Your Achievements
Level 1
0% to
Level 2
Next /
to gain points, level up, and earn exciting badges like the new Applaud 5 BadgeLearn more!
View All BadgesSign in to view all badges
Open Alert Bar
SOLVED

API Gateway Best Practices

Go to solution
Thorsten
Level 4
Level 4
‎11-25-2022 03:09 AM
‎11-25-2022 03:09 AM

API Gateway Best Practices

Hi everyone,

 

we are using IP restrictions for Webservices (whitelist) and are facing more and more 3rd parties that cannot provide a (range of) static IP addresses to whitelist.

 

We are considering setting up an API gateway as proxy to help passthrough the calls in those kind of cases and still to be able to integrate them in Marketo. I am looking for some best practices around this really. If anyone of you could share some details about how they set this up, this would be much appreciated! I was looking for some blog posts on this, but couldn't find anything.

 

Some questions on my mind:

  • Would there be 2 authentications, first against the proxy and then against Marketo?
  • Can 3rd parties generally handle this extra layer of authentication? Or would the proxy have to behave 100% transparent to the service (generally speaking)?
  • Is it even "thinkable" to leave it "open" to the wild evil internet and only let Marketo handle the auth whilst the proxy only does basic "throttling" (and whatever else can be done to prevent bad stuff from happening)?
  • Would that make any sense at all, or would it be the same as dropping the IP restrictions in the first place?
  • Any other clever benefits of such a setup?
  • Can I use the words gateway vs proxy interchangeably?

Any pointers or shared experiences would be much appreciated!

 

Kind regards,
Thorsten

 

0 Likes
788
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
SanfordWhiteman
Level 10 - Community Moderator
Level 10 - Community Moderator
‎11-27-2022 01:01 PM
‎11-27-2022 01:01 PM

Re: API Gateway Best Practices

As you know, I’ve been encouraging API gateways for years. But Marketo users rarely take up the challenge. In turn, there’s no pressure on Marketo API consumers to build their products to be compatible with gateways.

 

One fundamental incompatibility is when a vendor lets you enter your Munchkin ID, but doesn’t let you enter a full hostname (or override the default hostname). This signals that they’re hard-appending .mktorest.com after the Munchkin ID, ruling out any rerouting via your gateway.

 

If you can get past that blocker (which is a very simple code change if they’re willing to make it) then:

 

Would there be 2 authentications, first against the proxy and then against Marketo?

Ideally, yes.

 

But you can use a header-based, non-expiring token to authenticate to the gateway, like the X-Api-Key header used by AWS API Gateway. A separate OAuth flow for gateway auth, and having them manage the Marketo OAuth flow at the same time, would be a bit much IMO. (But see below — it’s possible to publish only one OAuth flow.)

 

Authenticating to the gateway is critical for fine-grained rate limiting, which is the main reason I’ve been telling people to use API gateways w/Marketo — so a single API user can’t run away with all your API calls for the day.

 

Can 3rd parties generally handle this extra layer of authentication? Or would the proxy have to behave 100% transparent to the service (generally speaking)?

Depends.

 

Custom code and/or a highly maintained app and/or a highly flexible REST connector that just happens to be connecting to Marketo: absolutely.

 

Large, slowly evolving commercial codebase: probably not.

 

If you don’t require any additional headers, you just need them to support a hostname other than {:munchkinid}.mktorest.com.

 

Is it even "thinkable" to leave it "open" to the wild evil internet and only let Marketo handle the auth whilst the proxy only does basic "throttling" (and whatever else can be done to prevent bad stuff from happening)?

Yes. You could do IP-based throttling this way, yes (a simple config).

 

You could also build a totally transparent auth proxy without expecting them to do anything other than (what they’ll see as) standard Marketo OAuth. Here’s how that works:

  • you don’t tell them their Marketo OAuth creds
  • you internally map between API gateway OAuth creds and their “real” next-hop Marketo creds
  • they auth only with API gateway creds, using exactly the same path (/rest/identity) Marketo uses, so it works with their existing code
  • API gateway creds manage rate limits and so on
  • then you exchange the gateway creds for a Marketo creds and get a real Marketo token, but all that is hidden with the gateway
  • they continue to make calls to the gateway, and you can even change/restrict the payload before forwarding to Marketo

 

Would that make any sense at all, or would it be the same as dropping the IP restrictions in the first place?

It could still make sense.

