research Capital Investment Fund (RCIF) number 46175.