 

For one thing, you could restrict people to certain payloads, which Marketo alone won’t let you do. Random examples: [1] only let an app dedupe by Lead ID, blocking them from inserting a new lead by Email Address; [2] don’t let an app read all fields on leads, just certain fields.

 

For another, you could still let only a particular set of Marketo credentials connect to this API gateway. So everyone else would still be subject to the IP restrictions. Specific apps could be forced through the API gateway.

Can I use the words gateway vs proxy interchangeably?

Yes, an API gateway is a reverse proxy.

View solution in original post

757
Reply
2 REPLIES 2
SanfordWhiteman
Level 10 - Community Moderator
Level 10 - Community Moderator
‎11-27-2022 01:01 PM
‎11-27-2022 01:01 PM

Re: API Gateway Best Practices

As you know, I’ve been encouraging API gateways for years. But Marketo users rarely take up the challenge. In turn, there’s no pressure on Marketo API consumers to build their products to be compatible with gateways.

 

One fundamental incompatibility is when a vendor lets you enter your Munchkin ID, but doesn’t let you enter a full hostname (or override the default hostname). This signals that they’re hard-appending .mktorest.com after the Munchkin ID, ruling out any rerouting via your gateway.

 

If you can get past that blocker (which is a very simple code change if they’re willing to make it) then:

 

Would there be 2 authentications, first against the proxy and then against Marketo?

Ideally, yes.

 

But you can use a header-based, non-expiring token to authenticate to the gateway, like the X-Api-Key header used by AWS API Gateway. A separate OAuth flow for gateway auth, and having them manage the Marketo OAuth flow at the same time, would be a bit much IMO. (But see below — it’s possible to publish only one OAuth flow.)

 

Authenticating to the gateway is critical for fine-grained rate limiting, which is the main reason I’ve been telling people to use API gateways w/Marketo — so a single API user can’t run away with all your API calls for the day.

 

Can 3rd parties generally handle this extra layer of authentication? Or would the proxy have to behave 100% transparent to the service (generally speaking)?

Depends.

 

Custom code and/or a highly maintained app and/or a highly flexible REST connector that just happens to be connecting to Marketo: absolutely.

 

Large, slowly evolving commercial codebase: probably not.

 

If you don’t require any additional headers, you just need them to support a hostname other than {:munchkinid}.mktorest.com.

 

Is it even "thinkable" to leave it "open" to the wild evil internet and only let Marketo handle the auth whilst the proxy only does basic "throttling" (and whatever else can be done to prevent bad stuff from happening)?

Yes. You could do IP-based throttling this way, yes (a simple config).

 

You could also build a totally transparent auth proxy without expecting them to do anything other than (what they’ll see as) standard Marketo OAuth. Here’s how that works:

  • you don’t tell them their Marketo OAuth creds
  • you internally map between API gateway OAuth creds and their “real” next-hop Marketo creds
  • they auth only with API gateway creds, using exactly the same path (/rest/identity) Marketo uses, so it works with their existing code
  • API gateway creds manage rate limits and so on
  • then you exchange the gateway creds for a Marketo creds and get a real Marketo token, but all that is hidden with the gateway
  • they continue to make calls to the gateway, and you can even change/restrict the payload before forwarding to Marketo

 

Would that make any sense at all, or would it be the same as dropping the IP restrictions in the first place?

It could still make sense.

 

For one thing, you could restrict people to certain payloads, which Marketo alone won’t let you do. Random examples: [1] only let an app dedupe by Lead ID, blocking them from inserting a new lead by Email Address; [2] don’t let an app read all fields on leads, just certain fields.

 

For another, you could still let only a particular set of Marketo credentials connect to this API gateway. So everyone else would still be subject to the IP restrictions. Specific apps could be forced through the API gateway.

Can I use the words gateway vs proxy interchangeably?

Yes, an API gateway is a reverse proxy.

758
Reply
Thorsten
Level 4
Level 4
‎12-02-2022 12:49 AM
‎12-02-2022 12:49 AM

Re: API Gateway Best Practices

Thank you Sanford for the insights!

In our scenario we were lucky and it seems the 3rd party we are working with currently can put an X-Api-Key in their header when communicating with our gateway.

But it's really good to have the options up our sleeve - as you said - depending on the next 3rd party integration that comes along. We'll keep your suggestions in the back of our heads for future reference. This is getting bookmarked 🙂

0 Likes
710
Reply
Home